CN108280350A - A multi-feature detection method for Android mobile network terminal malware - Google Patents
A multi-feature detection method for Android mobile network terminal malware
- Publication number: CN108280350A
- Application number: CN201810109044.6A
- Authority: CN (China)
- Prior art keywords: software, malware, feature, family, sample
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2411—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines

- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
Abstract
The invention discloses a multi-feature detection method for Android mobile network terminal malware. The method comprises the following steps: Step 1, obtain an Android software data set including malicious and non-malicious samples; Step 2, analyse the installation package of the malware, extract the installation package features of the software and construct an installation package feature vector; Step 3, obtain the permissions applied for by the software and build a permissions list; Step 4, decompile the installation package of the malware, build the software's sensitive behavior graph and extract the software's sensitive behavior set; Step 5, perform statistical analysis on the features of the software belonging to the same malware family among the malicious samples and construct a malware family feature database; Step 6, extract the features of the software under test and perform the maliciousness judgement and the malware family classification. The invention selects software package features, permission features and software sensitive-behavior call features as the basis for judging malware, which improves the accuracy of malicious-behavior detection while providing the ability to classify malware families.
Description
Technical field
The invention belongs to the fields of mobile software analysis and information security, and in particular relates to a multi-feature detection method for Android mobile network terminal malware.
Background technology
Multi-label detection of Android malicious code is a challenging problem in both academia and industry: besides judging whether software is malicious, the detector should also give the family to which the software belongs. Smartphone applications now reach every aspect of people's lives, and the Android system holds a large share of the smartphone market, so accurately detecting Android malicious code is of great significance and value for protecting the privacy and property of Android users.
Existing Android malware detection techniques fall broadly into two classes: detection based on static analysis and detection based on dynamic analysis. Dynamic analysis simulates the execution of the software and can bypass the code obfuscation and encryption that static methods run into; however, dynamic testing has low code coverage, and some malicious programs can prevent themselves from running under an emulator. Static analysis mainly uses decompilation techniques or performs control-flow and data-flow analysis on the smali intermediate code; it can analyse software automatically, has high detection efficiency and high code coverage, and is suitable for analysing large numbers of software samples. Its disadvantage is that static methods have difficulty with code obfuscation, encryption, and malicious code that is only decoded during dynamic execution. To cope with this problem, some researchers have taken encryption, dynamic code loading and dynamic loading of native code into account in malware detection, for example RiskRanker and DroidRanger.
Many scholars have carried out research on multi-label detection methods for Android malware. Daniel Arp et al. proposed a multi-label detection method for Android malicious code based on static analysis, which extracts a large number of static features from the software installation package and classifies them with a support vector machine, achieving efficient detection; Yu Feng et al. proposed a feature description language for describing Android malware families and classified the software under test with a feature-matching algorithm, achieving semantics-based Android malware detection; Chao Yang et al. described the logical behavior of software with a two-level behavior graph representation, combined static taint analysis with inter-component behavior graphs, judged the maliciousness of software through malicious-behavior pattern analysis, and classified malware families.
However, most existing research on multi-label detection of Android malware analyses all malware samples together, extracts the features that malware possesses, and uses these as the basis for judging the maliciousness of the software under test. Malware belonging to different families exhibits different malicious behaviors, and the features that express its maliciousness also differ considerably, while malware of the same family exhibits similar malicious behavior. Existing malware detection tools have weak multi-label detection capability: when tools such as McAfee detect the malicious samples in the Genome data set, more than 90% of the samples are detected as Trojan or Downloader, although they actually belong to many different malware families (such as DroidDream). Therefore speed and accuracy need to be improved further, and efficient multi-label malware detection methods need to be studied.
Invention content
The purpose of the invention is to provide a multi-feature detection method for Android mobile network terminal malware that extracts the features of Android malware effectively, improves the precision of Android malware detection, and has the ability to classify Android malware families.
The technical solution that realizes the invention is a multi-feature detection method for Android mobile network terminal malware that specifically comprises the following steps:
Step 1: obtain Android malware samples and mark the Android malware family to which each sample belongs, then obtain non-malicious software samples, so as to build a data set of malicious and non-malicious software samples;
Step 2: extract the installation package features of the software, including whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present and whether subprograms are present, so as to construct the installation package feature vector F;
Step 3: process the Android software sample with a decompilation tool, parse the AndroidManifest.xml file, and extract the permissions list P applied for by the software according to the tag fields in the XML;
Step 4: decompile the installation package, build the software's function call graph, locate the security-sensitive methods in it and build the software's sensitive behavior graph SBG; then obtain the contextual information of the security-sensitive methods with a data-flow analysis method, and form the software's sensitive behavior set SBS from the security-sensitive methods that are called directly or indirectly;
Step 5: perform statistical analysis on the features of the software belonging to the same malware family among the malicious samples, obtain the probability with which each feature component occurs, and construct the Android malware family multi-feature model M, so as to build the malware family feature database;
Step 6: extract the features of the software under test with the methods of steps 2 to 4, match the features of the software under test against the malware family feature database, and take the name of the malware family with the highest similarity; if the similarity exceeds the threshold, output that the software is malware together with the malware family it belongs to, otherwise output that the software is benign.
Compared with the prior art, the notable advantages of the invention are: 1) the invention proposes a multi-feature detection method for Android mobile network terminal malware that is based on static analysis and, for different malware families, analyses software from three aspects: software package features, application permission features and software behavior call features; 2) the invention uses statistical analysis to extract the features of malware families and construct a malware family feature database, and proposes a multi-label malware detection method based on this feature database, which achieves good precision both in the maliciousness judgement and in the malware family classification.
The invention is further elaborated below in conjunction with the accompanying drawings.
Description of the drawings
Fig. 1 is the flow chart of the multi-feature detection method for Android mobile network terminal malware of the invention.
Fig. 2 compares the malware detection precision and malware family classification precision of the invention with those of some of the engines in VirusTotal.
Specific implementation mode
With reference to the drawings, the multi-feature detection method for Android mobile network terminal malware of the invention comprises the following steps:
Step 1: obtain Android malware samples and mark the Android malware family to which each sample belongs, then obtain non-malicious software samples, so as to build a data set of malicious and non-malicious software samples;
Step 2: extract the installation package features of the software, including whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present and whether subprograms are present, so as to construct the installation package feature vector F;
An abnormal file is a file whose suffix does not match the file type indicated by the file content itself. Whether .so files are present is checked, and whether a library file is a root exploit file is judged by its MD5 value; whether subprograms are present is judged by whether jar files, dex files or apk files are present.
Step 3: process the Android software sample with a decompilation tool, parse the AndroidManifest.xml file, and extract the permissions list P applied for by the software according to the tag fields in the XML;
Step 4: decompile the installation package, build the software's function call graph, locate the security-sensitive methods in it and build the software's sensitive behavior graph SBG; then obtain the contextual information of the security-sensitive methods with a data-flow analysis method, and form the software's sensitive behavior set SBS from the security-sensitive methods that are called directly or indirectly;
The security-sensitive methods include permission-protected methods, information-flow Source/Sink methods and other suspicious methods. Permission-protected methods are the APIs that can only be used in the Android system after the corresponding permission has been applied for; information-flow Source/Sink methods are methods that may produce or send sensitive information; other suspicious methods include dynamic loading functions, reflection functions, encryption and decryption functions, and functions that execute or call native code.
The software function call graph built is the following four-tuple:

$SBG = (V_D, V_N, E, \mu)$

where $V_D$ is a subset of the node set of the software's sensitive behavior call graph, and any node $v_d \in V_D$ is a security-sensitive method; $V_N$ is a subset of the node set of the software's sensitive behavior call graph, and any node $v_n \in V_N$ is a non-security-sensitive method that directly or indirectly invokes a security-sensitive method; $E \subseteq V_N \times V_D$ is the set of edges of the software's sensitive behavior call graph and represents the call relations between methods: any edge $e = (v_n, v_d) \in E$ indicates that the non-security-sensitive method $v_n \in V_N$ in the software directly or indirectly invokes the security-sensitive method $v_d \in V_D$, or that the method $v_n$ in component $C_s$ directly or indirectly triggers the method $v_d$ in component $C_t$ through ICC; the labeling function $\mu: V_D \to \langle ID, EntryType, Para \rangle$ marks the content contained in a node of the graph, i.e. the contextual information of the method, including the method ID, the entry point type EntryType and the parameters Para.
The sensitive behavior set is the following set:

$SBS = \{S_1, \ldots, S_i, \ldots, S_m\}$

where $S_i = \{v \mid (v_i, v) \in E \wedge v_i \in V_N \wedge v \in V_D\}$ is a set of security-sensitive methods, namely the set of all security-sensitive methods that the i-th non-security-sensitive method of the set $V_N$ directly or indirectly calls in the sensitive behavior call graph $SBG = (V_D, V_N, E, \mu)$; $m = |V_N|$ is the length of the set SBS.
Step 5: perform statistical analysis on the features of the software belonging to the same malware family among the malicious samples, obtain the probability with which each feature component occurs, and construct the Android malware family multi-feature model M, so as to build the malware family feature database;
The Android malware family multi-feature model built is the following six-tuple:

$M = (SBS^c, \alpha, F^c, \beta, P^c, \gamma)$

where $SBS^c$ is the sensitive behavior set shared by the malware family, obtained by statistical analysis of the sensitive behavior sets SBS of the samples of the same malware family; the labeling function $\alpha$ marks the probability with which each sensitive method set in $SBS^c$ occurs in the samples of the malware family; $F^c$ is the shared software installation package feature vector that the samples of the malware family have, obtained by analysing and counting the installation package feature vectors F of the samples of the same malware family; the labeling function $\beta: f \in F^c \to [0, 1]$ marks the probability with which each feature in $F^c$ occurs in the samples of the malware family; $P^c$ is the list of permissions that the samples of the malware family frequently apply for, obtained by analysing and counting the permissions lists P of the samples of the same malware family; the labeling function $\gamma: p \in P^c \to [0, 1]$ marks the probability with which each permission in $P^c$ occurs in the samples of the malware family.
Step 6: extract the features of the software under test with the methods of steps 2 to 4, match the features of the software under test against the malware family feature database, and take the name of the malware family with the highest similarity; if the similarity exceeds the threshold, output that the software is malware together with the malware family it belongs to, otherwise output that the software is benign.
The similarity between the software under test and a malware family is expressed as follows:
where $S_f$ is the similarity of the software feature vectors, $S_p$ the similarity of the permissions lists, $S_{sbs}$ the similarity of the sensitive behavior sets, and $\mu_i$ the weight of each similarity in the calculation;
The software feature vector similarity $S_f$ is computed as follows: given the feature vector $F = \{f_1, f_2, f_3, \ldots, f_m\}$ of the software under test, the feature vector $F^c = \{f_1^c, f_2^c, f_3^c, \ldots, f_m^c\}$ of the malware family multi-feature model to be matched and the corresponding labeling function $\beta$, the similarity is computed from the probability with which each feature occurs; if the values of the feature vector of the malware family multi-feature model are all 0, the similarity is 0. The modifying factor $\omega_f$ is computed as the number of features in the vector F for which $f_i f_i^c = 1$, divided by the number of features whose value is 1 in the vector $F^c$;
The software permissions list similarity $S_p$ is computed as follows: given the permissions list P of the software under test, the permissions list $P^c = \{p_1^c, p_2^c, \ldots, p_n^c\}$ of the malware family multi-feature model to be matched and the corresponding labeling function $\gamma$, the modifying factor $\omega_p$ is computed as the number of permissions in the permission set P that belong to $P^c$, divided by the length of the set $P^c$; for each element $p_i^c$ of the permissions list $P^c$, the corresponding indicator value is 1 when $p_i^c$ is contained in the permissions list P of the software under test and 0 otherwise;
The sensitive behavior set similarity $S_{sbs}$ is computed as follows: given the sensitive behavior set SBS of the software, the sensitive behavior set $SBS^c$ of the malware family multi-feature model to be matched and the corresponding labeling function $\alpha$, the modifying factor $\omega_{sbs}$ is computed as the number of sets $S_i^c$ in $SBS^c$ for which a matching set exists in SBS, divided by the length of the set $SBS^c$; a matching set exists for $S_i^c$ when there is some set S in SBS such that the elements similar to those of $S_i^c$ account for a proportion of all elements of the two sets greater than $\theta$ ($0 < \theta \le 1$).
From the above it can be seen that the invention uses statistical analysis to extract the features of malware families and construct a malware family feature database, and proposes a multi-label malware detection method based on this feature database, which achieves good maliciousness judgement precision and malware family classification precision.
To enable those skilled in the art to better understand the technical problem, technical solution and technical effect of the invention, the invention is described in further detail below with reference to the drawings and specific embodiments.
Embodiment
A multi-feature detection method for Android mobile network terminal malware, in which the data set is made up of the Drebin data set and non-malicious software samples obtained from Google Play; malicious code detection and family classification specifically comprise the following steps:
Step 1: the samples in Drebin are split according to the malware family they belong to; non-malicious software is obtained from Google Play with a web crawler and verified with the VirusTotal online detection service, so as to build a sample data set comprising 4486 malware samples from 24 malware families and 2140 benign software samples;
Step 2: the software installation package to be analysed is decompressed with a Zip decompression tool and the installation package features of the software are extracted, including whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present and whether subprograms are present, so as to construct the installation package feature vector F. Whether a file is used for rooting the system is judged by comparing the MD5 values of known root exploit library files with the files in the software installation package; whether abnormal files are present is judged by analysing the file content with the Apache Tika tool to obtain the file type and comparing it with the file suffix; whether subprograms are present is judged by checking whether jar files, dex files or apk files are present in the program;
Step 3: the Android software sample is processed with APKParser, the AndroidManifest.xml file is parsed, and the permissions list P applied for by the software is extracted according to the tag fields in the XML;
Step 4: the installation package is decompiled with the Soot tool, the software function call graph is built, the security-sensitive methods in it are located and the software's sensitive behavior graph SBG is built; a data-flow analysis method is then used to obtain the contextual information of the security-sensitive methods, and the security-sensitive methods that are called directly or indirectly form the software's sensitive behavior set SBS;
The security-sensitive methods of concern include permission-protected methods, information-flow Source/Sink methods and other suspicious methods. Permission-protected methods are the APIs that can only be used in the Android system after the corresponding permission has been applied for; information-flow Source/Sink methods are methods that may produce or send sensitive information; other suspicious methods include dynamic loading functions, reflection functions, encryption and decryption functions, and functions that execute or call native code.
The sensitive behavior call graph built is the following four-tuple:

$SBG = (V_D, V_N, E, \mu)$

where $V_D$ is a subset of the node set of the software's sensitive behavior call graph, and any node $v_d \in V_D$ is a security-sensitive method; $V_N$ is a subset of the node set of the software's function call graph, and any node $v_n \in V_N$ is a non-security-sensitive method that directly or indirectly invokes a security-sensitive method; $E \subseteq V_N \times V_D$ is the set of edges of the sensitive behavior call graph and represents the call relations between methods. Any edge $e = (v_n, v_d) \in E$ indicates that the non-security-sensitive method $v_n \in V_N$ in the software directly or indirectly invokes the security-sensitive method $v_d \in V_D$, or that the method $v_n$ in component $C_s$ directly or indirectly triggers the method $v_d$ in component $C_t$ through ICC; the labeling function $\mu: V_D \to \langle ID, EntryType, Para \rangle$ marks the content contained in a vertex of the graph, including the method ID, the entry point type EntryType and the parameters Para.
The sensitive behavior set is the following set:

$SBS = \{S_1, S_2, \ldots, S_m\}$

where $S_i = \{v \mid (v_i, v) \in E \wedge v_i \in V_N \wedge v \in V_D\}$ is a set of security-sensitive methods, namely the set of all security-sensitive methods that the i-th non-security-sensitive method of the set $V_N$ directly or indirectly calls in the sensitive behavior call graph $SBG = (V_D, V_N, E, \mu)$; $m = |V_N|$ is the length of the set SBS;
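The construction of $V_N$, $E$ and SBS from a call graph in Step 4, as an added example that is not part of the patent or its implementation. It assumes a constructed call graph, a constructed list of security-sensitive methods and one ICC edge in place of the Soot output, and leaves out the labeling function μ; the reachability walk treats sensitive methods as leaves and terminates on cycles such as recursion.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed call graph (caller -> callees). The method names are stand-ins for
# the Soot-style signatures a real decompilation would produce; they are not
# taken from any real application. Helper.collect calls itself, which gives the
# traversal a cycle to cope with.
CALL_GRAPH: Dict[str, List[str]] = {
    "MainActivity.onCreate": ["Helper.collect", "Helper.upload", "Util.log"],
    "Helper.collect": ["TelephonyManager.getDeviceId", "Helper.collect"],
    "Helper.upload": ["Crypto.enc", "URL.openConnection"],
    "Crypto.enc": ["Cipher.doFinal"],
    "SmsReceiver.onReceive": ["Loader.load"],
    "Loader.load": ["DexClassLoader.loadClass", "Class.forName"],
    "Util.log": ["Log.d"],
}

# Constructed ICC edge: a method in component C_s triggers a method in
# component C_t (for example through a broadcast or startService).
ICC_EDGES: List[Tuple[str, str]] = [("MainActivity.onCreate", "SmsReceiver.onReceive")]

# Constructed list of security-sensitive methods, covering the three kinds the
# page names: permission-protected API, information-flow source/sink, and
# "other suspicious" (dynamic loading, reflection, encryption/decryption).
SENSITIVE: Dict[str, str] = {
    "TelephonyManager.getDeviceId": "permission-protected API",
    "URL.openConnection": "information-flow sink",
    "Cipher.doFinal": "encryption/decryption",
    "DexClassLoader.loadClass": "dynamic loading",
    "Class.forName": "reflection",
}


def reachable_sensitive(start: str, graph: Dict[str, List[str]],
                        icc: List[Tuple[str, str]],
                        sensitive: Dict[str, str]) -> FrozenSet[str]:
    """Security-sensitive methods reached from `start` by direct calls or ICC.

    Sensitive methods are framework APIs, so they are treated as leaves and the
    walk does not continue through them. The visited set ends cycles/recursion.
    """
    visited: Set[str] = set()
    found: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        if node in visited:
            continue
        visited.add(node)
        successors = list(graph.get(node, []))
        successors += [dst for src, dst in icc if src == node]
        for callee in successors:
            if callee in sensitive:
                found.add(callee)        # v_d called directly or indirectly
            elif callee not in visited:
                stack.append(callee)
    return frozenset(found)


def build_sbg(graph: Dict[str, List[str]], icc: List[Tuple[str, str]],
              sensitive: Dict[str, str]
              ) -> Tuple[FrozenSet[str], Dict[str, FrozenSet[str]], Set[Tuple[str, str]]]:
    """Return (V_D, V_N with its reached sets, E) of SBG = (V_D, V_N, E, mu).

    V_N keeps only the non-sensitive methods that reach at least one sensitive
    method, as the page defines it; E pairs every v_n with each v_d it reaches.
    """
    methods = set(graph) | {c for cs in graph.values() for c in cs}
    methods |= {m for edge in icc for m in edge}
    v_n: Dict[str, FrozenSet[str]] = {}
    for m in methods:
        if m in sensitive:
            continue
        reached = reachable_sensitive(m, graph, icc, sensitive)
        if reached:
            v_n[m] = reached
    v_d = frozenset(v for s in v_n.values() for v in s)
    edges = {(vn, vd) for vn, s in v_n.items() for vd in s}
    return v_d, v_n, edges


def build_sbs(graph: Dict[str, List[str]], icc: List[Tuple[str, str]],
              sensitive: Dict[str, str]) -> Dict[str, FrozenSet[str]]:
    """SBS = {S_1, ..., S_m}: S_i is the sensitive set of the i-th method of V_N, m = |V_N|."""
    _, v_n, _ = build_sbg(graph, icc, sensitive)
    return v_n


if __name__ == "__main__":
    v_d, v_n, edges = build_sbg(CALL_GRAPH, ICC_EDGES, SENSITIVE)
    print(f"|V_D| = {len(v_d)}, |V_N| = m = {len(v_n)}, |E| = {len(edges)}")
    for vn, s in sorted(v_n.items()):
        print(f"  {vn}: {sorted(s)}")
```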
Step 5: 75% of the samples of each of the 24 malware families (3341 samples) are selected as the samples for feature extraction, to build the malware family feature database. Statistical analysis is performed on the features of the software belonging to the same malware family among the malicious samples, the probability with which each feature component occurs is obtained, and the Android malware family multi-feature model M is constructed, so as to build the malware family feature database;
The Android malware family multi-feature model built is the following six-tuple:

$M = (SBS^c, \alpha, F^c, \beta, P^c, \gamma)$

where $SBS^c$ is the sensitive behavior set shared by the malware family, obtained by statistical analysis of the sensitive behavior sets SBS of the samples of the same malware family; the labeling function $\alpha$ marks the probability with which each sensitive method set in $SBS^c$ occurs in the samples of the malware family; $F^c$ is the shared software installation package feature vector that the samples of the malware family have, obtained by analysing and counting the installation package features F of the samples of the same malware family; the labeling function $\beta: f \in F^c \to [0, 1]$ marks the probability with which each feature in $F^c$ occurs in the samples of the malware family; $P^c$ is the list of permissions that the samples of the malware family frequently apply for, obtained by analysing and counting the permissions lists P of the samples of the same malware family; the labeling function $\gamma: p \in P^c \to [0, 1]$ marks the probability with which each permission in $P^c$ occurs in the samples of the malware family;
Step 6: the features of the software under test are extracted with the methods of steps 2 to 4 and matched against the malware family feature database, and the name of the malware family with the highest similarity is taken; if the similarity exceeds 0.7 the software is output as malware together with the malware family it belongs to, otherwise the software is output as benign;
The similarity between the software under test and a malware family is expressed as follows:
where $S_f$ is the similarity of the feature vectors, $S_p$ the similarity of the permissions lists, $S_{sbs}$ the similarity of the sensitive behavior sets, and $\mu_i$ the weight of each similarity in the calculation, the three weights taking the values used in the experiment.
The similarity of the software feature vectors is computed as follows: given the feature vector $F = \{f_1, f_2, f_3, \ldots, f_m\}$ of the software under test, the feature vector $F^c = \{f_1^c, f_2^c, f_3^c, \ldots, f_m^c\}$ of the malware family multi-feature model to be matched and the corresponding labeling function $\beta$, the similarity is given by the following formula:
The similarity is computed from the probability with which each feature occurs; if the values of the feature vector of the malware family multi-feature model are all 0, the similarity is 0. The modifying factor $\omega_f$ is computed as the number of features in the vector F for which $f_i f_i^c = 1$, divided by the number of features whose value is 1 in the vector $F^c$.
The similarity of the software permissions lists is computed as follows: given the permissions list P of the software under test, the permissions list $P^c = \{p_1^c, p_2^c, \ldots, p_n^c\}$ of the malware family multi-feature model to be matched and the corresponding labeling function $\gamma$, the similarity is given by the following formula:
The modifying factor $\omega_p$ is computed as the number of permissions in the permission set P that belong to $P^c$, divided by the length of the set $P^c$.
The similarity of the sensitive behavior sets is computed as follows: given the sensitive behavior set SBS of the software, the sensitive behavior set $SBS^c$ of the malware family multi-feature model to be matched and the corresponding labeling function $\alpha$, the similarity is given by the following formula:
To prevent a malware family with more features from covering a family with fewer features, the modifying factor $\omega_{sbs}$ is introduced. It is computed as the number of sets $S_i^c$ in $SBS^c$ for which a matching set exists in SBS, divided by the length of the set $SBS^c$; a matching set exists for $S_i^c$ when there is some set S in SBS such that the elements similar to those of $S_i^c$ account for more than 80% of all elements of the two sets.
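Steps 5 and 6 as an added example that is not the patent's own code. Because the similarity formulas themselves are not reproduced on this page, the block assumes one reading of their textual description (each term is the modifying factor ω times the probability mass of the matched members over the family's total mass, the three weights μ_i are equal, and the "similar elements" test is a Jaccard ratio), uses constructed family samples instead of Drebin data, and takes θ = 0.8 and the 0.7 verdict threshold from the embodiment.

```python
from collections import Counter
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Set, Tuple

THETA = 0.8        # page: similar-element ratio threshold theta of the embodiment
THRESHOLD = 0.7    # page: similarity threshold for the malware verdict
WEIGHTS = (1 / 3, 1 / 3, 1 / 3)   # ASSUMED: equal weights mu_i; the page omits its values

Sample = Tuple[Dict[str, int], Set[str], Set[FrozenSet[str]]]   # (F, P, SBS) of one app


class FamilyModel(NamedTuple):
    # M = (SBS^c, alpha, F^c, beta, P^c, gamma); each dict maps a member to its probability
    alpha: Dict[FrozenSet[str], float]   # SBS^c with alpha
    beta: Dict[str, float]               # F^c (features with value 1) with beta
    gamma: Dict[str, float]              # P^c with gamma


def build_family_model(samples: List[Sample]) -> FamilyModel:
    """Step 5: occurrence probability of every feature, permission and sensitive set."""
    n = len(samples)
    feat, perm, beh = Counter(), Counter(), Counter()
    for f_vec, perms, sbs in samples:
        feat.update(name for name, val in f_vec.items() if val == 1)
        perm.update(perms)
        beh.update(sbs)   # ASSUMED: sensitive sets are aggregated by exact identity
    return FamilyModel({s: c / n for s, c in beh.items()},
                       {f: c / n for f, c in feat.items()},
                       {p: c / n for p, c in perm.items()})


def _weighted_match(probs: Dict, matched: List) -> float:
    """ASSUMED reading of the missing formulas: omega = matched / family count,
    multiplied by the matched probability mass over the total probability mass."""
    if not probs:                 # family vector all zero -> similarity 0
        return 0.0
    omega = len(matched) / len(probs)
    return omega * sum(probs[m] for m in matched) / sum(probs.values())


def feature_similarity(f_vec: Dict[str, int], model: FamilyModel) -> float:
    """S_f with omega_f = #{i : f_i * f_i^c = 1} / #{i : f_i^c = 1}."""
    return _weighted_match(model.beta, [f for f in model.beta if f_vec.get(f, 0) == 1])


def permission_similarity(perms: Set[str], model: FamilyModel) -> float:
    """S_p with omega_p = |P and P^c| / |P^c|; indicator 1 when p_i^c is in P."""
    return _weighted_match(model.gamma, [p for p in model.gamma if p in perms])


def set_ratio(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Share of the two sets' elements that both contain (Jaccard ratio)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def behavior_similarity(sbs: Set[FrozenSet[str]], model: FamilyModel,
                        theta: float = THETA) -> float:
    """S_sbs: S_i^c is matched when some S in SBS shares more than theta of the elements."""
    matched = [s_c for s_c in model.alpha if any(set_ratio(s_c, s) > theta for s in sbs)]
    return _weighted_match(model.alpha, matched)


def classify(sample: Sample, families: Dict[str, FamilyModel], threshold: float = THRESHOLD,
             weights: Tuple[float, float, float] = WEIGHTS) -> Tuple[str, Optional[str], float]:
    """Step 6: best-matching family; malware only if its similarity exceeds the threshold."""
    f_vec, perms, sbs = sample
    best_name, best_sim = None, 0.0
    for name, model in families.items():
        sim = (weights[0] * feature_similarity(f_vec, model)
               + weights[1] * permission_similarity(perms, model)
               + weights[2] * behavior_similarity(sbs, model))
        if sim > best_sim:
            best_name, best_sim = name, sim
    if best_sim > threshold:
        return "malware", best_name, best_sim
    return "benign", None, best_sim


# Constructed training samples for one made-up family (not Drebin data).
SMS_SET = frozenset({"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"})
LOAD_SET = frozenset({"DexClassLoader.loadClass"})
FAMILY_SAMPLES: List[Sample] = [
    ({"has_so": 1, "has_root_file": 1, "has_abnormal_file": 0, "has_subprogram": 0},
     {"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}, {SMS_SET, LOAD_SET}),
    ({"has_so": 1, "has_root_file": 1, "has_abnormal_file": 0, "has_subprogram": 1},
     {"SEND_SMS", "READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED"}, {SMS_SET}),
    ({"has_so": 1, "has_root_file": 0, "has_abnormal_file": 0, "has_subprogram": 0},
     {"SEND_SMS", "INTERNET"}, {SMS_SET, LOAD_SET}),
    ({"has_so": 1, "has_root_file": 1, "has_abnormal_file": 0, "has_subprogram": 1},
     {"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}, {SMS_SET, LOAD_SET}),
]
FAMILIES = {"ConstructedFamily": build_family_model(FAMILY_SAMPLES)}

# Constructed software under test: one resembling the family, one that does not.
SUSPECT: Sample = ({"has_so": 1, "has_root_file": 1, "has_abnormal_file": 0, "has_subprogram": 0},
                   {"SEND_SMS", "READ_PHONE_STATE", "INTERNET", "ACCESS_FINE_LOCATION"},
                   {SMS_SET, LOAD_SET})
BENIGN: Sample = ({"has_so": 0, "has_root_file": 0, "has_abnormal_file": 0, "has_subprogram": 0},
                  {"INTERNET", "ACCESS_NETWORK_STATE"}, {frozenset({"URL.openConnection"})})

if __name__ == "__main__":
    for label, s in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, classify(s, FAMILIES))
```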
The method above was tested on the remaining 25% of the malware samples (1145 samples) and the 2140 benign software samples; the results of the software maliciousness judgement and malware family classification are compared in Fig. 2 with the detection results of 8 common anti-virus engines in VirusTotal.
From the above it can be seen that the invention selects software package features, permission features and software sensitive-behavior call features as the basis for judging malware, which improves the accuracy of malicious-behavior detection while providing the ability to classify malware families.
Claims (6)
1. a kind of mobile network's terminal Malware multiple features detection method towards Android, which is characterized in that including following
Step:
Step 1 obtains Android malware sample, and marks the Android malware family belonging to each sample, then
Non-malicious software sample is obtained, to build malice and non-malicious software sample data set;
Step 2, the installation kit feature for extracting software, including:With the presence or absence of .so files, with the presence or absence of the text for root systems
Part whether there is abnormal document and whether there is subprogram, to construct installation kit feature vector F;
Step 3 handles Android software sample using decompiling instrument, parses AndroidManifest.xml files, according to
Tag field in xml extracts the permissions list P of software application;
Step 4, decompiling installation kit build software function calling figure, position security sensitive method therein, build the quick of software
Feel behavior figure SBG, dataflow analysis method is then used to obtain the contextual information of security sensitive method, it will be direct or indirect
The security sensitive method of calling constitutes the sensitive behavior collection SBS of software;
It is step 5, for statistical analysis to belonging to the software features of same Malware family in malice sample, obtain each feature point
Measure the probability occurred, structure Android malware family multiple features model M, to build Malware family feature database;
Step 6, the feature that software under testing is extracted using the method for step 2~4, by the feature of software under testing and Malware family
Feature database carries out characteristic matching, is similarly spent highest Malware household name, defeated if similarity is more than threshold value
It is Malware to go out the software, and exports the Malware family belonging to it, and it is benign software otherwise to export the software.
2. mobile network's terminal Malware multiple features detection method according to claim 1 towards Android, special
Sign is, the unmatched file of type that the abnormal document in step 2 refers to the suffix of file and file content itself is specified;Judge
File whether there is .so files, and judge whether library file is root exploit files by MD5 values;Judge jar file,
Dex files and apk files whether there is subprogram.
3. mobile network's terminal Malware multiple features detection method according to claim 1 towards Android, special
Sign is that the security sensitive method in step 4 includes:The method of protection of usage right, information flow Source/Sink methods and other can
The method of doubting;Protection of usage right method refers to the API, information flow Source/Sink for needing to apply for that permission could use in android system
The method that method refers to there may be or sends sensitive information, other suspicious methods include dynamic load function, reflective function plus solution
Close function, Native codes execute and call function.
4. The Android-oriented mobile network terminal malware multi-feature detection method according to claim 1, characterized in that the software function call graph (the sensitive-behaviour call graph) built in step 4 is the four-tuple

$$SBG = (V_D, V_N, E, \mu)$$

where $V_D$ is a subset of the node set of the software sensitive-behaviour call graph, every node $v_d \in V_D$ being one of the security-sensitive methods; $V_N$ is a subset of the node set whose nodes $v_n \in V_N$ are non-security-sensitive methods that directly or indirectly invoke a security-sensitive method; $E \subseteq V_N \times V_D$ is the edge set of the graph and expresses the call relation between methods: an edge $e = (v_n, v_d) \in E$ means that the non-sensitive method $v_n \in V_N$ directly or indirectly invokes the security-sensitive method $v_d \in V_D$, or that method $v_n$ in component $C_s$ directly or indirectly triggers method $v_d$ in component $C_t$ through ICC; the labelling function $\mu : V_D \to \langle ID, EntryType, Para \rangle$ marks the content of a node, i.e. the contextual information of the method: its method ID, its entry-point type $EntryType$ and its parameters $Para$.

The sensitive-behaviour set is

$$SBS = \{S_1, \ldots, S_i, \ldots, S_m\}$$

where $S_i = \{\, v \mid (v_i, v) \in E \wedge v_i \in V_N \wedge v \in V_D \,\}$ is a security-sensitive method set: in the sensitive-behaviour call graph $SBG = (V_D, V_N, E, \mu)$, the set of all security-sensitive methods directly or indirectly invoked by the $i$-th non-sensitive method of $V_N$; $m = |V_N|$ is the length of $SBS$.
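The construction of claims 3 and 4, as an added Python example that is not part of the patent or of any implementation of it. The sensitive-method list (one entry per class of claim 3), the toy call graph, the entry-point types and the Dalvik-style signatures are constructed for illustration, and what `mu` records for ID, EntryType and Para is an assumption. The example builds the four-tuple SBG by walking each non-sensitive method's transitive callees down to the sensitive methods it reaches, treats an ICC trigger as an ordinary edge, and derives SBS from the edge set.

```python
from collections import deque

# Security-sensitive methods, one entry per class named in claim 3
# (constructed list; the Dalvik-style signatures are illustrative).
SENSITIVE_METHODS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId()": "permission-protected",
    "Landroid/telephony/SmsManager;->sendTextMessage(...)": "permission-protected",
    "Landroid/location/LocationManager;->getLastKnownLocation(...)": "source",
    "Ljava/net/HttpURLConnection;->getOutputStream()": "sink",
    "Ldalvik/system/DexClassLoader;-><init>(...)": "dynamic loading",
    "Ljava/lang/reflect/Method;->invoke(...)": "reflection",
    "Ljavax/crypto/Cipher;->doFinal(...)": "encryption/decryption",
    "Ljava/lang/System;->loadLibrary(...)": "native code",
}

# Constructed method-level call graph of a toy app: caller -> callees.
# MainActivity.onCreate -> SyncService.onStartCommand stands for an ICC
# trigger (startService), which the model treats like a call edge.
CALL_GRAPH = {
    "LMainActivity;->onCreate": {"LMainActivity;->initUi", "LSyncService;->onStartCommand"},
    "LMainActivity;->initUi": {"Landroid/widget/TextView;->setText(...)"},
    "LSyncService;->onStartCommand": {"LSyncService;->collect", "LSyncService;->upload"},
    "LSyncService;->collect": {"Landroid/telephony/TelephonyManager;->getDeviceId()",
                               "Landroid/location/LocationManager;->getLastKnownLocation(...)"},
    "LSyncService;->upload": {"Ljavax/crypto/Cipher;->doFinal(...)",
                              "Ljava/net/HttpURLConnection;->getOutputStream()"},
    "LBootReceiver;->onReceive": {"LLoader;->load"},
    "LLoader;->load": {"Ldalvik/system/DexClassLoader;-><init>(...)",
                       "Ljava/lang/reflect/Method;->invoke(...)"},
}

# Entry-point type of each component lifecycle method (constructed).
ENTRY_TYPES = {
    "LMainActivity;->onCreate": "Activity",
    "LSyncService;->onStartCommand": "Service",
    "LBootReceiver;->onReceive": "BroadcastReceiver",
}


def reachable_sensitive(method, call_graph, sensitive):
    """Security-sensitive methods reachable from `method`, directly or transitively."""
    seen, hit, queue = {method}, set(), deque([method])
    while queue:
        for callee in call_graph.get(queue.popleft(), ()):
            if callee in sensitive:
                hit.add(callee)           # v_d: sensitive leaf, recorded as an edge target
            elif callee not in seen:
                seen.add(callee)
                queue.append(callee)      # keep walking through non-sensitive code
    return hit


def build_sbg(call_graph, sensitive, entry_types):
    """Return (V_D, V_N, E, mu) of the sensitive-behaviour call graph (claim 4)."""
    V_N, E = set(), set()
    for caller in call_graph:
        if caller in sensitive:
            continue
        for v_d in reachable_sensitive(caller, call_graph, sensitive):
            V_N.add(caller)               # non-sensitive method that reaches a sensitive one
            E.add((caller, v_d))          # (v_n, v_d): direct or indirect invocation
    V_D = {v_d for _, v_d in E}
    # mu: V_D -> <ID, EntryType, Para>.  Here ID is the method name, EntryType the
    # entry-point types from which the node is reachable, and Para the parameter
    # part of the signature (an assumption about what the label holds).
    mu = {}
    for v_d in V_D:
        entries = sorted({entry_types[v_n] for v_n, x in E if x == v_d and v_n in entry_types})
        mu[v_d] = (v_d.split("->")[1].split("(")[0], tuple(entries), v_d[v_d.find("("):])
    return V_D, V_N, E, mu


def sensitive_behaviour_set(V_N, E):
    """SBS = {S_1, ..., S_m}: for each v_n in V_N the sensitive methods it reaches; m = |V_N|."""
    return {v_n: frozenset(v_d for a, v_d in E if a == v_n) for v_n in V_N}


if __name__ == "__main__":
    V_D, V_N, E, mu = build_sbg(CALL_GRAPH, SENSITIVE_METHODS, ENTRY_TYPES)
    for v_n, S in sorted(sensitive_behaviour_set(V_N, E).items()):
        print(v_n, "->", sorted(mu[v][0] for v in S))
```

Note that `MainActivity.initUi` never reaches a sensitive method and so is not in $V_N$, while `BootReceiver.onReceive` lands in $V_N$ only because of the loader it triggers; the entry-point type recorded in `mu` is what lets a later stage tell a sensitive call made on a user action from one made from a boot broadcast.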
5. The Android-oriented mobile network terminal malware multi-feature detection method according to claim 1, characterized in that the Android malware family multi-feature model built in step 5 is the six-tuple

$$M = (SBS^c, \alpha, F^c, \beta, P^c, \gamma)$$

where $SBS^c$ is the sensitive-behaviour set shared by the malware family, obtained by statistically analysing the sensitive-behaviour sets $SBS$ of samples of the same malware family; the labelling function $\alpha$ marks, for each sensitive method set in $SBS^c$, the probability with which it occurs in the family's samples; $F^c$ is the set of shared installation-package features of the family, counted by analysing the installation-package feature vectors $F$ of samples of the same family; the labelling function $\beta : f \in F^c \to [0,1]$ marks the probability with which each feature in $F^c$ occurs in the family's samples; $P^c$ is the list of permissions frequently requested by the family, counted by analysing the permission lists $P$ of samples of the same family; the labelling function $\gamma : p \in P^c \to [0,1]$ marks the probability with which each permission in $P^c$ occurs in the family's samples.
6. The Android-oriented mobile network terminal malware multi-feature detection method according to claim 1, characterized in that in step 6 the similarity between the software under test and a malware family is expressed in terms of $S_f$, the similarity of the software feature vectors, $S_p$, the similarity of the permission lists, and $S_{sbs}$, the similarity of the sensitive-behaviour sets, each weighted by $\mu_i$, the weight given to that similarity in the computation.

The software feature vector similarity $S_f$ is computed as follows. Given the feature vector $F = \{f_1, f_2, f_3, \ldots, f_m\}$ of the software under test, the feature vector $F^c$ of the malware family multi-feature model to be matched and its labelling function $\beta$, the similarity is computed from the probability with which each feature occurs; if a feature's value in the family model's feature vector is 0, its similarity is 0. The modifying factor $\omega_f$ is the number of features of $F$ that satisfy the matching condition, divided by the number of features of $F^c$ whose value is 1.

The permission-list similarity $S_p$ is computed as follows. Given the permission list $P$ of the software under test, the permission list $P^c = \{p_1^c, p_2^c, \ldots, p_n^c\}$ of the malware family multi-feature model to be matched and its labelling function $\gamma$, the modifying factor $\omega_p$ is the number of permissions of $P$ that belong to $P^c$, divided by the length of $P^c$; the indicator of an element $p_i^c$ of $P^c$ takes the value 1 when $p_i^c$ is contained in the permission list $P$ of the software under test, and 0 otherwise.

The sensitive-behaviour set similarity $S_{sbs}$ is computed as follows. Given the sensitive-behaviour set $SBS$ of the software, the sensitive-behaviour set $SBS^c$ of the malware family multi-feature model to be matched and its labelling function $\alpha$, the modifying factor $\omega_{sbs}$ is the number of sets of $SBS$ that satisfy the matching condition, divided by the length of $SBS^c$, where the matching function indicates that there exists a set $S$ in $SBS$ whose elements shared with the corresponding set of $SBS^c$ account for a proportion greater than $\theta$ ($0 < \theta \le 1$) of all elements of the two sets.
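The family model of claim 5 and the modifying factors of claim 6, as an added Python example that is not the patent's code. The family samples, feature names and short method names are constructed. Several points are assumptions because the corresponding formulas do not survive on this page: `min_support` as the criterion for an element to enter the family model, "set to 1 in both vectors" as the condition behind $\omega_f$, Jaccard overlap as the $\theta$-thresholded ratio of shared elements, and "modifying factor times probability-weighted overlap" as the form of $S_f$, $S_p$ and $S_{sbs}$ together with their weighted combination. Only $\omega_p$, the permission indicator and the existence test behind $\omega_{sbs}$ follow the page's definitions directly.

```python
from collections import Counter

# Feature order of the installation-package feature vector F (constructed names).
FEATURE_NAMES = ["native_lib", "dex_in_assets", "random_pkg_name", "debug_cert", "embedded_apk"]

# Constructed samples of one malware family: feature vector F, permission list P
# and sensitive-behaviour set SBS (sets of short method names).
A1 = frozenset({"getDeviceId", "sendTextMessage"})
B1 = frozenset({"DexClassLoader.<init>", "Method.invoke"})
FAMILY_SAMPLES = [
    {"F": [1, 1, 0, 1, 0], "P": {"INTERNET", "READ_PHONE_STATE", "SEND_SMS"}, "SBS": [A1, B1]},
    {"F": [1, 1, 0, 0, 0], "P": {"INTERNET", "READ_PHONE_STATE", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"},
     "SBS": [A1 | {"getLine1Number"}, B1]},
    {"F": [1, 0, 0, 1, 1], "P": {"INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
     "SBS": [frozenset({"getDeviceId", "getOutputStream"}), B1 | {"loadLibrary"}]},
    {"F": [1, 1, 0, 1, 0], "P": {"INTERNET", "READ_PHONE_STATE", "SEND_SMS"}, "SBS": [A1, B1]},
]


def build_family_model(samples, min_support=0.5):
    """Family model (SBS^c, alpha, F^c, beta, P^c, gamma) of claim 5.

    alpha, beta and gamma are the fraction of family samples containing the
    element.  The page does not say which elements count as shared or
    frequently requested; here an element enters the model when at least
    `min_support` of the samples contain it (assumption)."""
    n = len(samples)
    beta = [sum(s["F"][i] for s in samples) / n for i in range(len(FEATURE_NAMES))]
    p_freq = Counter(p for s in samples for p in s["P"])
    sbs_freq = Counter(S for s in samples for S in set(s["SBS"]))
    gamma = {p: c / n for p, c in p_freq.items() if c / n >= min_support}
    alpha = {S: c / n for S, c in sbs_freq.items() if c / n >= min_support}
    return {"SBS_c": set(alpha), "alpha": alpha,
            "F_c": [1 if b >= min_support else 0 for b in beta], "beta": beta,
            "P_c": set(gamma), "gamma": gamma}


def omega_f(F, F_c):
    """Features set to 1 in both F and F^c, over features set to 1 in F^c.
    (The condition on F is not legible on the page; 'set in both' is the assumed reading.)"""
    return sum(f & fc for f, fc in zip(F, F_c)) / sum(F_c)


def omega_p(P, P_c):
    """Permissions of P that belong to P^c, over the length of P^c (as on the page)."""
    return len(P & P_c) / len(P_c)


def matched(S_c, SBS, theta):
    """The page's indicator: some S in SBS shares more than theta of the two sets'
    elements with S_c; the ratio is read here as Jaccard overlap."""
    return any(len(S & S_c) / len(S | S_c) > theta for S in SBS)


def omega_sbs(SBS, SBS_c, theta):
    """Sets of SBS^c that have a match in SBS, over the length of SBS^c."""
    return sum(matched(S_c, SBS, theta) for S_c in SBS_c) / len(SBS_c)


def similarity(F, P, SBS, model, mu=(1 / 3, 1 / 3, 1 / 3), theta=0.5):
    """S_f, S_p and S_sbs as 'modifying factor x probability-weighted overlap',
    combined with the weights mu_i.  The page's own formulas for these terms do
    not survive in this extraction, so this form is an assumption; a feature whose
    value in F^c is 0 contributes 0, as the page states."""
    F_c, beta, gamma, alpha = model["F_c"], model["beta"], model["gamma"], model["alpha"]
    S_f = omega_f(F, F_c) * sum(b for f, fc, b in zip(F, F_c, beta) if f and fc) \
        / sum(b for fc, b in zip(F_c, beta) if fc)
    S_p = omega_p(P, model["P_c"]) * sum(g for p, g in gamma.items() if p in P) / sum(gamma.values())
    S_sbs = omega_sbs(SBS, model["SBS_c"], theta) \
        * sum(a for S_c, a in alpha.items() if matched(S_c, SBS, theta)) / sum(alpha.values())
    S = mu[0] * S_f + mu[1] * S_p + mu[2] * S_sbs
    return {"S": S, "S_f": S_f, "S_p": S_p, "S_sbs": S_sbs}


if __name__ == "__main__":
    model = build_family_model(FAMILY_SAMPLES)
    unknown = similarity([1, 1, 0, 1, 0], {"INTERNET", "READ_PHONE_STATE", "SEND_SMS"}, [A1, B1], model)
    print(unknown)
```

In a real pipeline $F$ and $P$ come from the APK structure and manifest and $SBS$ from the sensitive-behaviour call graph; $\theta$ is what makes the behaviour match tolerate a variant that adds or drops one sensitive call, whereas exact set equality would miss it, and the $\omega$ factors keep a sample that shares only one or two high-probability elements from scoring as a family member.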
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810109044.6A CN108280350B (en) | 2018-02-05 | 2018-02-05 | Android-oriented mobile network terminal malicious software multi-feature detection method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810109044.6A CN108280350B (en) | 2018-02-05 | 2018-02-05 | Android-oriented mobile network terminal malicious software multi-feature detection method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108280350A (en) | 2018-07-13 |
CN108280350B (en) | 2021-09-28 |
Family
ID=62807459
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810109044.6A (Active) CN108280350B (en) | 2018-02-05 | 2018-02-05 | Android-oriented mobile network terminal malicious software multi-feature detection method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108280350B (en) |
Timeline: 2018-02-05, application CN201810109044.6A filed in CN; granted as CN108280350B, legal status Active.
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140181973A1 (en) * | 2012-12-26 | 2014-06-26 | National Taiwan University Of Science And Technology | Method and system for detecting malicious application |
CN103440459A (en) * | 2013-09-25 | 2013-12-11 | 西安交通大学 | Function-call-based Android malicious code detection method |
CN104794051A (en) * | 2014-01-21 | 2015-07-22 | 中国科学院声学研究所 | Automatic Android platform malicious software detecting method |
CN105447388A (en) * | 2015-12-17 | 2016-03-30 | 福建六壬网安股份有限公司 | Android malicious code detection system and method based on weight |
CN107180192A (en) * | 2017-05-09 | 2017-09-19 | 北京理工大学 | Android malicious application detection method and system based on multi-feature fusion |
CN107169351A (en) * | 2017-05-11 | 2017-09-15 | 北京理工大学 | With reference to the Android unknown malware detection methods of dynamic behaviour feature |
CN107392021A (en) * | 2017-07-20 | 2017-11-24 | 中南大学 | A kind of Android malicious application detection methods based on multiclass feature |
Non-Patent Citations (4)
Title |
---|
"AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context", 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Florence * |
Steven Arzt et al.: "FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps", ACM SIGPLAN Notices * |
Wang Jun et al.: "A multi-label detection method for Android malware" (一种Android恶意软件多标签检测方法), Journal of Chinese Computer Systems (小型微型计算机系统) * |
Miao Xiaochuan: "Security analysis method for Android applications based on sensitive path identification" (基于敏感路径识别的安卓应用安全性分析方法), China Master's Theses Full-text Database, Information Science and Technology series (中国优秀硕士学位论文全文数据库 信息科技辑) * |
Cited By (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109167753A (en) * | 2018-07-23 | 2019-01-08 | 中国科学院计算机网络信息中心 | A kind of detection method and device of network intrusions flow |
CN110414234A (en) * | 2019-06-28 | 2019-11-05 | 奇安信科技集团股份有限公司 | The recognition methods of malicious code family and device |
CN110457009B (en) * | 2019-07-06 | 2023-04-14 | 天津大学 | Method for realizing software security requirement recommendation model based on data analysis |
CN110457009A (en) * | 2019-07-06 | 2019-11-15 | 天津大学 | The implementation method of software security demand recommended models based on data analysis |
CN110392056A (en) * | 2019-07-24 | 2019-10-29 | 成都积微物联集团股份有限公司 | A kind of the Internet of Things malware detection system and method for lightweight |
CN110516446A (en) * | 2019-08-26 | 2019-11-29 | 南京信息职业技术学院 | A kind of Malware family ownership determination method, system and storage medium |
CN110795732A (en) * | 2019-10-10 | 2020-02-14 | 南京航空航天大学 | SVM-based dynamic and static combination detection method for malicious codes of Android mobile network terminal |
US20230004645A1 (en) * | 2019-11-28 | 2023-01-05 | Nippon Telegraph And Telephone Corporation | Labeling device and labeling program |
CN111368297A (en) * | 2020-02-02 | 2020-07-03 | 西安电子科技大学 | Privacy protection mobile malicious software detection method, system, storage medium and application |
CN111368297B (en) * | 2020-02-02 | 2023-02-28 | 西安电子科技大学 | Privacy protection mobile malicious software detection method, system, storage medium and application |
CN111460448A (en) * | 2020-03-09 | 2020-07-28 | 北京邮电大学 | Malicious software family detection method and device |
CN113378163A (en) * | 2020-03-10 | 2021-09-10 | 四川大学 | Android malicious software family classification method based on DEX file partition characteristics |
CN113591079B (en) * | 2020-04-30 | 2023-08-15 | 中移互联网有限公司 | Method and device for acquiring abnormal application installation package and electronic equipment |
CN113591079A (en) * | 2020-04-30 | 2021-11-02 | 中移互联网有限公司 | Method and device for acquiring abnormal application installation package and electronic equipment |
CN112287345A (en) * | 2020-10-29 | 2021-01-29 | 中南大学 | Credible edge computing system based on intelligent risk detection |
CN112287345B (en) * | 2020-10-29 | 2024-04-16 | 中南大学 | Trusted edge computing system based on intelligent risk detection |
CN112632539B (en) * | 2020-12-28 | 2024-04-09 | 西北工业大学 | Dynamic and static hybrid feature extraction method in Android system malicious software detection |
CN112632539A (en) * | 2020-12-28 | 2021-04-09 | 西北工业大学 | Dynamic and static mixed feature extraction method in Android system malicious software detection |
US20220207141A1 (en) * | 2020-12-31 | 2022-06-30 | Estsecurity Corp. | Apparatus for generating a signature that reflects the similarity of a malware detection and classification system based on deep neural networks, method therefor, and computer-readable recording medium recorded with a program for performing the method |
CN112887328A (en) * | 2021-02-24 | 2021-06-01 | 深信服科技股份有限公司 | Sample detection method, device, equipment and computer readable storage medium |
CN113468532B (en) * | 2021-07-20 | 2022-09-23 | 国网湖南省电力有限公司 | Malicious software family inference method and system |
CN113468532A (en) * | 2021-07-20 | 2021-10-01 | 国网湖南省电力有限公司 | Malicious software family inference method and system |
Also Published As
Publication number | Publication date |
---|---|
CN108280350B (en) | 2021-09-28 |
Similar Documents
Publication | Title | |
---|---|---|
CN108280350A (en) | Android-oriented mobile network terminal malware multi-feature detection method | |
Salehi et al. | MAAR: Robust features to detect malicious activity based on API calls, their arguments and return values | |
Chowdhury et al. | Malware analysis and detection using data mining and machine learning classification | |
CN109271788B (en) | Android malicious software detection method based on deep learning | |
Narouei et al. | DLLMiner: structural mining for malware detection | |
CN107408176A (en) | The execution of malicious objects dissects detection | |
KR20110108491A (en) | System for detecting malicious script and method for detecting malicious script using the same | |
CN110795732A (en) | SVM-based dynamic and static combination detection method for malicious codes of Android mobile network terminal | |
Lee et al. | Screening smartphone applications using malware family signatures | |
CN106599688A (en) | Application category-based Android malicious software detection method | |
Sun et al. | Malware detection on Android smartphones using keywords vector and SVM | |
Ravi et al. | Android malware detection with classification based on hybrid analysis and N-gram feature extraction | |
Thakur et al. | Android anti-malware techniques and its vulnerabilities: A survey | |
Alharbi et al. | A Systematic Review of Android Malware Detection Techniques. | |
Muhammad et al. | A systematic evaluation of android anti-malware tools for detection of contemporary malware | |
CN113343219B (en) | Automatic and efficient high-risk mobile application program detection method | |
Bashari Rad et al. | Morphed virus family classification based on opcodes statistical feature using decision tree | |
Ahmad et al. | Android mobile malware classification using a tokenization approach | |
Jalilian et al. | Static signature-based malware detection using opcode and binary information | |
Guo et al. | Classification of malware variant based on ensemble learning | |
Kumari et al. | Malware and piracy detection in android applications | |
Fujita | Anti-obfuscation techniques: Recent analysis of malware detection | |
Zhao et al. | HFA-MD: An efficient hybrid features analysis based Android Malware Detection Method | |
Wang et al. | Deep Learning-Based Multi-Classification for Malware Detection in IoT | |
Bhakta et al. | Android Malware Detection Against String Encryption Based Obfuscation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |