CN107169351A - Android unknown malware detection method combining dynamic behaviour features - Google Patents

Info

Publication number: CN107169351A
Authority: CN (China)
Prior art keywords: software, step, feature, android, dynamic behaviour
Application number: CN201710331198.5A
Other languages: Chinese (zh)
Inventors: 潘丽敏, 张笈, 杨静雅, 罗森林
Original assignee: 北京理工大学 (Beijing Institute of Technology)
Priority date: 2017-05-11
Filing date: 2017-05-11
Publication date: 2017-09-15

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

The present invention relates to an Android unknown malware detection method combining dynamic behaviour features, and belongs to the field of computer and information science. First, the software to be detected is input into the system. The system then decompresses and decompiles the software package and extracts static features from the resulting files. At the same time, the system runs the package in an Android emulator, monitors the software's dynamic behaviour with a behaviour monitoring system based on an LKM (Loadable Kernel Module), and records a log from which the software's dynamic behaviour features are extracted. Finally, the extracted dynamic and static features are normalized and fed into a trained classification module, which automatically decides from the combined static and dynamic features whether the detected software is malware. The invention has high detection efficiency and accuracy and can be applied to security screening on software platforms such as Android application markets.

Description

Android unknown malware detection method combining dynamic behaviour features

Technical field

The present invention relates to an Android unknown malware detection method combining dynamic behaviour features, and belongs to the field of computer and information science.

Background technology

Since the birth of the Symbian 5.0 system in March 1999, smartphone operating systems have developed vigorously over more than a decade. In recent years, new-generation operating systems such as Android, Windows Phone and iOS have gradually taken most of the smartphone operating system market. Among them, Android, as an open-source operating system, has grown the fastest.

The rapid development of Android has not only brought convenience to a vast number of smartphone users; its huge market and commercial value have also attracted the attention of hackers worldwide. According to the Tencent Mobile Security Lab's "Mobile Phone Security Report for the First Half of 2016", 9.1825 million new Android virus packages appeared in the first half of 2016, a year-on-year increase of 53.90% and 9.15 times the number of new virus packages in the whole of 2014 (1.0033 million). Of these, 323,300 were new payment-related virus packages, a year-on-year increase of 986.14%, so the payment-virus situation is severe. In the first half of 2016 more than 200 million users were infected by mobile phone viruses, 3.12 times the total population of the United Kingdom and a year-on-year increase of 42.35%; 16.7033 million of them were infected by payment viruses, a year-on-year increase of 45.82%.

Surveying existing malware detection methods, the commonly used approaches are:

1. Feature database matching

This method first extracts features from malware, then matches them against an already established malware feature database to decide whether the software is malware. Because it must compare against a database of known malware features, it cannot detect unknown malware.

2. Machine learning

Because machine learning methods have achieved good results in detecting unknown malware on the PC platform, more and more research applies this kind of method to Android. Traditional feature database matching cannot detect unknown malware; existing machine-learning-based Android malware detection methods improve on it and can detect unknown malware, but using only static features or only dynamic features makes it hard to characterize the key attributes of malware comprehensively, which easily leads to false positives and false negatives and lowers detection performance. Detection efficiency also suffers if the extracted feature dimensionality is too high. On the data side, using more samples, with positive and negative samples kept as balanced in number as possible, can further raise detection accuracy.

In summary, existing detection methods cannot detect malware efficiently, accurately and comprehensively, so the present invention proposes an Android unknown malware detection method combining dynamic behaviour features.

Summary of the invention

The purpose of the present invention is to improve the accuracy of detecting unknown Android malware and to reduce the dimensionality of the extracted features, by proposing an Android unknown malware detection method combining dynamic behaviour features.

The design principle of the present invention is as follows: dynamic behaviour feature extraction and static file feature extraction are performed on the Android software to be detected, and a classification algorithm classifies the result to decide whether the software is malware. First, the software to be detected is input into the system. Then the system decompresses and decompiles the software package and extracts static features from the resulting files; at the same time, it runs the package in an Android emulator, monitors the software's dynamic behaviour with an application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module), and records a log from which the dynamic behaviour features are extracted. Finally, the extracted dynamic and static features are normalized and fed into a trained classification module, which automatically decides from the combined features whether the detected software is malware.

The technical scheme of the invention is achieved by the following steps:

Step 1: take the apk package of the Android software as input and extract its static file features.

Step 2: monitor the software's dynamic behaviour with an application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module) and extract its dynamic behaviour features. Concretely:

Step 2.1: when the monitored software attempts to perform a malicious action, the system first hijacks and replaces the Linux system call corresponding to that action.

Step 2.2: in the replacement system call handler, the system call's parameters are parsed to decide which kind of behaviour has been observed.

Step 2.3: the monitored software's malicious behaviour is recorded in a log, the log is analysed, and the software's dynamic behaviour features are extracted.

Step 3: take the union of the results of Step 1 and Step 2 as the initial feature set.

Step 4: use a feature selection algorithm to pick from the initial feature set the features most valuable for classification, reducing the feature dimensionality and filtering out an essential feature set.

Step 5: take the selected essential feature set as input, train a classifier with a classification algorithm, generate the final malware detection model, and use it to detect the samples to be detected.

Beneficial effects

Compared with traditional feature database matching, the present invention can detect unknown malware.

Compared with existing machine-learning-based Android malware detection methods, the present invention monitors the software's dynamic behaviour with an LKM-based application behaviour monitoring method and extracts dynamic behaviour features by analysing the monitoring log. This gives higher accuracy in monitoring software behaviour, and combining the dynamic behaviour features of malicious code better characterizes the essence of a sample, raising detection accuracy. At the same time the feature dimensionality is reduced, which raises detection efficiency.

Brief description of the drawings

Fig. 1 is a schematic diagram of the Android unknown malware detection method combining dynamic behaviour features proposed by the present invention;

Fig. 2 is a schematic diagram of static feature extraction in the Android unknown malware detection method combining dynamic behaviour features proposed by the present invention;

Fig. 3 is a schematic diagram of dynamic feature extraction in the Android unknown malware detection method combining dynamic behaviour features proposed by the present invention;

Fig. 4 is a schematic diagram of dynamic behaviour monitoring in the Android unknown malware detection method combining dynamic behaviour features proposed by the present invention.

Embodiment

To better illustrate the objects and advantages of the present invention, the method is described in further detail below with reference to an embodiment. The illustrative embodiment and its explanation serve to explain the invention and do not limit it. The concrete procedure is:

Step 1: extract the software's static features.

Step 1.1: the static feature extraction module decompresses and decompiles the detected software.

Step 1.2: extract features separately from the dex and so files obtained by decompression. From the dex file the following features are extracted: dex file header information; string offset value and count; type offset value and count; method prototype offset value and count; field offset value and count; class definition offset value and count. From the so files the following features are extracted: ELF file header information, system call information, section header information, symbol table, global offset table, program segments, dynamic segment, dynamic symbol section and relocation section.

Step 1.3: extract features separately from the smali and xml files obtained by decompilation. From smali files: class name, parent class name, resource names, method information (name, parameters, return value) and function call information. From xml files: software version information, package information, permission requests and program component information (receiver, activity, service and provider).

Step 1.4: normalize the extracted features into the input form of the classification algorithm; 69 static feature dimensions are extracted in total.
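The header-level part of Step 1.2 in working code, as an added example that is not part of the patent or its implementation: it parses the fixed dex header (the six table count/offset pairs the step names, plus version, file size and checksum) and the ELF32 header of a 32-bit ARM .so, and flattens them into one numeric vector. The dex and ELF header layouts are the published formats; the two sample headers are constructed here (their sizes, offsets and checksum are invented, not taken from any real app), and the field names and the `static_feature_vector` function are this example's own. Standard library only.

```python
import struct

# Dalvik dex header: magic(8) checksum(u4) signature(20) then 20 u4 fields, 0x70 bytes total.
DEX_HEADER_FMT = "<8sI20s20I"
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)  # 0x70
DEX_U4_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
)
# The six (count, offset) pairs Step 1.2 names as dex features.
DEX_TABLES = ("string_ids", "type_ids", "proto_ids", "field_ids", "method_ids", "class_defs")

# ELF32 header (32-bit ARM .so): e_ident(16) then the fixed fields, 52 bytes total.
ELF32_HEADER_FMT = "<16sHHIIIIIHHHHHH"
ELF32_FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
                "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
                "e_shnum", "e_shstrndx")


def dex_header_features(data):
    """Header-level static features of a classes.dex, as a dict."""
    if len(data) < DEX_HEADER_SIZE:
        raise ValueError("truncated dex header")
    magic, checksum, _signature, *u4 = struct.unpack_from(DEX_HEADER_FMT, data, 0)
    if magic[:4] != b"dex\n" or magic[7:8] != b"\0":
        raise ValueError("not a dex file")
    hdr = dict(zip(DEX_U4_FIELDS, u4))
    if hdr["header_size"] != DEX_HEADER_SIZE or hdr["endian_tag"] != 0x12345678:
        raise ValueError("unexpected dex header size or endianness")
    feats = {"dex_version": int(magic[4:7]), "dex_file_size": hdr["file_size"],
             "dex_checksum": checksum}
    for table in DEX_TABLES:                      # count and offset of each id table
        feats[table + "_size"] = hdr[table + "_size"]
        feats[table + "_off"] = hdr[table + "_off"]
    return feats


def elf32_header_features(data):
    """ELF header fields of a 32-bit little-endian .so, as a dict."""
    ident, *vals = struct.unpack_from(ELF32_HEADER_FMT, data, 0)
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if ident[4] != 1 or ident[5] != 1:
        raise ValueError("only ELF32 little-endian (32-bit ARM .so) is handled here")
    hdr = dict(zip(ELF32_FIELDS, vals))
    return {k: hdr[k] for k in ("e_type", "e_machine", "e_entry", "e_phnum", "e_shnum", "e_flags")}


def static_feature_vector(dex_bytes, so_bytes):
    """Flatten both dicts into one fixed-order numeric vector (the classifier's input form)."""
    dex, elf = dex_header_features(dex_bytes), elf32_header_features(so_bytes)
    names = sorted(dex) + sorted(elf)
    return names, [dex[n] for n in sorted(dex)] + [elf[n] for n in sorted(elf)]


# --- Constructed sample inputs (invented values, not real app files) --------------------------
def build_sample_dex_header():
    h = dict(file_size=0x4000, header_size=0x70, endian_tag=0x12345678, link_size=0, link_off=0,
             map_off=0x3F00, string_ids_size=120, string_ids_off=0x70,
             type_ids_size=40, type_ids_off=0x250, proto_ids_size=30, proto_ids_off=0x2F0,
             field_ids_size=50, field_ids_off=0x458, method_ids_size=80, method_ids_off=0x5E8,
             class_defs_size=10, class_defs_off=0x868, data_size=0x4000 - 0x9A8, data_off=0x9A8)
    return struct.pack(DEX_HEADER_FMT, b"dex\n035\0", 0xDEADBEEF, b"\0" * 20,
                       *[h[n] for n in DEX_U4_FIELDS])


def build_sample_elf32_header():
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELF32, little-endian, version 1
    # ET_DYN=3, EM_ARM=40, version, e_entry, e_phoff, e_shoff, e_flags, ehsize=52,
    # phentsize=32, phnum=7, shentsize=40, shnum=25, shstrndx=24
    return struct.pack(ELF32_HEADER_FMT, ident, 3, 40, 1, 0x1C40, 52, 0x1A000, 0x5000400,
                       52, 32, 7, 40, 25, 24)


if __name__ == "__main__":
    names, vec = static_feature_vector(build_sample_dex_header(), build_sample_elf32_header())
    for n, v in zip(names, vec):
        print("%-22s %d" % (n, v))
```

On a real apk the same functions are applied to `classes.dex` and each `lib/armeabi*/*.so` after unzipping; the section-level so features the step lists (symbol tables, GOT, relocations) need the section header table that `e_shoff`, `e_shnum` and `e_shentsize` point to, which is where a fuller parser would continue.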

Step 2: extract the software's dynamic features with the LKM-based application behaviour monitoring method.

Step 2.1: run the detected software in an Android emulator environment while feeding it a pseudo-random event stream with the Monkey tool to trigger its behaviour.

Step 2.2: when the monitored software performs a malicious action, the system call is made by trapping through the swi (software interrupt) instruction. The swi vector is at offset 0x08 of the exception vector table; the ARMv7-series processors used by Android run with high vectors, so the swi vector address is 0xFFFF0008, and the entry address of the corresponding interrupt service routine is located at the position 2 bytes offset from the swi vector address. Then, in the kernel source file arch/arm/kernel/entry-common.S, within the ENTRY(vector_swi) code block, search downward after the zero_fp instruction until the opcode for the statement `adr tbl, sys_call_table` is found; from that instruction the address of sys_call_table can be calculated. Once the entry address of the system call table is known, the corresponding system call can be replaced.

Step 2.3: from the system call parameters it is determined which kind of behaviour of the software is being observed. The method mainly monitors three classes of behaviour: obtaining system services (including sending SMS, making calls, obtaining the phone number, etc.), network connections, and privilege escalation.

Step 2.4: record the monitored behaviour in a log.

Step 2.5: analyse the monitoring log and extract five classes of dynamic behaviour features: inbound and outbound network data, file read/write operations, background start/stop of services, information leakage (over the network and by SMS), and SMS messages sent and phone numbers dialled. A dynamic feature set is built from these, with 32 dynamic feature dimensions in total.
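The address walk of Step 2.2, and the table entry replacement of Step 2.1, in working code, as an added example that is not the patent's LKM: it decodes the two A32 instructions the walk depends on (`ldr pc, [pc, #imm]` at the swi vector, then `add/sub Rd, pc, #rotated-imm8`, which is what `adr Rd, label` assembles to), finds the first `adr` whose destination is `tbl`, and swaps one entry of the resulting table. Two assumptions that the patent does not spell out: that the word at 0xFFFF0008 is an `ldr pc, [pc, #imm]` whose literal holds the address of `vector_swi`, and that `tbl` is r8 (the alias entry-common.S uses). The kernel image, every address in it and the syscall handler addresses are constructed for the example; the encoders exist only to build it. Standard library only; the same decoders would run unchanged over bytes read from a real kernel by an LKM.

```python
PC_AHEAD = 8               # in ARM state, pc as read by an instruction is that instruction's address + 8
VECTORS_BASE = 0xFFFF0000  # high vectors, as on Android's ARMv7 kernels
SWI_VECTOR = VECTORS_BASE + 0x08
TBL = 8                    # `tbl` in entry-common.S is an alias for r8 (assumption of this example)


def ror32(value, n):
    n %= 32
    return ((value >> n) | (value << (32 - n))) & 0xFFFFFFFF


class KernelImage:
    """Word-addressable stand-in for the kernel memory an LKM reads and patches (constructed)."""
    def __init__(self):
        self.words = {}

    def write32(self, addr, value):
        self.words[addr] = value & 0xFFFFFFFF

    def read32(self, addr):
        return self.words[addr]


def decode_ldr_pc_literal(insn, insn_addr):
    """`ldr pc, [pc, #+/-imm12]` (A32 0xE59FFxxx / 0xE51FFxxx): return the literal's address."""
    if (insn & 0x0FFFF000) not in (0x059FF000, 0x051FF000):
        raise ValueError("not `ldr pc, [pc, #imm]`: 0x%08x" % insn)
    imm = insn & 0xFFF
    return insn_addr + PC_AHEAD + (imm if insn & (1 << 23) else -imm)   # bit 23 is the U (add) bit


def decode_adr(insn, insn_addr):
    """`add/sub Rd, pc, #imm` (what `adr Rd, label` assembles to): return (Rd, target) or None."""
    op = insn & 0x0FFF0000
    if op not in (0x028F0000, 0x024F0000):        # ADD Rd, pc, #imm / SUB Rd, pc, #imm
        return None
    rd = (insn >> 12) & 0xF
    imm = ror32(insn & 0xFF, 2 * ((insn >> 8) & 0xF))   # imm8 rotated right by 2*rotate
    base = insn_addr + PC_AHEAD
    return rd, (base + imm if op == 0x028F0000 else base - imm) & 0xFFFFFFFF


def find_sys_call_table(mem, max_words=128):
    """Step 2.2: swi vector -> vector_swi -> first `adr tbl, ...`, whose target is sys_call_table."""
    literal = decode_ldr_pc_literal(mem.read32(SWI_VECTOR), SWI_VECTOR)
    vector_swi = mem.read32(literal)
    for addr in range(vector_swi, vector_swi + 4 * max_words, 4):
        hit = decode_adr(mem.read32(addr), addr)
        if hit and hit[0] == TBL:                 # `adr lr, ...` earlier in vector_swi is skipped
            return hit[1]
    raise LookupError("no `adr tbl, sys_call_table` within %d words of vector_swi" % max_words)


def hook_syscall(mem, table, nr, new_handler):
    """Step 2.1: swap entry `nr` of the table for the monitor's handler; return the original."""
    slot = table + 4 * nr
    original = mem.read32(slot)
    mem.write32(slot, new_handler)
    return original


# --- encoders used only to build the constructed image below ---------------------------------
def encode_arm_imm(value):
    for rot in range(16):
        imm8 = ror32(value, 32 - 2 * rot)         # undo the rotate-right-by-2*rot the CPU applies
        if imm8 < 0x100:
            return rot, imm8
    raise ValueError("0x%x is not an ARM modified immediate" % value)


def encode_adr(rd, insn_addr, target):
    off = target - (insn_addr + PC_AHEAD)
    rot, imm8 = encode_arm_imm(abs(off))
    return (0xE28F0000 if off >= 0 else 0xE24F0000) | (rd << 12) | (rot << 8) | imm8


def encode_ldr_pc_literal(insn_addr, literal_addr):
    off = literal_addr - (insn_addr + PC_AHEAD)
    if not -0xFFF <= off <= 0xFFF:
        raise ValueError("literal out of range")
    return (0xE59FF000 if off >= 0 else 0xE51FF000) | abs(off)


def build_sample_image():
    """Constructed image: all addresses are invented, only the instruction shapes are real."""
    mem = KernelImage()
    vector_swi, sys_call_table = 0xC000D000, 0xC000D414
    literal = VECTORS_BASE + 0xFF0                # literal pool word holding vector_swi's address
    mem.write32(SWI_VECTOR, encode_ldr_pc_literal(SWI_VECTOR, literal))
    mem.write32(literal, vector_swi)
    mem.write32(vector_swi + 0x0, 0xE3A0B000)     # zero_fp: mov fp, #0
    mem.write32(vector_swi + 0x4, 0xE1A00000)     # filler: mov r0, r0
    mem.write32(vector_swi + 0x8, encode_adr(14, vector_swi + 0x8, vector_swi + 0x100))  # adr lr, ret_fast_syscall
    mem.write32(vector_swi + 0xC, encode_adr(TBL, vector_swi + 0xC, sys_call_table))     # adr tbl, sys_call_table
    # ARM EABI numbers: __NR_write=4, __NR_open=5, __NR_connect=283; handler addresses invented
    for nr, handler in ((4, 0xC0101000), (5, 0xC0101100), (283, 0xC0102000)):
        mem.write32(sys_call_table + 4 * nr, handler)
    return mem, sys_call_table


if __name__ == "__main__":
    mem, table = build_sample_image()
    found = find_sys_call_table(mem)
    old = hook_syscall(mem, found, 283, 0xBF000000)   # point connect() at the monitor's stub
    print("sys_call_table at 0x%08x, connect() was 0x%08x" % (found, old))
```

On a real device the table page is read-only, so an LKM must make it writable before the write (and restore the original entry on unload); the address walk also breaks on kernels that load vector_swi's address differently or on Thumb-2 kernels, which is why checking the decoded instruction shape, as the decoders here do, matters before trusting the computed address.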

Step 3: take the union of the 69 extracted static feature dimensions and the 32 dynamic feature dimensions as the initial feature set.

Step 4: feature dimensionality reduction.

Step 4.1: with a filter method, select the features whose χ² value, information gain and information gain ratio are all greater than 0: 68 dimensions in total.

Step 4.2: with a wrapper method, evaluate feature subsets; the experimental result is "Merit of best subset found: 0.963", and the selected subset has 37 dimensions in total.

Step 4.3: take the intersection of the two methods' results to build the essential feature set: 33 dimensions in total, of which 21 are static features and 12 are dynamic features.

Step 5: detection with the random forest algorithm.

Step 5.1: take the selected 33-dimensional essential feature set as the input to the random forest algorithm.

Step 5.2: train the classifier with the random forest algorithm, using ten-fold cross-validation to train the detection model and tune its parameters. The number of trees is generally taken as the square of the number of features, and detection accuracy is highest when the number of randomly selected features is 15.

Step 5.3: detect the samples to be detected.
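Steps 4.1 and 4.3 in working code, as an added example that is not the patent's own implementation: the three filter scores (Pearson χ², information gain and gain ratio) are computed from scratch for each feature against the malware/benign label, features with all three above zero are kept, and the result is intersected with a wrapper-selected subset. The wrapper search of Step 4.2 is not reimplemented; its output is assumed as a constant set. The eight-sample dataset and the feature names are constructed for the example, with one feature of each kind the filter must handle: perfectly separating, partially informative, constant (zero entropy, so the gain ratio must not divide by zero) and label-independent. Standard library only; continuous features such as offsets or counts would have to be discretized before these scores apply.

```python
import math
from collections import Counter

EPS = 1e-12   # tolerance for "greater than 0" on floating-point scores


def entropy(values):
    """Shannon entropy in bits of a discrete sample."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def information_gain(column, labels):
    """H(Y) - H(Y | X) for one feature column X against the class labels Y."""
    n = len(labels)
    conditional = 0.0
    for v in set(column):
        subset = [y for x, y in zip(column, labels) if x == v]
        conditional += len(subset) / n * entropy(subset)
    return entropy(labels) - conditional


def gain_ratio(column, labels):
    """IG normalized by the feature's own entropy; 0 for a constant feature."""
    hx = entropy(column)
    return information_gain(column, labels) / hx if hx > 0 else 0.0


def chi_square(column, labels):
    """Pearson chi-square of the feature/label contingency table (no Yates correction)."""
    n = len(labels)
    observed = Counter(zip(column, labels))
    row, col = Counter(column), Counter(labels)
    stat = 0.0
    for x in row:
        for y in col:
            expected = row[x] * col[y] / n        # > 0 because x and y each occur at least once
            stat += (observed[(x, y)] - expected) ** 2 / expected
    return stat


def filter_select(features, labels):
    """Step 4.1: keep features whose chi-square, IG and gain ratio are all > 0."""
    scores = {name: (chi_square(col, labels), information_gain(col, labels), gain_ratio(col, labels))
              for name, col in features.items()}
    kept = [name for name, s in scores.items() if all(v > EPS for v in s)]
    return kept, scores


def essential_feature_set(features, labels, wrapper_selected):
    """Step 4.3: intersect the filter result with the subset the wrapper search returned."""
    kept, _ = filter_select(features, labels)
    return [name for name in kept if name in wrapper_selected]


# --- Constructed data: 8 samples, label 1 = malware, 0 = benign; binary feature columns ----------
LABELS = [1, 1, 1, 1, 0, 0, 0, 0]
FEATURES = {
    "perm_SEND_SMS":        [1, 1, 1, 1, 0, 0, 0, 0],   # separates the classes perfectly
    "dyn_sms_sent":         [1, 1, 1, 0, 1, 0, 0, 0],   # partially informative
    "perm_INTERNET":        [1, 1, 1, 1, 1, 1, 1, 1],   # constant: zero chi-square and zero IG
    "dex_class_defs_large": [1, 0, 1, 0, 1, 0, 1, 0],   # independent of the label
}
WRAPPER_SUBSET = {"perm_SEND_SMS", "dyn_sms_sent", "dex_class_defs_large"}   # assumed wrapper output

if __name__ == "__main__":
    kept, scores = filter_select(FEATURES, LABELS)
    for name, (chi2, ig, gr) in scores.items():
        print("%-22s chi2=%.3f IG=%.3f GR=%.3f %s" % (name, chi2, ig, gr, "keep" if name in kept else "drop"))
    print("essential:", essential_feature_set(FEATURES, LABELS, WRAPPER_SUBSET))
```

With these inputs the constant permission and the label-independent feature both score exactly zero on every criterion and are dropped, while the wrapper subset's inclusion of `dex_class_defs_large` is overridden by the intersection, which is the point of combining the two selection methods.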

Test results

The method was tested on the malware sample set of Yajin Zhou's team at North Carolina State University, which contains 1260 malware samples in 49 families. The present invention effectively detects unknown malware samples, with an accuracy of 97.5%.

The specific description above further explains the purpose, technical scheme and beneficial effects of the invention. It should be understood that the foregoing is only a specific embodiment of the present invention and is not intended to limit its scope of protection; any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the invention shall be included in its scope of protection.

Claims (3)

1. An Android unknown malware detection method combining dynamic behaviour features, characterised in that the method comprises the following steps:
Step 1: take the apk package of the Android software as input and extract its static file features;
Step 2: monitor the software's dynamic behaviour with an application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module) and extract its dynamic behaviour features;
Step 3: take the union of the results of Step 1 and Step 2 as the initial feature set;
Step 4: use a feature selection algorithm to pick from the initial feature set the features most valuable for classification, reducing the feature dimensionality and filtering out an essential feature set;
Step 5: take the selected essential feature set as input, train a classifier with a classification algorithm, generate the final malware detection model, and use it to detect the samples to be detected.
2. The Android unknown malware detection method combining dynamic behaviour features according to claim 1, characterised in that the specific steps of the application behaviour monitoring method based on an LKM (Linux Loadable Kernel Module) comprise:
Step 2.1: when the monitored software attempts to perform a malicious action, the system first hijacks and replaces the Linux system call corresponding to that action;
Step 2.2: in the replacement system call handler, the system call's parameters are parsed to decide which kind of behaviour has been observed;
Step 2.3: the monitored software's malicious behaviour is recorded in a log, the log is analysed, and the software's dynamic behaviour features are extracted.
3. The Android unknown malware detection method combining dynamic behaviour features according to claim 1, characterised in that the software's static file features and dynamic behaviour features are combined, which effectively improves the accuracy of unknown malware detection.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710331198.5A 2017-05-11 2017-05-11 Android unknown malware detection method combining dynamic behaviour features (CN107169351A, en)

Publications (1)

Publication Number Publication Date
CN107169351A 2017-09-15

Family ID: 59814994

Country Status (1)

Country Link
CN (1) CN107169351A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107659570A * 2017-09-29 2018-02-02 杭州安恒信息技术有限公司 Webshell detection method and system based on machine learning and static/dynamic analysis
CN108345793A * 2017-12-29 2018-07-31 北京物资学院 Method and device for extracting software detection features
CN108345794A * 2017-12-29 2018-07-31 北京物资学院 Malware detection method and device
CN108734012A * 2018-05-21 2018-11-02 上海戎磐网络科技有限公司 Malware identification method, device and electronic equipment
CN109818945A * 2019-01-11 2019-05-28 中国科学院信息工程研究所 Application behaviour feature selection method and device

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104363240A (en) * 2014-11-26 2015-02-18 国家电网公司 Unknown threat comprehensive detection method based on information flow behavior validity detection
CN104361285A (en) * 2014-11-20 2015-02-18 工业和信息化部电信研究院 Method and device for detecting security of application programs of mobile devices
CN104462973A (en) * 2014-12-18 2015-03-25 上海斐讯数据通信技术有限公司 System and method for detecting dynamic malicious behaviors of application program in mobile terminal
CN104598823A * 2015-01-21 2015-05-06 华东师范大学 Kernel level rootkit detection method and system in Android system
CN105069354A (en) * 2015-07-31 2015-11-18 天津大学 Attack tree model based Android software hybrid detection method
CN105205396A (en) * 2015-10-15 2015-12-30 上海交通大学 Detecting system for Android malicious code based on deep learning and method thereof
CN105426760A (en) * 2015-11-05 2016-03-23 工业和信息化部电信研究院 Detection method and apparatus for malicious android application
CN105447388A (en) * 2015-12-17 2016-03-30 福建六壬网安股份有限公司 Android malicious code detection system and method based on weight
CN105893848A (en) * 2016-04-27 2016-08-24 南京邮电大学 Precaution method for Android malicious application program based on code behavior similarity matching
CN105897807A (en) * 2015-01-14 2016-08-24 江苏博智软件科技有限公司 Mobile intelligent terminal abnormal code cloud detection method based on behavioral characteristics
CN105956468A (en) * 2016-04-22 2016-09-21 中国科学院信息工程研究所 Method and system for detecting Android malicious application based on file access dynamic monitoring
CN106341282A (en) * 2016-11-10 2017-01-18 广东电网有限责任公司电力科学研究院 Malicious code behavior analyzer


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination