CN106874761A - A kind of Android system malicious application detection method and system - Google Patents


Info

Publication number: CN106874761A
Authority: CN (China)
Prior art keywords: authority, characteristic, sample set, behavior, application
Legal status: Pending
Application number: CN201611256933.2A
Other languages: Chinese (zh)
Inventors: 刘元安, 范文浩, 桑耀辉, 吴帆, 张洪光
Current assignee: Beijing University of Posts and Telecommunications
Original assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications
Priority to CN201611256933.2A
Publication of CN106874761A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis

Abstract

The invention discloses an Android system malicious application detection method and system, including: obtaining permission features by decompiling the application program through reverse engineering; obtaining behavior features by dynamic behavior collection and matching against defined behavior chain models; combining a large number of permission features and behavior features into a feature data sample set; generating a classifier from the feature data sample set with a machine learning algorithm; and inputting the features of an unknown application into the classifier to conclude whether the unknown application is malicious. The invention proposes a behavior chain model based on reverse engineering and dynamic behavior collection, then detects unknown applications with a machine learning algorithm, so that malicious applications are identified effectively with high accuracy. The detection method and system provided by the invention are therefore efficient, need no modification of the system source code, and have good usability.

Description

Android system malicious application detection method and system
Technical field
The present invention relates to the field of mobile Internet information security, and in particular to an Android system malicious application detection method and system.
Background technology
With the rapid spread of smartphones, people have entered the era of the mobile Internet. The app-store publishing model has become the main model for mobile applications, and the mobile application industry has grown rapidly. Because mobile applications can obtain large amounts of sensitive information from the mobile terminal and can themselves generate high profits through mobile markets and advertisers, they are frequently attacked by hackers, and mobile application security incidents occur often. Third-party application markets of mixed quality and the lack of centralized, effective security review of the huge number of mobile applications have led to large numbers of malicious applications being published in mobile application markets. Accurately identifying, among the huge number of mobile applications, those malicious applications that may pose a security risk to the mobile terminal has become one of the major problems in mobile application security research.
The main means of malicious application detection at this stage can be divided into static detection and dynamic detection. Static detection methods: FlowDroid analyzes the bytecode files and component life cycle of the target program to perform static taint analysis and generate a function call graph. TaintDroid proposes a system-level dynamic taint analysis tool that marks sensitive information and monitors the information flow of private data in real time. Static detection methods, however, need to update the malicious application signature database constantly and can only recognize known malicious applications.
Dynamic detection methods: Kynoid, building on TaintDroid, performs dynamic detection of the information flow between applications and data, provides real-time monitoring and prevents privacy leakage. Dynamic detection methods based on TaintDroid, however, need to modify the Android operating system source code, which makes them difficult to popularize and apply.
The content of the invention
In view of this, the object of the present invention is to propose an Android system malicious application detection method and system that is efficient, has low overhead, and does not require modification of the Android system source code.
Based on the above object, the Android system malicious application detection method provided by the present invention includes:
decompiling the installation file of the application program by reverse engineering to obtain permission features;
obtaining a behavior record of the application program by dynamic behavior capture, and matching the behavior record against defined behavior chain models to obtain behavior features;
combining the behavior features and the permission features into a final feature;
generating a feature data sample set from the final features of multiple known applications, a machine learning algorithm generating a classifier from the feature data sample set;
inputting the obtained final feature of an unknown application into the generated classifier, which gives the conclusion whether the unknown application is a malicious application.
Further, generating a feature data sample set from the final features of multiple known applications and having a machine learning algorithm generate a classifier from the feature data sample set includes:
generating the feature data sample set from the final features of multiple known normal applications and malicious applications;
dividing the feature data sample set into a feature training sample set and a feature test sample set;
the machine learning algorithm generating a classifier from the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
Further, decompiling the installation file of the application program by reverse engineering to obtain permission features includes:
decompiling the installation file of the application program with a decompilation tool to obtain the permission features;
defining the permission feature vector P = (μ1, μ2, …, μi, …, μk), where k is the total number of system permissions in the Android operating system, μi indicates whether the application has applied for the i-th permission, 1 ≤ i ≤ k, μi ∈ {0, 1}, 0 meaning the permission was not applied for and 1 meaning it was applied for.
Further, matching the behavior record against the defined behavior chain models to obtain behavior features includes:
matching the obtained behavior record against the defined behavior chain models to obtain the trigger count of each behavior chain;
normalizing the trigger counts of all behavior chains to obtain the behavior feature vector S = (σ1, σ2, …, σi, …, σm), where m is the total number of behavior chain models and σi is the number of triggers of the i-th behavior chain model per thousand behavior records.
Combining the behavior features and the permission features into a final feature includes:
combining the permission feature vector P and the behavior feature vector S into one final feature vector F:
F = (μ1, μ2, …, μi, …, μk, σ1, σ2, …, σi, …, σm).
Further, obtaining the behavior record of the application program by dynamic behavior capture includes:
injecting a native dynamic library file into the process space of the target application;
loading the native dynamic library;
modifying the Method structure in the Dalvik virtual machine instance that corresponds to the Java-layer API (Application Programming Interface);
intercepting the API calls by dynamic binding, thereby obtaining the behavior record of the application program.
On the other hand, the present invention also provides an Android system malicious application detection system, including:
a permission feature acquisition unit for decompiling the installation file of the application program by reverse engineering to obtain permission features;
a behavior feature acquisition unit for obtaining the behavior record of the application program by dynamic behavior capture and matching the behavior record against defined behavior chain models to obtain behavior features;
a final feature generation unit for combining the matched behavior features and the permission features into a final feature;
a classifier generation unit for generating a feature data sample set from the final features of multiple known normal applications and malicious applications, dividing the feature data sample set into a feature training sample set and a feature test sample set, a machine learning algorithm generating a classifier from the feature training sample set and the feature test sample set being used to test and evaluate the generated classifier;
a detection unit for inputting the final feature of an unknown application into the generated classifier and detecting whether the unknown application is a malicious application.
Further, the classifier generation unit includes:
a feature data sample set generation module for generating a feature data sample set from the final features of multiple known normal applications and malicious applications;
a sample set division module for dividing the feature data sample set into a feature training sample set and a feature test sample set;
a classifier training module in which the machine learning algorithm generates a classifier from the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
The permission feature acquisition unit is further used to decompile the installation file of the application program with a decompilation tool, and, after obtaining the permission features, to define the permission feature vector P = (μ1, μ2, …, μi, …, μk), where k is the total number of system permissions in the Android operating system, μi indicates whether the application has applied for the i-th permission, 1 ≤ i ≤ k, μi ∈ {0, 1}, 0 meaning the permission was not applied for and 1 meaning it was applied for.
Further, the behavior feature acquisition unit is further used to match the obtained behavior record against the defined behavior chain models to obtain the trigger count of each behavior chain, and to normalize the trigger counts of all behavior chains to obtain the behavior feature vector S = (σ1, σ2, …, σi, …, σm), where m is the total number of behavior chain models and σi is the number of triggers of the i-th behavior chain model per thousand behavior records.
The final feature generation unit is further used to combine the permission feature vector P and the behavior feature vector S into one final feature vector F:
F = (μ1, μ2, …, μi, …, μk, σ1, σ2, …, σi, …, σm).
Further, the behavior feature acquisition unit includes a behavior record acquisition module for injecting a native dynamic library file into the process space of the target application, loading the native dynamic library, modifying the Method structure in the Dalvik virtual machine instance that corresponds to the Java-layer API, and intercepting API calls by dynamic binding, thereby obtaining the behavior record of the application program.
As can be seen from the above, the Android system malicious application detection method provided by the present invention proposes a behavior chain model based on reverse engineering and dynamic behavior collection, obtains data from mobile applications, and detects unknown applications with a machine learning algorithm, so that malicious applications are identified effectively with higher accuracy, making up for the difficulty traditional static detection methods have in detecting unknown applications. The method does not need to modify the Android system source code, overcoming the defect of dynamic detection methods that require modification of the Android operating system source code, so its usability is good; and by performing detection in the cloud, the method effectively reduces the performance overhead on the mobile terminal.
Brief description of the drawings
Fig. 1 is a flow chart of one embodiment of the Android system malicious application detection method provided by the present invention;
Fig. 2 is a flow chart of another embodiment of the Android system malicious application detection method provided by the present invention;
Fig. 3 is a schematic diagram of one embodiment of the Android system malicious application detection system provided by the present invention.
Specific embodiment
To make the object, technical solutions and advantages of the present invention clearer, the present invention is described in more detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 shows a flow chart of one embodiment of the Android system malicious application detection method provided by the present invention. The detection method includes:
Step 101: decompile the installation file of the application program by reverse engineering to obtain permission features;
Step 102: obtain the behavior record of the application program by dynamic behavior capture, and match the behavior record against defined behavior chain models to obtain behavior features;
Step 103: combine the behavior features and the permission features into a final feature;
Step 104: generate a feature data sample set from the final features of multiple known applications, and have a machine learning algorithm generate a classifier from the feature data sample set;
Step 105: input the obtained final feature of an unknown application into the generated classifier to conclude whether the unknown application is a malicious application.
As can be seen from the above, the Android system malicious application detection method provided by the present invention proposes a behavior chain model based on reverse engineering and dynamic behavior collection, obtains data from mobile applications, and detects unknown applications with a machine learning algorithm, so that malicious applications are identified effectively with higher accuracy. The method does not need to modify the Android system source code, its usability is good, and by performing detection in the cloud it effectively reduces the performance overhead on the mobile terminal.
Fig. 2 is a flow chart of another embodiment of the Android system malicious application detection method provided by the present invention:
Step 101, decompiling the installation file of the application program by reverse engineering to obtain permission features, further includes:
Step 101a: decompile the installation file of the application program with a decompilation tool;
Step 101b: obtain the permission features and define the permission feature vector P = (μ1, μ2, …, μi, …, μk), where k is the total number of system permissions in the Android operating system, μi indicates whether the application has applied for the i-th permission, 1 ≤ i ≤ k, μi ∈ {0, 1}, 0 meaning the permission was not applied for and 1 meaning it was applied for.
When an application needs to perform a potentially risky operation, it must first apply to the operating system for the corresponding permission; for example, reading the address book requires the android.permission.READ_CONTACTS permission, and sending a short message requires the android.permission.SEND_SMS permission. The permissions an application applies for at installation time therefore reflect, to a certain extent, the behavior and motivation of the application.
Reverse engineering processes a program file without executing it, by means such as lexical analysis, syntactic analysis, control flow analysis and data flow analysis, to generate the program's disassembled code; the program's functionality is then understood by reading the disassembled code. Reverse processing of an Android application installation file yields the program source code and the application's permission request information.
The installation file of an Android application is an APK (Android Package). Each APK file contains an AndroidManifest.xml file, which records the permissions the application needs to apply for from the operating system at installation time.
Step 101a, decompiling the installation file of the application program with a decompilation tool, specifically includes:
decompiling the APK file with the apktool tool to obtain the decompiled folder contents;
converting the smali files in the obtained folder to java files with the Smali2JavaUI tool; the java files contain the permission features.
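As an added illustration (not code from the patent), the following Python builds the permission feature vector P of step 101 from the AndroidManifest.xml that apktool extracts from the APK. The manifest text, its package name and the ordered permission list are constructed for this example; the patent's embodiment selects 30 higher-risk permissions, and this example uses a shorter list of the same kind so that the vector can be checked by hand.

```python
"""Permission feature vector P from a decompiled AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

# The android: XML namespace used by every manifest attribute.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Ordered list of the k permissions the vector is defined over. The patent selects 30
# higher-risk system permissions; this short list is a constructed stand-in.
RISK_PERMISSIONS = [
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
]

# Constructed manifest in the form apktool writes after decoding an APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="demo"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return every permission name declared in <uses-permission> (and the API 23+ variant)."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(name)
    return names


def permission_vector(manifest_xml: str, permissions=RISK_PERMISSIONS) -> list:
    """Build P = (mu_1, ..., mu_k): mu_i = 1 if the i-th permission is requested, else 0."""
    requested = requested_permissions(manifest_xml)
    return [1 if p in requested else 0 for p in permissions]


if __name__ == "__main__":
    # Permissions outside the chosen list (VIBRATE here) do not contribute to P.
    print(permission_vector(SAMPLE_MANIFEST))
```

Permissions that are declared but not in the chosen list (VIBRATE above) are ignored, so the vector length stays fixed at k regardless of what a given APK requests, which is what a classifier trained on a fixed-width F needs.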
Further, step 102, obtaining the behavior record of the application program by dynamic behavior capture and matching the behavior record against the defined behavior chain models to obtain behavior features, specifically includes:
Step 102a, behavior record collection based on process injection: inject a native dynamic library file into the process space of the target application; load the native dynamic library; modify the Method structure in the Dalvik virtual machine instance that corresponds to the Java-layer API (Application Programming Interface); intercept API calls by dynamic binding, thereby obtaining the behavior record of the application program.
Process injection loads a packaged third-party dynamic link library into the memory map of the specified process and calls an entry function in it so as to execute preset logic. After the injection succeeds, the packaged dynamic link library file can be seen in the memory map table of the process.
Each time the Android application calls an Android API, dynamic behavior capture produces a behavior record containing information such as the call time, API class name, API method name, thread number, parameters and context. The behavior information can be packed with JSON, which allows fast transmission between processes and over the network.
Step 102b is performed at the same time; the defined behavior chain model is:
L = (B1, B2, …, Bn)
where L is the behavior chain, B is a behavior, and n is the number of behaviors in the behavior chain.
A behavior is a segment of instructions that the application executes at run time: obtaining the phone's GPS location is a behavior, and initiating an HTTP request is also a behavior. A single behavior is not malicious in itself; an application obtaining the phone's GPS location may be helping the user navigate, or it may be leaking the user's location information. Multiple behaviors are therefore combined in a particular order into a behavior chain, and by analyzing behavior chains the intention behind the application's behavior can be determined more effectively.
Step 102c, matching the behavior record against the defined behavior chain models to obtain behavior features, specifically includes:
matching the large number of obtained behavior records, which contain information such as the call time, API class name, API method name, thread number, parameters and context, against the defined behavior chain models to obtain the trigger count of each behavior chain L;
normalizing the trigger counts of all behavior chains to obtain the behavior feature vector S = (σ1, σ2, …, σi, …, σm), where m is the total number of behavior chain models and σi is the number of triggers of the i-th behavior chain model per thousand behavior records.
Step 103, combining the behavior features and the permission features into a final feature, specifically includes combining the permission feature vector P and the behavior feature vector S into one final feature vector F:
F = (μ1, μ2, …, μi, …, μk, σ1, σ2, …, σi, …, σm).
Step 104, generating a feature data sample set from the final features of multiple known applications and having a machine learning algorithm generate a classifier from the feature data sample set, specifically includes:
Step 104a: generate the feature data sample set from the final features of multiple known normal applications and malicious applications;
Step 104b: divide the feature data sample set into a feature training sample set and a feature test sample set;
Step 104c: the machine learning algorithm generates a classifier from the feature training sample set, and the feature test sample set is used to test and evaluate the generated classifier.
A classifier finds classification rules by analyzing a training set of known classes and uses them to predict the class of new data. The present invention can use a Bayes classifier, whose principle is to start from the prior probability of an object and compute its posterior probability with Bayes' formula, that is, the probability that the object belongs to a certain class, and then select the class with the maximum posterior probability as the class of the object.
For any application, the corresponding feature vector F can be obtained through step 103; repeating these operations on a large number of different known applications yields the feature vector data sample set. The feature data sample set can be divided in a 9:1 ratio into a feature training sample set and a feature test sample set. A Bayes classifier trained with the feature training sample set is the classifier used to detect malicious programs.
Step 105, inputting the obtained final feature of an unknown application into the generated classifier to conclude whether the unknown application is a malicious application, specifically includes:
when detecting an unknown application, obtaining the final feature vector of the application under test and inputting it into the trained Bayes classifier, which gives the conclusion whether the unknown application is a malicious application.
The detection method provided by the present invention is further illustrated by a specific embodiment. For example:
30 higher-risk permissions are selected from the Android system permissions. The installation file of the application is then decompiled, the permissions applied for by the application are obtained by analyzing the AndroidManifest.xml file, and the permission feature vector P is generated:
P=(0,1,1,1,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,0,0,1,1,0,0,1,1)
A large number of behavior records of the Android application can be obtained by dynamic behavior capture; each record contains context information: the API method name, call time, method parameters, method return value, process number and thread number.
Taking the initiation of an HTTP (HyperText Transfer Protocol) request as an example, a behavior chain model is established. An application completes the initiation of an HTTP request through a series of method calls: (1) construct a URL (Uniform Resource Locator) object; (2) call the openConnection method of the URL object to obtain an HttpURLConnection object; (3) call the getInputStream method of the HttpURLConnection object to obtain an input byte stream; (4) call the read method of the InputStream object. The behavior chain model of an HTTP request is therefore L = (B1, B2, B3, B4).
In the same way, multiple behavior chain models with potential risk can be defined, for example 10 behavior chain models.
Matching the obtained behavior chain models against the large number of behavior records gives the trigger count of each behavior chain L and generates the behavior feature vector S: S = (142, 49, 82, 73, 17, 251, 109, 207, 29, 41)
The final feature vector F is obtained from the permission feature vector P and the behavior feature vector S: F = (0,1,1,1,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,0,0,1,1,0,0,1,1,142,49,82,73,17,251,109,207,29,41).
The feature vector of any Android application can be obtained by the above steps. For example, 200 malicious applications and 200 normal applications can be selected as the sample set; the 400 applications are analyzed separately, and the 400 resulting feature vectors serve as the feature vector data sample set. The feature data sample set can be divided in a 9:1 ratio into a feature training sample set and a feature test sample set, and a Bayes classifier trained with the feature training sample set is the trained Bayes classifier for detecting malicious programs.
When detecting an unknown application, the feature vector of the application under test is obtained and input into the trained Bayes classifier, which gives the conclusion whether the unknown application is a malicious application.
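The sample-set construction, the 9:1 split, and the Bayes classifier of steps 104 and 105 and of the embodiment above, as an added example in Python that is not the patent's code. The feature vectors are generated at random rather than extracted from real applications, the vector is shorter than the patent's 30 permissions plus 10 chains, and the choice of a Bernoulli model for the permission bits together with a Gaussian model for the per-thousand chain counts is this example's own; the patent specifies only that a Bayes classifier is trained with the training set and evaluated with the test set.

```python
"""Train and evaluate a naive Bayes classifier on F = (P, S) (added example)."""
import math
import random

K_PERMISSIONS = 6   # length of the permission part P (the patent's embodiment uses 30)
M_CHAINS = 3        # length of the behavior part S (the patent's embodiment uses 10)


def make_sample_set(n_per_class=200, seed=7):
    """Constructed feature vectors F for known malicious (label 1) and normal (label 0) apps."""
    rng = random.Random(seed)
    samples = []
    for label in (1, 0):
        for _ in range(n_per_class):
            # permission bits: the constructed malicious apps request risky permissions more often
            p_risky = 0.7 if label else 0.2
            perms = [1 if rng.random() < p_risky else 0 for _ in range(K_PERMISSIONS)]
            # chain triggers per thousand records: higher for the constructed malicious apps
            scale = 120.0 if label else 30.0
            chains = [max(0.0, rng.gauss(scale, 25.0)) for _ in range(M_CHAINS)]
            samples.append((perms + chains, label))
    rng.shuffle(samples)
    return samples


def split_9_to_1(samples):
    """Divide the sample set into a training set and a test set in a 9:1 ratio."""
    cut = len(samples) * 9 // 10
    return samples[:cut], samples[cut:]


class MixedNaiveBayes:
    """Bernoulli model for the k permission bits, Gaussian model for the m chain features."""

    def __init__(self, k):
        self.k = k
        self.prior = {}
        self.bern = {}   # label -> list of P(mu_i = 1 | label)
        self.gauss = {}  # label -> list of (mean, variance) per chain feature

    def fit(self, samples):
        n = len(samples)
        for label in (0, 1):
            rows = [f for f, y in samples if y == label]
            self.prior[label] = len(rows) / n
            # Laplace-smoothed Bernoulli parameters so no bit gets probability 0
            self.bern[label] = [(sum(r[i] for r in rows) + 1) / (len(rows) + 2)
                                for i in range(self.k)]
            params = []
            for j in range(self.k, len(rows[0])):
                col = [r[j] for r in rows]
                mean = sum(col) / len(col)
                var = sum((x - mean) ** 2 for x in col) / len(col) + 1e-6  # variance floor
                params.append((mean, var))
            self.gauss[label] = params
        return self

    def log_posterior(self, f, label):
        """log P(label) + sum of per-feature log-likelihoods (the evidence term is constant)."""
        lp = math.log(self.prior[label])
        for i in range(self.k):
            p = self.bern[label][i]
            lp += math.log(p if f[i] else 1.0 - p)
        for (mean, var), x in zip(self.gauss[label], f[self.k:]):
            lp += -0.5 * math.log(2 * math.pi * var) - (x - mean) ** 2 / (2 * var)
        return lp

    def predict(self, f):
        """Maximum a posteriori class: 1 = malicious, 0 = normal."""
        return max((0, 1), key=lambda y: self.log_posterior(f, y))


def train_and_evaluate(seed=7):
    """Build the sample set, split 9:1, train on the 9 and report accuracy on the 1."""
    train, test = split_9_to_1(make_sample_set(seed=seed))
    clf = MixedNaiveBayes(K_PERMISSIONS).fit(train)
    correct = sum(clf.predict(f) == y for f, y in test)
    return clf, correct / len(test)


if __name__ == "__main__":
    clf, acc = train_and_evaluate()
    print(f"test accuracy on held-out 10%: {acc:.2f}")
    print("verdict for an unknown app:", clf.predict([1, 1, 0, 1, 0, 0, 200.0, 0.0, 100.0]))
```

The held-out test set is what the patent's step 104c uses to evaluate the generated classifier; accuracy measured on the training samples would overstate how the classifier behaves on unknown applications.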
It can be seen that the Android system malicious application detection method provided by the present invention proposes a behavior chain model based on reverse engineering and dynamic behavior collection, obtains data from mobile applications, and detects unknown applications with a machine learning algorithm, so that malicious applications are identified effectively with higher accuracy, making up for the difficulty traditional static detection methods have in detecting unknown applications. The method does not need to modify the Android system source code, overcoming the defect of dynamic detection methods that require modification of the Android operating system source code; it combines dynamic analysis with static analysis so that their advantages complement each other, and by performing detection in the cloud it reduces the performance overhead on the mobile terminal. The present invention thus provides an Android system malicious application detection method that is efficient, has low overhead, and does not require modification of the Android system source code.
On the other hand, the present invention also provides an Android system malicious application detection system. Fig. 3 is a schematic diagram of one embodiment of the Android system malicious application detection system provided by the present invention; the system includes:
a permission feature acquisition unit 301 for decompiling the installation file of the application program by reverse engineering to obtain permission features;
a behavior feature acquisition unit 302 for obtaining the behavior record of the application program by dynamic behavior capture and matching the behavior record against the defined behavior chain models to obtain behavior features;
a final feature generation unit 303 for combining the matched behavior features and the permission features into a final feature;
a classifier generation unit 304 for generating a feature data sample set from the final features of multiple known applications, a machine learning algorithm generating a classifier from the feature data sample set;
a detection unit 305 for inputting the final feature of an unknown application into the generated classifier and detecting whether the unknown application is a malicious application.
Wherein, authority feature unit 301 is obtained, is further used for using installation of the decompiling instrument to the application program File carries out decompiling;And for obtaining the authority feature after, define authority characteristic vector P=(μ12…μi…μk), Wherein, k represents the total number of System Privileges in Android operation system, μiRepresent whether the application has applied for i-th authority, i < 1, μi∈ { 0,1 }, 0 represents that, without application authority, authority has been applied in 1 expression.
The behavior chain model of the definition is:
L=(B1,B2,…,Bn)
L represents behavioral chain, and B represents behavior, and n represents the behavior number of the behavioral chain.
The behaviour feature acquisition unit 302 is further configured to match the obtained behaviour record against the defined behaviour chain model, obtaining the trigger count of each behaviour chain L;
and to normalise the trigger counts of all behaviour chains, obtaining the behaviour feature vector $S = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_m)$, where m is the total number of behaviour chain models and $\sigma_i$ is the number of triggers of the i-th behaviour chain model per thousand behaviour records.
The final feature generation unit 303 is further configured to combine the permission feature vector P and the behaviour feature vector S into one final feature vector F:
$F = (\mu_1, \mu_2, \ldots, \mu_i, \ldots, \mu_k, \sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_m)$.
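The construction of P, S and F above, as an added example that is not the patent's own code. The permission catalogue, the behaviour chain models, the requested permissions and the behaviour record are constructed for illustration; since the patent does not say how a record is matched against a chain, the example assumes a chain counts as triggered each time its behaviours appear in order as a non-overlapping subsequence of the record.

```python
"""Construction of the permission vector P, the behaviour vector S and the
final feature F = (P, S).

Added example, not the patent's own code. The permission catalogue, the
behaviour chain models, the requested permissions and the behaviour record
are all constructed for illustration. The patent does not say how a record
is matched against a chain; here a chain (B1, ..., Bn) counts as triggered
each time B1..Bn appear in that order as a non-overlapping subsequence of
the record (this is an assumption).
"""
from typing import Dict, List, Sequence, Tuple

# Constructed catalogue of k system permissions (a real catalogue would
# list every permission defined by the Android release being analysed).
SYSTEM_PERMISSIONS: List[str] = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
]

# Constructed behaviour chain models L = (B1, ..., Bn), one per suspicious
# activity; each B is the name of an intercepted Java-layer API call.
BEHAVIOR_CHAINS: Dict[str, Tuple[str, ...]] = {
    "sms_send": ("SmsManager.getDefault", "SmsManager.sendTextMessage"),
    "contacts_upload": ("ContentResolver.query",
                        "HttpURLConnection.connect", "OutputStream.write"),
    "location_upload": ("LocationManager.getLastKnownLocation",
                        "HttpURLConnection.connect"),
}


def permission_vector(requested: Sequence[str]) -> List[int]:
    """P = (mu_1, ..., mu_k): mu_i is 1 iff the i-th system permission
    is requested by the application (as recovered from its manifest)."""
    wanted = set(requested)
    return [1 if perm in wanted else 0 for perm in SYSTEM_PERMISSIONS]


def count_chain_triggers(record: Sequence[str], chain: Sequence[str]) -> int:
    """Number of non-overlapping, in-order occurrences of `chain` in `record`."""
    triggers, pos = 0, 0           # pos: index of the next chain element wanted
    for call in record:
        if call == chain[pos]:
            pos += 1
            if pos == len(chain):  # whole chain seen: count it and restart
                triggers += 1
                pos = 0
    return triggers


def behavior_vector(record: Sequence[str]) -> List[float]:
    """S = (sigma_1, ..., sigma_m): triggers of each chain per thousand
    behaviour records, i.e. trigger count * 1000 / len(record)."""
    total = len(record)
    if total == 0:                 # no captured behaviour: nothing triggered
        return [0.0] * len(BEHAVIOR_CHAINS)
    return [count_chain_triggers(record, chain) * 1000.0 / total
            for chain in BEHAVIOR_CHAINS.values()]


def final_feature(requested: Sequence[str], record: Sequence[str]) -> List[float]:
    """F = (P, S): permission vector followed by behaviour vector."""
    return [float(x) for x in permission_vector(requested)] + behavior_vector(record)


# Constructed sample: permissions recovered from one decompiled APK and ten
# behaviour records captured while it ran.
SAMPLE_PERMISSIONS = ["android.permission.INTERNET",
                      "android.permission.READ_SMS",
                      "android.permission.SEND_SMS"]
SAMPLE_RECORD = [
    "SmsManager.getDefault", "SmsManager.sendTextMessage",
    "ContentResolver.query", "SmsManager.getDefault",
    "HttpURLConnection.connect", "SmsManager.sendTextMessage",
    "OutputStream.write", "Log.d", "Log.d", "Log.d",
]

if __name__ == "__main__":
    print("P =", permission_vector(SAMPLE_PERMISSIONS))   # [1, 1, 1, 0, 0]
    print("S =", behavior_vector(SAMPLE_RECORD))         # [200.0, 100.0, 0.0]
    print("F =", final_feature(SAMPLE_PERMISSIONS, SAMPLE_RECORD))
```

The resulting F vectors of labelled normal and malicious samples form the feature data sample set that the classifier is trained and tested on.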
Further, the permission feature acquisition unit 301 includes a behaviour record acquisition module, for injecting a native dynamic library file into the process space of the target application program; further for loading the native dynamic library; for modifying the corresponding Method structures of the Java-layer APIs in the Dalvik virtual machine instance; and for intercepting API calls by dynamic binding, thereby obtaining the behaviour record of the application program.
Further, the classifier generation unit 304 includes:
A feature data sample set generation module, for generating the feature data sample set from the final features of a plurality of known normal applications and malicious applications;
A sample set division module, for dividing the feature data sample set into a feature training sample set and a feature test sample set;
A classifier training module, for generating the classifier by the machine learning algorithm using the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
It can be seen that the Android system malicious application detection method and system provided by the present invention obtain data from the mobile application by proposing a behaviour chain model based on reverse engineering and dynamic behaviour collection, and detect unknown applications with a machine learning algorithm, thereby achieving effective identification of malicious applications with a higher accuracy rate and making up for the difficulty that traditional static detection methods have in detecting unknown applications; the detection method provided by the present invention does not require modification of the Android system source code, overcoming the defect of dynamic detection methods that must modify the Android operating system source code; and the detection method provided by the present invention combines static analysis with dynamic analysis so that the two complement each other, performs detection in the cloud, and reduces the performance overhead on the mobile terminal. It can thus be seen that the present invention provides an Android system malicious application detection method and system with high efficiency, low overhead, and no need to modify the Android system source code.
Those of ordinary skill in the art should understand that the discussion of any of the above embodiments is exemplary only and is not intended to imply that the scope of the present disclosure (including the claims) is limited to these examples; within the idea of the invention, the technical features of the above embodiments or of different embodiments may also be combined, the steps may be carried out in any order, and many other variations of the different aspects of the invention described above exist which, for simplicity, are not provided in detail.
In addition, for the sake of simplifying the description and discussion, and in order not to obscure the invention, the well-known power and ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided drawings. Furthermore, devices may be shown in block diagram form to avoid obscuring the invention, and this also takes into account the fact that the implementation details of such block diagram arrangements depend heavily on the platform on which the invention is implemented (that is, these details should be fully within the understanding of those skilled in the art). Where specific details (for example, circuits) are set forth to describe exemplary embodiments of the invention, it will be apparent to those skilled in the art that the invention can be implemented without these details or with these details changed. Therefore, these descriptions are to be regarded as illustrative rather than restrictive.
Although the invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications and variations of these embodiments will be apparent to those of ordinary skill in the art from the above description. For example, other memory architectures (for example, dynamic RAM (DRAM)) may use the embodiments discussed.
Embodiments of the invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omission, modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims (10)

1. An Android system malicious application detection method, characterised by comprising:
decompiling the installation file of an application program by reverse engineering to obtain a permission feature;
obtaining the behaviour record of the application program by a dynamic behaviour capture technique, and matching the behaviour record against a defined behaviour chain model to obtain a behaviour feature;
combining the behaviour feature and the permission feature into a final feature;
generating a feature data sample set from the final features of a plurality of known application programs, a machine learning algorithm generating a classifier using the feature data sample set;
inputting the final feature of an unknown application program into the generated classifier to obtain a conclusion as to whether the unknown application is a malicious application.
2. The Android system malicious application detection method according to claim 1, characterised in that said generating a feature data sample set from the final features of a plurality of known application programs, and said machine learning algorithm generating a classifier using the feature data sample set, comprise:
generating the feature data sample set from the final features of a plurality of known normal applications and malicious applications;
dividing the feature data sample set into a feature training sample set and a feature test sample set;
the machine learning algorithm generating the classifier using the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
3. The Android system malicious application detection method according to claim 2, characterised in that said decompiling the installation file of the application program by reverse engineering to obtain the permission feature comprises:
decompiling the installation file of the application program using a decompilation tool;
obtaining the permission feature and defining the permission feature vector $P = (\mu_1, \mu_2, \ldots, \mu_i, \ldots, \mu_k)$, where k is the total number of system permissions in the Android operating system and $\mu_i$ indicates whether the application has requested the i-th permission, $1 \le i \le k$, $\mu_i \in \{0, 1\}$, 0 meaning the permission was not requested and 1 meaning it was requested.
4. The Android system malicious application detection method according to claim 3, characterised in that said matching the behaviour record against the defined behaviour chain model to obtain the behaviour feature comprises:
matching the obtained behaviour record against the defined behaviour chain model to obtain the trigger count of each behaviour chain;
normalising the trigger counts of all behaviour chains to obtain the behaviour feature vector $S = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_m)$, where m is the total number of behaviour chain models and $\sigma_i$ is the number of triggers of the i-th behaviour chain model per thousand behaviour records;
and said combining the behaviour feature and the permission feature into the final feature comprises:
combining the permission feature vector P and the behaviour feature vector S into one final feature vector F:
$F = (\mu_1, \mu_2, \ldots, \mu_i, \ldots, \mu_k, \sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_m)$.
5. The Android system malicious application detection method according to any one of claims 1 to 4, characterised in that said obtaining the behaviour record of the application program by a dynamic behaviour capture technique comprises:
injecting a native dynamic library file into the process space of the target application program;
loading the native dynamic library;
modifying the corresponding Method structures of the Java-layer APIs in the Dalvik virtual machine instance;
intercepting API calls by dynamic binding, thereby obtaining the behaviour record of the application program.
6. An Android system malicious application detection system, characterised by comprising:
a permission feature acquisition unit, for decompiling the installation file of an application program by reverse engineering to obtain a permission feature;
a behaviour feature acquisition unit, for obtaining the behaviour record of the application program by a dynamic behaviour capture technique and matching the behaviour record against a defined behaviour chain model to obtain a behaviour feature;
a final feature generation unit, for combining the matched behaviour feature with the permission feature into a final feature;
a classifier generation unit, for generating a feature data sample set from the final features of a plurality of known application programs, a machine learning algorithm generating a classifier using the feature data sample set;
a detection unit, for inputting the final feature of an unknown application program into the generated classifier and detecting whether the unknown application is a malicious application.
7. The Android system malicious application detection system according to claim 6, characterised in that the classifier generation unit comprises:
a feature data sample set generation module, for generating the feature data sample set from the final features of a plurality of known normal applications and malicious applications;
a sample set division module, for dividing the feature data sample set into a feature training sample set and a feature test sample set;
a classifier training module, for generating the classifier by the machine learning algorithm using the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
8. The Android system malicious application detection system according to claim 7, characterised in that the permission feature acquisition unit is further configured to decompile the installation file of the application program using a decompilation tool to obtain the permission feature;
and to define the permission feature vector $P = (\mu_1, \mu_2, \ldots, \mu_i, \ldots, \mu_k)$, where k is the total number of system permissions in the Android operating system and $\mu_i$ indicates whether the application has requested the i-th permission, $1 \le i \le k$, $\mu_i \in \{0, 1\}$, 0 meaning the permission was not requested and 1 meaning it was requested.
9. The Android system malicious application detection system according to claim 8, characterised in that the behaviour feature acquisition unit is further configured to match the obtained behaviour record against the defined behaviour chain model to obtain the trigger count of each behaviour chain;
and to normalise the trigger counts of all behaviour chains to obtain the behaviour feature vector $S = (\sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_m)$, where m is the total number of behaviour chain models and $\sigma_i$ is the number of triggers of the i-th behaviour chain model per thousand behaviour records;
the final feature generation unit is further configured to combine the permission feature vector P and the behaviour feature vector S into one final feature vector F:
$F = (\mu_1, \mu_2, \ldots, \mu_i, \ldots, \mu_k, \sigma_1, \sigma_2, \ldots, \sigma_i, \ldots, \sigma_m)$.
10. The Android system malicious application detection system according to any one of claims 6 to 9, characterised in that the behaviour feature acquisition unit comprises a behaviour record acquisition module, for injecting a native dynamic library file into the process space of the target application program; further for loading the native dynamic library and modifying the corresponding Method structures of the Java-layer APIs in the Dalvik virtual machine instance; and for intercepting API calls by dynamic binding, thereby obtaining the behaviour record of the application program.
CN201611256933.2A 2016-12-30 2016-12-30 A kind of Android system malicious application detection method and system Pending CN106874761A (en)

Publications (1)

Publication Number Publication Date
CN106874761A true CN106874761A (en) 2017-06-20

Family

ID=59165355


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170620