CN108280350A - Android-oriented multi-feature malware detection method for mobile network terminals - Google Patents

Android-oriented multi-feature malware detection method for mobile network terminals

Info

Publication number
CN108280350A
Authority
CN
China
Prior art keywords
software
malware
feature
family
sample
Prior art date
Legal status
Granted
Application number
CN201810109044.6A
Other languages
Chinese (zh)
Other versions
CN108280350B (en)
Inventor
庄毅
王军
顾晶晶
蒋理
杨帆
孙炳林
Current Assignee
Nanjing University of Aeronautics and Astronautics
Original Assignee
Nanjing University of Aeronautics and Astronautics
Application filed by Nanjing University of Aeronautics and Astronautics
Priority to CN201810109044.6A
Publication of CN108280350A
Application granted
Publication of CN108280350B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly

Abstract

The invention discloses an Android-oriented multi-feature malware detection method for mobile network terminals, comprising the following steps: Step 1, obtain an Android software data set that includes malicious and non-malicious samples; Step 2, analyze the installation package of the malware, extract its installation package features and construct an installation package feature vector; Step 3, obtain the permissions requested by the software and build a permission list; Step 4, decompile the malware installation package, build the software's sensitive behavior graph and extract its sensitive behavior set; Step 5, statistically analyze the features of the malware samples that belong to the same malware family and build a malware family feature database; Step 6, extract the features of the software under test and perform the malicious-ness judgment and malware family classification. The invention selects installation package features, permission features and sensitive behavior call features as the basis for judging malware, which improves the accuracy of malicious behavior detection while also providing malware family classification.

Description

Android-oriented multi-feature malware detection method for mobile network terminals
Technical field
The invention belongs to the fields of mobile software analysis and information security, and specifically relates to an Android-oriented multi-feature malware detection method for mobile network terminals.
Background art
Multi-label detection of Android malicious code is a challenging problem in both academia and industry: besides judging whether software is malicious, a detector should also report the family it belongs to. Smartphone applications now reach into every aspect of daily life, and Android holds a large share of the smartphone market, so accurately detecting Android malicious code is of great significance and value for protecting the privacy and property of Android users.
Existing Android malware detection techniques fall broadly into two classes: detection based on static analysis and detection based on dynamic analysis. Dynamic analysis methods simulate the execution of the software and can bypass the code obfuscation and encryption that static methods run into; however, the code coverage of dynamic testing is low, and some malicious programs can detect that they are running under an emulator and refrain from running. Static analysis methods mainly rely on decompilation techniques, or on control-flow and data-flow analysis performed on smali intermediate code; they can analyze software automatically, have high detection efficiency and high code coverage, and are suitable for analyzing large numbers of software samples. Their disadvantage is that static methods have difficulty handling code obfuscation, encryption, and malicious code that is only decoded during execution. To cope with this problem, some researchers have taken encryption, dynamic code loading and dynamic loading of native code into account in malware detection, for example RiskRanker and DroidRanger.
Many scholars have carried out related research on multi-label detection of Android malware. Daniel Arp et al. proposed a static-analysis-based multi-label detection method for Android malicious code that extracts a large number of static features from the software installation package and classifies them with a support vector machine, achieving efficient detection. Yu Feng et al. proposed a feature description language for describing Android malware families and classified software under test with a feature-matching algorithm, realizing semantics-based Android malware detection. Chao Yang et al. described the logical behavior of software with a two-level behavior graph representation that combines static taint analysis with inter-component behavior graphs; they judge whether software is malicious by analyzing malicious behavior patterns and also classify it into malware families.
However, most existing research on multi-label detection of Android malware analyzes all malware samples together, extracts the features that malware as a whole possesses, and uses these as the basis for judging whether software under test is malicious. Yet malware belonging to different families exhibits different malicious behaviors, and the features it shows when behaving maliciously also differ considerably, while malware of the same family exhibits similar malicious behavior. Existing malware detection tools have weak multi-label detection ability: when the malicious samples in the Genome data set are scanned with tools such as McAfee, more than 90% of them are labeled Trojan or Downloader, although they actually belong to many different malware families (such as DroidDream). Therefore speed and accuracy still need to be improved, and efficient multi-label malware detection methods need to be studied.
Summary of the invention
The purpose of the present invention is to provide an Android-oriented multi-feature malware detection method for mobile network terminals that effectively extracts the features of Android malware, improves the precision of Android malware detection, and is able to classify Android malware into families.
The technical solution of the invention is an Android-oriented multi-feature malware detection method for mobile network terminals, which specifically includes the following steps:
Step 1: obtain Android malware samples and label the Android malware family to which each sample belongs, then obtain non-malicious software samples, so as to build a data set of malicious and non-malicious software samples;
Step 2: extract the installation package features of the software, namely whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present, and whether sub-programs are present, so as to construct the installation package feature vector F;
Step 3: process the Android software sample with a decompilation tool, parse the AndroidManifest.xml file, and extract the permission list P requested by the software according to the tag fields in the XML;
Step 4: decompile the installation package, build the software's function call graph, locate the security-sensitive methods in it, and build the software's sensitive behavior graph SBG; then use data-flow analysis to obtain the context information of the security-sensitive methods, and form the software's sensitive behavior set SBS from the security-sensitive methods that are directly or indirectly called;
Step 5: statistically analyze the features of the malware samples belonging to the same malware family, obtain the probability with which each feature component occurs, and build the Android malware family multi-feature model M, so as to build the malware family feature database;
Step 6: extract the features of the software under test with the methods of steps 2 to 4, match them against the malware family feature database, and obtain the name of the malware family with the highest similarity; if the similarity exceeds the threshold, report the software as malware and output the malware family it belongs to, otherwise report the software as benign.
Compared with the prior art, the notable advantages of the invention are: 1) it proposes an Android-oriented multi-feature malware detection method for mobile network terminals that is based on static analysis and analyzes software of different malware families from three aspects, namely installation package features, application permission features and sensitive behavior call features; 2) it uses statistical analysis to extract the features of each malware family and construct a malware family feature database, and on the basis of that database proposes a multi-label malware detection method that achieves good precision in both malicious-ness judgment and malware family classification.
The invention is further described below in conjunction with the accompanying drawings.
Description of the drawings
Fig. 1 is a flow chart of the Android-oriented multi-feature malware detection method for mobile network terminals of the present invention.
Fig. 2 compares the malware detection precision and malware family classification precision of the present invention with those of some of the engines in VirusTotal.
Detailed description of the embodiments
With reference to the drawings, the Android-oriented multi-feature malware detection method for mobile network terminals of the invention includes the following steps:
Step 1: obtain Android malware samples and label the Android malware family to which each sample belongs, then obtain non-malicious software samples, so as to build a data set of malicious and non-malicious software samples;
Step 2: extract the installation package features of the software, namely whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present, and whether sub-programs are present, so as to construct the installation package feature vector F;
An abnormal file is a file whose suffix does not match the type indicated by the file content itself. Whether .so files are present is checked, and whether a library file is a root exploit file is judged by its MD5 value; jar, dex and apk files are checked to determine whether sub-programs are present.
Step 3: process the Android software sample with a decompilation tool, parse the AndroidManifest.xml file, and extract the permission list P requested by the software according to the tag fields in the XML;
Step 4: decompile the installation package, build the software's function call graph, locate the security-sensitive methods in it, and build the software's sensitive behavior graph SBG; then use data-flow analysis to obtain the context information of the security-sensitive methods, and form the software's sensitive behavior set SBS from the security-sensitive methods that are directly or indirectly called;
The security-sensitive methods include permission-protected methods, information-flow source/sink methods and other suspicious methods. Permission-protected methods are APIs of the Android system that can only be used after a permission has been requested; information-flow source/sink methods are methods that may produce or send sensitive information; other suspicious methods include dynamic loading functions, reflection functions, encryption and decryption functions, and functions that execute or call native code.
The constructed software function call graph is the following four-tuple:
SBG = (V_D, V_N, E, μ)
where V_D is a subset of the node set of the software sensitive behavior call graph, and any node v_d ∈ V_D is a security-sensitive method; V_N is a subset of the node set of the software sensitive behavior call graph, and any node v_n ∈ V_N is a non-security-sensitive method that directly or indirectly invokes a security-sensitive method; E ⊆ V_N × V_D is the set of edges of the software sensitive behavior call graph, representing call relations between methods: any edge e = (v_n, v_d) ∈ E indicates that the non-security-sensitive method v_n ∈ V_N of the software directly or indirectly invokes the security-sensitive method v_d ∈ V_D, or that the method v_n in component C_s directly or indirectly triggers the method v_d in component C_t through ICC; the labeling function μ: V_D → <ID, EntryType, Para> marks the content of each node in the graph, i.e. the context information of the method, including the method ID, the entry type EntryType and the parameters Para;
The sensitive behavior set is the following set:
SBS = {S_1, …, S_i, …, S_m}
where S_i = { v | (v_i, v) ∈ E ∧ v_i ∈ V_N ∧ v ∈ V_D } is a set of security-sensitive methods: in the sensitive behavior call graph SBG = (V_D, V_N, E, μ), it is the set of all security-sensitive methods directly or indirectly called by the i-th non-security-sensitive method of the set V_N; m = |V_N| is the length of the set SBS.
Step 5: statistically analyze the features of the malware samples belonging to the same malware family, obtain the probability with which each feature component occurs, and build the Android malware family multi-feature model M, so as to build the malware family feature database;
The constructed Android malware family multi-feature model is the following six-tuple:
M = (SBS^c, α, F^c, β, P^c, γ)
where SBS^c is the sensitive behavior set shared by the malware family, obtained by statistically analyzing the sensitive behavior sets SBS of the samples of the same malware family; the labeling function α labels each sensitive method set in SBS^c with the probability that it occurs in the family's samples; F^c is the set of shared installation package features of the family's samples, obtained by analyzing their installation package feature vectors F; the labeling function β: f ∈ F^c → [0, 1] labels each feature in F^c with the probability that it occurs in the family's samples; P^c is the list of permissions frequently requested by the family's samples, obtained by analyzing their permission lists P; the labeling function γ: p ∈ P^c → [0, 1] labels each permission in P^c with the probability that it occurs in the family's samples.
Step 6: extract the features of the software under test with the methods of steps 2 to 4, match them against the malware family feature database, and obtain the name of the malware family with the highest similarity; if the similarity exceeds the threshold, report the software as malware and output the malware family it belongs to, otherwise report the software as benign.
The similarity between the software under test and a malware family is expressed as:
where S_f is the similarity of the software feature vectors, S_p the similarity of the permission lists, S_sbs the similarity of the sensitive behavior sets, and μ_i the weight of each similarity in the computation;
The software feature vector similarity S_f is computed as follows: given the feature vector F = {f_1, f_2, f_3, …, f_m} of the software under test, the feature vector F^c in the malware family multi-feature model to be matched, and the corresponding labeling function β, then:
the similarity is computed from the probability with which each feature occurs; if the values in the feature vector of the malware family multi-feature model are all 0, the similarity is 0. The modifying factor ω_f is computed as the number of features in the vector F for which f_i · f_i^c = 1, divided by the number of features in the vector F^c whose value is 1;
The permission list similarity S_p of the software is computed as follows: given the permission list P of the software under test, the permission list P^c = {p_1^c, p_2^c, …, p_n^c} in the malware family multi-feature model to be matched, and the corresponding labeling function γ, then:
where the modifying factor ω_p is computed as the number of permissions in the permission set P that belong to P^c, divided by the length of the set P^c; for each element p_i^c of the permission list P^c, an indicator takes the value 1 when p_i^c is contained in the permission list P of the software under test, and 0 otherwise;
The sensitive behavior set similarity S_sbs is computed as follows: given the sensitive behavior set SBS of the software, the sensitive behavior set SBS^c in the malware family multi-feature model to be matched, and the corresponding labeling function α, then:
In the formula, ω_sbs is a modifying factor computed as the number of sets S_i^c in SBS^c that are matched by some set in SBS, divided by the length of the set SBS^c; a set S_i^c is matched when there exists some set S in SBS such that the elements shared by S and S_i^c make up a proportion greater than θ (0 < θ ≤ 1) of all the elements of the two sets.
As described above, the invention uses statistical analysis to extract the features of each malware family, constructs a malware family feature database, and on the basis of that database proposes a multi-label malware detection method that achieves good precision in both malicious-ness judgment and malware family classification.
In order to help those skilled in the art better understand the technical problem, the technical solution and the technical effects of the invention, the invention is described in further detail below with reference to the drawings and a specific embodiment.
Embodiment
An Android-oriented multi-feature malware detection method for mobile network terminals uses the Drebin data set together with non-malicious software samples obtained from Google Play to form the data set. Malicious code detection and family classification specifically include the following steps:
Step 1: the samples in Drebin are split according to the malware family they belong to; non-malicious software is obtained from Google Play with a web crawler and verified with the VirusTotal online checking service, so as to build a sample data set that includes 4486 malware samples from 24 malware families and 2140 benign software samples;
Step 2: the software installation package to be analyzed is decompressed with a Zip decompression tool, and the installation package features are extracted, namely whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present, and whether sub-programs are present, so as to construct the installation package feature vector F. Whether a file is used for rooting the system is judged by comparing the MD5 values of known root exploit library files with the files in the installation package; whether abnormal files are present is judged by analyzing the file content with the Apache Tika tool to obtain the file type and comparing it with the file suffix; whether sub-programs are present is judged by checking whether the program contains jar, dex or apk files;
Step 3: the Android software sample is processed with APKParser, the AndroidManifest.xml file is parsed, and the permission list P requested by the software is extracted according to the tag fields in the XML;
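As an added illustration of Steps 2 and 3 (both as stated in the detailed description and as refined here in the embodiment), the following Python script, which is not code from the patent or its authors, extracts the four installation package features and the permission list from a constructed in-memory APK. It assumes the manifest has already been decoded to plain XML (the embodiment uses APKParser for this; real APKs carry a binary manifest), sniffs file types from magic bytes in place of Apache Tika, uses a constructed placeholder MD5 list in place of a real root-exploit hash list, and treats any jar, apk or dex entry other than the main classes.dex as a sub-program.

```python
"""Installation package feature vector F (Step 2) and permission list P (Step 3).

Added example, not the patent's own code. Assumptions: the APK is a plain zip whose
AndroidManifest.xml is already decoded to text (the embodiment uses APKParser for
this; real APKs store a binary manifest); file types are sniffed from magic bytes
instead of Apache Tika; ROOT_EXPLOIT_MD5 is a CONSTRUCTED placeholder, not a real
hash list; any jar/apk/dex entry other than the main classes.dex counts as a
sub-program.
"""
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Magic bytes -> real type (stand-in for Apache Tika's content detection).
MAGIC = {b"\x7fELF": "elf", b"PK\x03\x04": "zip", b"dex\n": "dex", b"\x89PNG": "png"}
# Type each suffix claims to be; a mismatch with the sniffed type is an "abnormal file".
SUFFIX_TYPE = {".so": "elf", ".jar": "zip", ".apk": "zip", ".dex": "dex", ".png": "png"}
SUBPROGRAM_SUFFIXES = (".jar", ".apk", ".dex")

# CONSTRUCTED placeholder: the MD5 of a fake "root exploit" library used only in this demo.
ROOT_EXPLOIT_BLOB = b"\x7fELF" + b"CONSTRUCTED-ROOT-EXPLOIT-PLACEHOLDER"
ROOT_EXPLOIT_MD5 = {hashlib.md5(ROOT_EXPLOIT_BLOB).hexdigest()}


def sniff_type(data):
    """Real file type from the leading magic bytes, or 'other'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def extract_package_features(apk_bytes):
    """Step 2: the four 0/1 installation package features."""
    F = {"has_so": 0, "has_root_exploit": 0, "has_abnormal_file": 0, "has_subprogram": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            base = name.rsplit("/", 1)[-1]
            suffix = name[name.rfind("."):] if "." in base else ""
            data = zf.read(info)
            if suffix == ".so":
                F["has_so"] = 1
                # Root exploit check: MD5 of the library against the known-bad list.
                if hashlib.md5(data).hexdigest() in ROOT_EXPLOIT_MD5:
                    F["has_root_exploit"] = 1
            # Abnormal file: the suffix claims one type, the content is another.
            if suffix in SUFFIX_TYPE and sniff_type(data) != SUFFIX_TYPE[suffix]:
                F["has_abnormal_file"] = 1
            # Sub-program: nested executable code besides the main classes.dex.
            if suffix in SUBPROGRAM_SUFFIXES and name != "classes.dex":
                F["has_subprogram"] = 1
    return F


def extract_permissions(manifest_xml):
    """Step 3: permission list P from the <uses-permission android:name=...> tags."""
    P = []
    for node in ET.fromstring(manifest_xml).iter("uses-permission"):
        perm = node.get(ANDROID_NS + "name")
        if perm and perm not in P:
            P.append(perm)
    return P


def analyze_apk(apk_bytes):
    """Return (F, P) for one installation package."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode("utf-8")
    return extract_package_features(apk_bytes), extract_permissions(manifest)


def build_sample_apk(suspicious):
    """CONSTRUCTED in-memory APK: benign-looking, or with all four features present."""
    perms = ["android.permission.INTERNET"] + (["android.permission.SEND_SMS"] if suspicious else [])
    manifest = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
                'package="com.example.sample">'
                + "".join('<uses-permission android:name="%s"/>' % p for p in perms)
                + "</manifest>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if suspicious:
            zf.writestr("lib/armeabi/libexploit.so", ROOT_EXPLOIT_BLOB)      # .so with a listed MD5
            zf.writestr("assets/banner.png", b"\x7fELF" + b"\x01" * 16)     # ELF behind a .png suffix
            zf.writestr("assets/plugin.jar", b"PK\x03\x04" + b"\x00" * 16)  # nested code
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(analyze_apk(build_sample_apk(flag)))
```

The feature order of F is fixed so that vectors from different packages line up position by position, which is what the family model in Step 5 relies on. The MD5 comparison only catches byte-identical copies of a listed library, which is the check the patent describes; a recompiled or padded library would need a different signal.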
Step 4: the installation package is decompiled with the Soot tool, the software function call graph is built, the security-sensitive methods in it are located, and the sensitive behavior graph SBG of the software is built; data-flow analysis is then used to obtain the context information of the security-sensitive methods, and the security-sensitive methods that are directly or indirectly called form the sensitive behavior set SBS of the software;
The security-sensitive methods of concern include permission-protected methods, information-flow source/sink methods and other suspicious methods. Permission-protected methods are APIs of the Android system that can only be used after a permission has been requested; information-flow source/sink methods are methods that may produce or send sensitive information; other suspicious methods include dynamic loading functions, reflection functions, encryption and decryption functions, and functions that execute or call native code.
The constructed sensitive behavior call graph is the following four-tuple:
SBG = (V_D, V_N, E, μ)
where V_D is a subset of the node set of the software sensitive behavior call graph, and any node v_d ∈ V_D is a security-sensitive method; V_N is a subset of the node set of the software function call graph, and any node v_n ∈ V_N is a non-security-sensitive method that directly or indirectly invokes a security-sensitive method; E ⊆ V_N × V_D is the set of edges of the sensitive behavior call graph, representing call relations between methods. Any edge e = (v_n, v_d) ∈ E indicates that the non-security-sensitive method v_n ∈ V_N of the software directly or indirectly invokes the security-sensitive method v_d ∈ V_D, or that the method v_n in component C_s directly or indirectly triggers the method v_d in component C_t through ICC; the labeling function μ: V_D → <ID, EntryType, Para> marks the content of each vertex in the graph, including the method ID, the entry type EntryType and the parameters Para.
The sensitive behavior set is the following set:
SBS = {S_1, S_2, …, S_m}
where S_i = { v | (v_i, v) ∈ E ∧ v_i ∈ V_N ∧ v ∈ V_D } is a set of security-sensitive methods: in the sensitive behavior call graph SBG = (V_D, V_N, E, μ), it is the set of all security-sensitive methods directly or indirectly called by the i-th non-security-sensitive method of the set V_N; m = |V_N| is the length of the set SBS;
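The four-tuple SBG and the set SBS defined above (in both the detailed description and this embodiment) can be computed from an ordinary call graph once the security-sensitive methods have been marked. The following Python is an added example, not code from the patent or the Soot project; it assumes the call graph has already been produced (the embodiment uses Soot), that ICC links between components have already been resolved and folded in as ordinary call edges, and that the context label μ for each sensitive method is supplied in a table. The method names, the call graph and the labels are constructed.

```python
"""Sensitive behavior graph SBG = (V_D, V_N, E, mu) and sensitive behavior set SBS (Step 4).

Added example, not the patent's own code. Assumptions: the function call graph is
already available (the embodiment obtains it with Soot); ICC links are already folded
into the graph as plain edges; the context label mu = <ID, EntryType, Para> of each
security-sensitive method is given by a table rather than recovered by data-flow
analysis. All names below are CONSTRUCTED.
"""
from collections import namedtuple

Context = namedtuple("Context", "id entry_type para")  # mu(v) = <ID, EntryType, Para>

# CONSTRUCTED call graph: caller -> callees.
CALL_GRAPH = {
    "MainActivity.onCreate": ["Helper.init", "Helper.track",
                              "SmsReceiver.onReceive"],    # ICC link, resolved beforehand (assumed)
    "Helper.init": ["DexClassLoader.<init>", "Helper.load"],
    "Helper.load": ["DexClassLoader.loadClass"],
    "Helper.track": ["TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"],
    "SettingsActivity.onResume": ["Helper.show"],
    "Helper.show": ["Toast.makeText"],
    "SmsReceiver.onReceive": ["SmsManager.sendTextMessage"],
}

# CONSTRUCTED table of security-sensitive methods with their context label mu.
SENSITIVE = {
    "TelephonyManager.getDeviceId": Context(1, "source", ("READ_PHONE_STATE",)),
    "SmsManager.sendTextMessage": Context(2, "sink", ("SEND_SMS",)),
    "DexClassLoader.<init>": Context(3, "dynamic_load", ()),
    "DexClassLoader.loadClass": Context(4, "dynamic_load", ()),
}


def reachable_sensitive(graph, sensitive, start):
    """Security-sensitive methods reached from `start` by direct or indirect calls."""
    seen, found = set(), set()
    stack = list(graph.get(start, []))
    while stack:
        m = stack.pop()
        if m in seen:
            continue
        seen.add(m)
        if m in sensitive:
            found.add(m)
        stack.extend(graph.get(m, []))
    return found


def build_sbg(graph, sensitive):
    """Return (V_D, V_N, E, mu): V_N keeps the graph's caller order so SBS is indexed by it."""
    v_n, e = [], set()
    for caller in graph:
        if caller in sensitive:
            continue
        targets = reachable_sensitive(graph, sensitive, caller)
        if targets:                      # only callers that reach a sensitive method join V_N
            v_n.append(caller)
            e.update((caller, t) for t in targets)
    v_d = {t for _, t in e}              # sensitive methods that are actually reached
    mu = {v: sensitive[v] for v in v_d}
    return v_d, v_n, e, mu


def build_sbs(graph, sensitive):
    """SBS = {S_i}: S_i is the set of sensitive methods reached by the i-th method of V_N."""
    _, v_n, e, _ = build_sbg(graph, sensitive)
    return [frozenset(t for c, t in e if c == v) for v in v_n]


if __name__ == "__main__":
    v_d, v_n, e, mu = build_sbg(CALL_GRAPH, SENSITIVE)
    print("V_D:", sorted(v_d))
    print("V_N:", v_n)
    for v, s in zip(v_n, build_sbs(CALL_GRAPH, SENSITIVE)):
        print(v, "->", sorted(s))
```

Because E records indirect reachability rather than direct calls, an entry point such as MainActivity.onCreate ends up with the union of everything its helpers reach, which is exactly what lets the Step 5 statistics compare behavior across samples whose internal helper structure differs.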
Step 5: 75% of the samples of the 24 malware families (3341 samples) are selected as the samples for feature extraction, and the malware family feature database is built from them. The features of the malware samples belonging to the same malware family are statistically analyzed to obtain the probability with which each feature component occurs, and the Android malware family multi-feature model M is built, so as to build the malware family feature database;
The constructed Android malware family multi-feature model is the following six-tuple:
M = (SBS^c, α, F^c, β, P^c, γ)
where SBS^c is the sensitive behavior set shared by the malware family, obtained by statistically analyzing the sensitive behavior sets SBS of the samples of the same malware family; the labeling function α labels each sensitive method set in SBS^c with the probability that it occurs in the family's samples; F^c is the set of shared installation package features of the family's samples, obtained by analyzing their installation package features F; the labeling function β: f ∈ F^c → [0, 1] labels each feature in F^c with the probability that it occurs in the family's samples; P^c is the list of permissions frequently requested by the family's samples, obtained by analyzing their permission lists P; the labeling function γ: p ∈ P^c → [0, 1] labels each permission in P^c with the probability that it occurs in the family's samples;
Step 6: the features of the software under test are extracted with the methods of steps 2 to 4 and matched against the malware family feature database to obtain the name of the malware family with the highest similarity; if the similarity exceeds 0.7, the software is reported as malware and the malware family it belongs to is output, otherwise the software is reported as benign;
The similarity between the software under test and a malware family is expressed as:
where S_f is the similarity of the feature vectors, S_p the similarity of the permission lists, S_sbs the similarity of the sensitive behavior sets, and μ_i the weight of each similarity in the computation; the values of the three weights used in the experiment are
The software feature vector similarity is computed as follows: given the feature vector F = {f_1, f_2, f_3, …, f_m} of the software under test, the feature vector F^c = {f_1^c, f_2^c, f_3^c, …, f_m^c} in the malware family multi-feature model to be matched, and the corresponding labeling function β, the similarity is given by the following formula:
The similarity is computed from the probability with which each feature occurs; if the values of the feature vector in the malware family multi-feature model are all 0, the similarity is 0. The modifying factor ω_f is computed as the number of features in the vector F for which f_i · f_i^c = 1, divided by the number of features in the vector F^c whose value is 1.
The software permission list similarity is computed as follows: given the permission list P of the software under test, the permission list P^c = {p_1^c, p_2^c, …, p_n^c} in the malware family multi-feature model to be matched, and the corresponding labeling function γ, the similarity is given by the following formula:
where the modifying factor ω_p is computed as the number of permissions in the permission set P that belong to P^c, divided by the length of the set P^c.
The sensitive behavior set similarity is computed as follows: given the sensitive behavior set SBS of the software, the sensitive behavior set SBS^c in the malware family multi-feature model to be matched, and the corresponding labeling function α, the similarity is given by the following formula:
To prevent malware families with more features from covering families with fewer features, a modifying factor ω_sbs is introduced; it is computed as the number of sets S_i^c in SBS^c that are matched by some set in SBS, divided by the length of the set SBS^c. A set S_i^c is matched when there exists some set S in SBS such that the elements shared by S and S_i^c make up more than 80% of all the elements of the two sets.
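Steps 5 and 6, as defined in the detailed description and parameterised above in the embodiment, can be exercised end to end on a small constructed data set. The Python below is an added example, not code from the patent or its authors. This page does not reproduce the formulas for S_f, S_p and S_sbs or their weighted combination, so the scoring is an assumption: each component is the probability mass of the matched family features scaled by the patent's modifying factor ω, and the three components are combined with weights μ_i. The threshold 0.7 and θ = 0.8 come from the embodiment; the equal weights μ_i = 1/3, the 50% cut-off for counting a feature as "shared" by a family, the reading of "shared elements over all elements of the two sets" as |S ∩ S^c| / |S ∪ S^c|, and all sample data are constructed assumptions.

```python
"""Family multi-feature model M = (SBS^c, alpha, F^c, beta, P^c, gamma) and Step 6 matching.

Added example, not the patent's own code. The page omits the formulas for S_f, S_p,
S_sbs and their combination; the scoring here is an ASSUMPTION: each component is
omega * (probability mass of matched family items / total mass), combined with
weights mu_i. THRESHOLD and THETA come from the embodiment; WEIGHTS, MIN_FREQ and all
sample data are CONSTRUCTED.
"""
from collections import Counter

THRESHOLD, THETA = 0.7, 0.8          # from the embodiment
WEIGHTS = (1 / 3, 1 / 3, 1 / 3)      # mu_f, mu_p, mu_sbs (assumed; the page omits the values)
MIN_FREQ = 0.5                       # a family item is "shared" if >= 50% of samples have it (assumed)


def build_family_model(samples):
    """Step 5: (beta, gamma, alpha) = occurrence probability of each item in F^c, P^c, SBS^c."""
    n = len(samples)

    def keep(cnt):
        return {k: c / n for k, c in cnt.items() if c / n >= MIN_FREQ}

    f_cnt = Counter(i for F, _, _ in samples for i, f in enumerate(F) if f)
    p_cnt = Counter(p for _, P, _ in samples for p in P)
    s_cnt = Counter(S for _, _, SBS in samples for S in set(SBS))
    return keep(f_cnt), keep(p_cnt), keep(s_cnt)


def overlap(a, b):
    """Elements common to both sets as a share of all elements of the two sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def _component(prob, hits):
    """omega * (mass of matched items / total mass); 0 when the family part is empty."""
    if not prob:
        return 0.0
    omega = len(hits) / len(prob)                       # the patent's modifying factor
    return omega * sum(prob[k] for k in hits) / sum(prob.values())


def similarity(F, P, SBS, model):
    beta, gamma, alpha = model
    s_f = _component(beta, [i for i in beta if F[i]])           # f_i * f_i^c = 1
    s_p = _component(gamma, [p for p in gamma if p in P])       # p^c contained in P
    s_sbs = _component(alpha, [Sc for Sc in alpha
                               if any(overlap(S, Sc) > THETA for S in SBS)])
    return WEIGHTS[0] * s_f + WEIGHTS[1] * s_p + WEIGHTS[2] * s_sbs


def classify(F, P, SBS, families):
    """Step 6: best-matching family if its similarity exceeds THRESHOLD, else benign."""
    score, name = max((similarity(F, P, SBS, m), n) for n, m in families.items())
    return (name, score) if score > THRESHOLD else ("benign", score)


# CONSTRUCTED training samples: (F, P, SBS) per sample; F is ordered
# (has_so, has_root_exploit, has_abnormal_file, has_subprogram).
S_SMS = frozenset({"TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"})
S_LOAD = frozenset({"DexClassLoader.loadClass"})
S_EXEC = frozenset({"Runtime.exec"})
SMS, NET = "android.permission.SEND_SMS", "android.permission.INTERNET"
PHONE, NETSTATE = "android.permission.READ_PHONE_STATE", "android.permission.ACCESS_NETWORK_STATE"
FAMILY_SAMPLES = {
    "FamilyA": [((1, 0, 0, 1), {SMS, NET, PHONE}, [S_SMS, S_LOAD]),
                ((1, 0, 0, 1), {SMS, NET}, [S_SMS]),
                ((1, 0, 1, 1), {SMS, PHONE}, [S_SMS, S_LOAD]),
                ((0, 0, 0, 1), {SMS, NET, PHONE}, [S_SMS])],
    "FamilyB": [((1, 1, 0, 0), {NET, NETSTATE}, [S_EXEC]),
                ((1, 1, 0, 0), {NET}, [S_EXEC])],
}
FAMILY_DB = {name: build_family_model(s) for name, s in FAMILY_SAMPLES.items()}

if __name__ == "__main__":
    print(classify((1, 0, 0, 1), {SMS, PHONE, NET}, [S_SMS], FAMILY_DB))   # FamilyA
    print(classify((0, 0, 0, 0), {NET}, [], FAMILY_DB))                      # benign
```

The modifying factors are what keep a feature-rich family from absorbing everything: a sample that matches only one of FamilyB's two package features gets ω_f = 1/2 there, so FamilyA, whose profile it matches fully, wins even though both families share the INTERNET permission.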
The above method was tested on the remaining 25% of the malware samples (1145 samples) and the 2140 benign software samples; the results of the malicious-ness judgment and malware family classification, compared with the detection results of 8 common anti-virus engines in VirusTotal, are shown in Fig. 2.
As described above, the invention selects installation package features, permission features and sensitive behavior call features as the basis for judging malware, which improves the accuracy of malicious behavior detection while also providing malware family classification.

Claims (6)

1. An Android-oriented multi-feature malware detection method for mobile network terminals, characterized in that it includes the following steps:
Step 1: obtain Android malware samples and label the Android malware family to which each sample belongs, then obtain non-malicious software samples, so as to build a data set of malicious and non-malicious software samples;
Step 2: extract the installation package features of the software, namely whether .so files are present, whether files used for rooting the system are present, whether abnormal files are present, and whether sub-programs are present, so as to construct the installation package feature vector F;
Step 3: process the Android software sample with a decompilation tool, parse the AndroidManifest.xml file, and extract the permission list P requested by the software according to the tag fields in the XML;
Step 4: decompile the installation package, build the software's function call graph, locate the security-sensitive methods in it, and build the software's sensitive behavior graph SBG; then use data-flow analysis to obtain the context information of the security-sensitive methods, and form the software's sensitive behavior set SBS from the security-sensitive methods that are directly or indirectly called;
Step 5: statistically analyze the features of the malware samples belonging to the same malware family, obtain the probability with which each feature component occurs, and build the Android malware family multi-feature model M, so as to build the malware family feature database;
Step 6: extract the features of the software under test with the methods of steps 2 to 4, match them against the malware family feature database, and obtain the name of the malware family with the highest similarity; if the similarity exceeds the threshold, report the software as malware and output the malware family it belongs to, otherwise report the software as benign.
2. The Android-oriented multi-feature malware detection method for mobile network terminals according to claim 1, characterized in that the abnormal file in step 2 is a file whose suffix does not match the type indicated by the file content itself; whether .so files are present is checked, and whether a library file is a root exploit file is judged by its MD5 value; jar, dex and apk files are checked to determine whether sub-programs are present.
3. The Android-oriented multi-feature malware detection method for mobile network terminals according to claim 1, characterized in that the security-sensitive methods in step 4 include permission-protected methods, information-flow source/sink methods and other suspicious methods; permission-protected methods are APIs of the Android system that can only be used after a permission has been requested; information-flow source/sink methods are methods that may produce or send sensitive information; other suspicious methods include dynamic loading functions, reflection functions, encryption and decryption functions, and functions that execute or call native code.
4. The Android-oriented multi-feature malware detection method for mobile network terminals according to claim 1, characterized in that the software function call graph built in step 4 is the following four-tuple:
SBG=(VD,VN,E,μ)
Wherein, VDFor the subset of software sensitive behavior calling figure Point Set, any node v thereind∈VDFor security sensitive method One kind;VNFor the subset of software sensitive behavior calling figure Point Set, any node v thereinn∈VNFor non-security sensitivity side Method, but direct or indirect have invoked security sensitive method;E∈VN×VDFor the set on software sensitive behavior calling figure side, table Show between method that there is call relation, any of which side e=(vn,vd) ∈ E indicate the non-security sensitive method v in softwaren∈ VNDirect or indirect has invoked security sensitive method vd∈VDOr component CsIn method vnIt is directly or indirectly triggered by ICC Component CtIn method vd;Labeling function μ:Vd→<ID,EntryType,Para>For marking in figure in node includes Hold, i.e. the contextual information of this method, including method ID, entrance vertex type EntryType and parameter Para;
The sensitive behaviour set is the following set:

$$SBS = \{S_1, \ldots, S_i, \ldots, S_m\}$$

where $S_i = \{v \mid (v_i, v) \in E \wedge v_i \in V_N \wedge v \in V_D\}$ is a set of security-sensitive methods, namely the set of all security-sensitive methods directly or indirectly called by the $i$-th non-sensitive method of the set $V_N$ in the sensitive behaviour call graph $SBG = (V_D, V_N, E, \mu)$; $m = |V_N|$ is the length of the set SBS.
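As an added illustration of claim 4 (example code, not the patent's own), the following Python derives $V_D$, $V_N$, $E$ and the sensitive behaviour set SBS from a constructed call graph; the method names and the list of security-sensitive methods are assumptions for the example, and the labeling function $\mu$ is left out.

```python
# Constructed call graph of a hypothetical app (caller -> callees); method
# names and the list of security-sensitive API methods are assumptions for
# this example, not data from the patent.
CALL_GRAPH = {
    "Main.onCreate": ["Main.loadData", "Ui.showDialog"],
    "Main.loadData": ["TelephonyManager.getDeviceId", "Net.upload"],
    "Net.upload": ["SmsManager.sendTextMessage"],
    "Main.onClick": ["Ui.showDialog"],
    "Ui.showDialog": [],
}
SENSITIVE = {"TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"}


def reachable_sensitive(graph, start, sensitive):
    """Security-sensitive methods that `start` calls directly or indirectly
    (depth-first walk; `seen` guards against cycles in the call graph)."""
    seen, stack, hits = {start}, [start], set()
    while stack:
        for callee in graph.get(stack.pop(), []):
            if callee in sensitive:
                hits.add(callee)
            elif callee not in seen:
                seen.add(callee)
                stack.append(callee)
    return hits


def build_sbg(graph, sensitive):
    """Claim 4: return (V_D, V_N, E) of the sensitive behaviour call graph.
    V_N holds the non-sensitive methods that reach a sensitive method,
    E the (v_n, v_d) pairs, V_D the sensitive methods actually reached."""
    v_n, edges = set(), set()
    for method in graph:
        if method in sensitive:
            continue
        hits = reachable_sensitive(graph, method, sensitive)
        if hits:
            v_n.add(method)
            edges.update((method, d) for d in hits)
    v_d = {d for _, d in edges}
    return v_d, v_n, edges


def sensitive_behaviour_set(v_n, edges):
    """SBS = {S_i}: for each v_i in V_N, the sensitive methods it reaches."""
    sbs = {vn: set() for vn in v_n}
    for vn, vd in edges:
        sbs[vn].add(vd)
    return sbs
```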
5. The Android-oriented mobile network terminal malware multi-feature detection method according to claim 1, characterized in that the Android malware family multi-feature model built in step 5 is the following six-tuple:

$$M = (SBS_c, \alpha, F_c, \beta, P_c, \gamma)$$

where $SBS_c$ is the sensitive behaviour set shared by the malware family, obtained by statistically analysing the sensitive behaviour sets SBS of the samples of the same malware family; the labeling function $\alpha: S \in SBS_c \to [0,1]$ marks the probability with which each sensitive method set in $SBS_c$ occurs in the family's samples; $F_c$ is the shared software installation package feature possessed by the family's samples, obtained by analysing the installation package feature vectors F of the samples of the same family; the labeling function $\beta: f \in F_c \to [0,1]$ marks the probability with which each feature in $F_c$ occurs in the family's samples; $P_c$ is the permission list frequently requested by the family's samples, obtained by analysing the permission lists P of the samples of the same family; the labeling function $\gamma: p \in P_c \to [0,1]$ marks the probability with which each permission in $P_c$ occurs in the family's samples.
6. The Android-oriented mobile network terminal malware multi-feature detection method according to claim 1, characterized in that the similarity between the software under test and a malware family is expressed in step 6 as:
where $S_f$ is the similarity of the software feature vectors, $S_p$ the similarity of the permission lists, $S_{sbs}$ the similarity of the sensitive behaviour sets, and $\mu_i$ the weight of each similarity in the calculation;
The software feature vector similarity $S_f$ is calculated as follows: given the feature vector $F = \{f_1, f_2, f_3, \ldots, f_m\}$ of the software under test, the feature vector $F_c$ of the malware family multi-feature model to be matched and the corresponding labeling function $\beta$, then:
the similarity is calculated from the probability with which each feature occurs; if the value in the feature vector of the malware family multi-feature model is 0, the similarity is 0. The modifying factor $\omega_f$ is calculated as the number of features in the vector F that satisfy … divided by the number of features in the vector $F_c$ whose value is 1;
The permission list similarity $S_p$ of the software is calculated as follows: given the permission list P of the software under test, the permission list $P_c = \{p_1^c, p_2^c, \ldots, p_n^c\}$ of the malware family multi-feature model to be matched and the corresponding labeling function $\gamma$, then:
where the modifying factor $\omega_p$ is calculated as the number of permissions in the permission set P that belong to $P_c$, divided by the length of the set $P_c$; when an element of the permission list $P_c$ is contained in the permission list P of the software under test, the corresponding value is 1, otherwise 0;
The sensitive behaviour set similarity $S_{sbs}$ is calculated as follows: given the sensitive behaviour set SBS of the software, the sensitive behaviour set $SBS_c$ of the malware family multi-feature model to be matched and the corresponding labeling function $\alpha$, then:
in the formula, $\omega_{sbs}$ is the modifying factor, calculated as the number of sets in SBS that satisfy … divided by the length of the set $SBS_c$; the function … indicates that there exists a set S in SBS such that the elements it shares with the set … make up a proportion greater than $\theta$ ($0 < \theta \le 1$) of all elements of the two sets.
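An added example (not the patent's own code) of the family model of claim 5 and of the modifying factors $\omega_p$ and $\omega_{sbs}$ of claim 6, computed over constructed family samples. The similarity formulas themselves are not reproduced on this page, so only the statistically defined parts are implemented, and the $\theta$ test is realised as a set-overlap ratio, which is an interpretation rather than the claim's exact function.

```python
from collections import Counter

# Constructed family samples (illustrative, not patent data). Each sample
# has its permission list P, a binary installation-package feature vector F
# (fixed order) and its sensitive behaviour set SBS = {S_1, ..., S_m}.
FAMILY_SAMPLES = [
    {"perms": {"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}, "feats": (1, 1, 0),
     "sbs": [{"getDeviceId", "sendTextMessage"}]},
    {"perms": {"SEND_SMS", "READ_PHONE_STATE"}, "feats": (1, 0, 0),
     "sbs": [{"getDeviceId", "sendTextMessage"}, {"getLine1Number"}]},
    {"perms": {"SEND_SMS", "INTERNET", "RECEIVE_SMS"}, "feats": (1, 1, 0),
     "sbs": [{"sendTextMessage"}]},
]


def build_family_model(samples):
    """Step 5 / claim 5: P_c, F_c and SBS_c with their labeling functions
    gamma, beta and alpha, each being the fraction of family samples in
    which the permission, feature or sensitive method set occurs."""
    n = len(samples)
    gamma = {p: c / n for p, c in
             Counter(p for s in samples for p in s["perms"]).items()}
    beta = [sum(s["feats"][i] for s in samples) / n
            for i in range(len(samples[0]["feats"]))]
    alpha = {bs: c / n for bs, c in
             Counter(frozenset(b) for s in samples for b in s["sbs"]).items()}
    return {"P_c": gamma, "F_c": beta, "SBS_c": alpha}


def omega_p(perms, model):
    """Claim 6: permissions of P that belong to P_c, divided by |P_c|."""
    p_c = set(model["P_c"])
    return len(perms & p_c) / len(p_c)


def theta_match(s, s_c, theta):
    """Assumed reading of the claim's theta test: the elements S shares
    with S_c, as a share of all elements of both sets, exceed theta."""
    union = s | s_c
    return bool(union) and len(s & s_c) / len(union) > theta


def omega_sbs(sbs, model, theta=0.5):
    """Claim 6: number of sets in SBS that theta-match some set of SBS_c,
    divided by |SBS_c| (0 < theta <= 1)."""
    hits = sum(1 for s in sbs
               if any(theta_match(s, s_c, theta) for s_c in model["SBS_c"]))
    return hits / len(model["SBS_c"])
```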
CN201810109044.6A 2018-02-05 2018-02-05 Android-oriented mobile network terminal malicious software multi-feature detection method Active CN108280350B (en)


Publications (2)

Publication Number Publication Date
CN108280350A true CN108280350A (en) 2018-07-13
CN108280350B CN108280350B (en) 2021-09-28

Family

ID=62807459



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant