CN108681670A - The method and device of Android malicious applications detection based on fine granularity feature - Google Patents


Info

Publication number
CN108681670A
Authority
CN
China
Legal status
Pending
Application number
CN201810289216.2A
Other languages
Chinese (zh)
Inventor
喻民
刘超
李佳楠
姜建国
黄伟庆
Assignee
Institute of Information Engineering of CAS

Classifications

    • G06F21/563 Static detection by source code analysis (computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F8/43 Checking; contextual analysis (compilation)
    • G06F8/445 Exploiting fine grain parallelism, i.e. parallelism at instruction level (encoding)
    • G06F8/53 Decompilation; disassembly
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

Embodiments of the present invention disclose a method and device for Android malicious application detection based on fine-grained features, which can improve detection accuracy and reduce overhead. The method includes: S1, obtaining the static features of the Android application to be detected and generating a feature vector from those static features, where the static features include API features and permission features; the API features include the APIs the application invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the application, those that are requested but not actually used; S2, inputting the feature vector into a pre-built detection model to obtain a detection result of whether the application is a malicious application.

Description

Method and device for Android malicious application detection based on fine-grained features
Technical field
Embodiments of the present invention relate to the field of computing, and in particular to a method and device for Android malicious application detection based on fine-grained features.
Background technology
The emergence of Android malicious applications has put user data under serious threat, causing economic loss to users or leaking their private information. As attack techniques mature, newly emerging malware is difficult to detect and may even leak state secrets, with unimaginable consequences. The detection of Android malicious applications has therefore attracted wide attention from academia and industry.
Existing detection methods fall into two kinds, static analysis and dynamic analysis. Dynamic analysis places high demands on real-time performance and on the running environment, takes longer, and the malicious behaviour is hard to trigger; static analysis has the advantages of low energy consumption, low risk, high speed and low real-time requirements, and has become the most widely used detection method today. A static detection method is implemented as follows. First, the static features of the Android application are extracted (for example, permission requests or API (Application Programming Interface) calls) and the application's feature vector is generated from them: if a feature is detected in the application, it is marked as 1 in the feature vector, otherwise as 0. Then a machine learning algorithm is trained on the collected training set to generate a detection model. Finally, the generated detection model is used to detect the Android application under test. Documents that currently implement this detection method include:
1. Wei Li is bold and unconstrained, Ai Xieqing, Zou Hong, et al. Multi-feature cooperative decision detection method for Android malware [J]. Computer Engineering and Applications, 2016, 52(20): 5-13.
2. Shao Shu enlightening, Yu Hui crowds of. Android malware detection method combining permission and API features [C] // National Software and Application Academic Conference, 2015.
3. Bao the U.S. and Britain. Android malware detection based on improved decision tree classification [J]. Software, 2017, 38(2): 33-36.
The main shortcoming of current detection methods is that the extracted features are coarse-grained, so the detection results do not reach an ideal accuracy rate. There are two main reasons. First, for the convenience of future development and upgrades, application developers request excessive permissions at the initial stage, which causes a degree of misjudgement in permission-based detection methods. Second, more than 90% of static analysis methods do not consider API calls made through reflection, which is another main cause of the poor performance of existing malware detection tools.
Invention content
In view of the shortcomings and defects of the prior art, embodiments of the present invention provide a method and device for Android malicious application detection based on fine-grained features.
In one aspect, an embodiment of the present invention proposes a method for Android malicious application detection based on fine-grained features, including:
S1, obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs the Android application to be detected invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that are requested but not actually used;
S2, inputting the feature vector into a pre-built detection model to obtain a detection result of whether the Android application to be detected is a malicious application.
In another aspect, an embodiment of the present invention proposes a device for Android malicious application detection based on fine-grained features, including:
a generation unit, configured to obtain the static features of the Android application to be detected and generate a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs the Android application to be detected invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that are requested but not actually used;
a detection unit, configured to input the feature vector into a pre-built detection model to obtain a detection result of whether the Android application to be detected is a malicious application.
In a third aspect, an embodiment of the present invention provides an electronic device, including a processor, a memory, a bus, and a computer program stored on the memory and runnable on the processor;
wherein the processor and the memory communicate with each other through the bus;
and the processor implements the above method when executing the computer program.
In a fourth aspect, an embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program implementing the above method when executed by a processor.
The method and device for Android malicious application detection based on fine-grained features provided by embodiments of the present invention improve the feature extraction step so that the extracted static features comprise the APIs the Android application to be detected invokes directly and through reflection, together with the permissions that remain after removing, from all permissions the application declares, those requested but not actually used. The two kinds of feature that appear most frequently in Android applications (permissions and APIs) are thus obtained at a finer granularity, which reduces the overhead of useless features and their interference with the detection result. Compared with the prior art, this scheme can therefore improve detection accuracy and reduce overhead.
Description of the drawings
Fig. 1 is a flow diagram of one embodiment of the method for Android malicious application detection based on fine-grained features of the present invention;
Fig. 2 is a flow diagram of another embodiment of the method for Android malicious application detection based on fine-grained features of the present invention;
Fig. 3 is a structural diagram of one embodiment of the device for Android malicious application detection based on fine-grained features of the present invention;
Fig. 4 is a physical structure diagram of an electronic device provided by an embodiment of the present invention.
Specific implementation mode
To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described below in conjunction with the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, this embodiment discloses a method for Android malicious application detection based on fine-grained features, including:
S1, obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs the Android application to be detected invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that are requested but not actually used;
S2, inputting the feature vector into a pre-built detection model to obtain a detection result of whether the Android application to be detected is a malicious application.
The method for Android malicious application detection based on fine-grained features provided by this embodiment improves the feature extraction step so that the extracted static features comprise the APIs the Android application to be detected invokes directly and through reflection, together with the permissions that remain after removing, from all permissions the application declares, those requested but not actually used. The two kinds of feature that appear most frequently in Android applications (permissions and APIs) are thus obtained at a finer granularity, which reduces the overhead of useless features and their interference with the detection result. Compared with the prior art, this scheme can therefore improve detection accuracy and reduce overhead.
On the basis of the preceding method embodiment, obtaining the static features of the Android application to be detected may include:
obtaining all .smali files of the Android application to be detected, and excluding from them the .smali files that contain no sensitive API call, to obtain the target .smali files;
for each target .smali file, matching its content against a pre-built permission-API library to obtain the invoke-virtual instructions contained in the file and their corresponding sensitive APIs, and taking those sensitive APIs as the APIs the Android application to be detected invokes directly, where the permission-API library comprises the permissions relevant to Android malicious application detection and the APIs corresponding to those permissions, and a sensitive API is an API contained in the permission-API library.
In this embodiment, the .smali files with no sensitive API call include files that are not part of the application's main functionality, such as R.smali, R$attr.smali, R$id.smali and R$layout.smali. When building the permission-API library, the permission-API mapping provided by the open-source tool PScout can be used. Some entries of that mapping are useless for malware detection; they not only add extra overhead but also degrade system performance. A filtering algorithm can therefore be used to remove from the PScout mapping the permissions unrelated to Android malicious application detection, together with their corresponding APIs, to obtain the permission-API library.
On the basis of the preceding method embodiment, obtaining the static features of the Android application to be detected may include:
converting the APK (Android Package) file of the Android application to be detected into Jimple code;
performing reflection analysis on the Jimple code to obtain the APIs the Android application to be detected invokes through reflection.
In this embodiment, before reflection analysis is performed, the analysis entry points must be determined and it must be ensured that the analysis covers all application code; the reflection analysis itself may use the context-sensitive, data-flow-based analysis method named DroidRA.
On the basis of the preceding method embodiment, obtaining the static features of the Android application to be detected may include:
after decompiling the Android application to be detected, obtaining all permissions it declares from its AndroidManifest.xml file;
determining the permissions that are requested but not actually used, and removing them from all declared permissions to obtain the permission features, where the permissions requested but not actually used are those declared permissions that exist in the permission-API library but whose corresponding APIs the Android application to be detected invokes neither directly nor through reflection.
Fig. 2 is a flow diagram of another embodiment of the method for Android malicious application detection based on fine-grained features of the present invention. Referring to Fig. 2, the method may include the following steps:
(a) building and training the detection model;
(b) obtaining the static features of the Android application to be detected, generating a feature vector from the static features, and inputting the feature vector into the detection model to obtain a detection result of whether the Android application to be detected is a malicious or a benign application.
Step (a) above includes the following steps:
building the permission-API library;
performing static feature extraction, based on the permission-API library, on a training sample set containing benign and malicious applications. This specifically includes fine-grained extraction of APIs and fine-grained extraction of permissions. The fine-grained extraction of APIs scans the smali files one by one to obtain the directly invoked APIs and additionally obtains the APIs called through reflection, finally building the fine-grained API set FG(API). The fine-grained extraction of permissions removes, according to the API-permission mapping library, the permissions requested but not actually used from all declared permissions, forming the final fine-grained permission set FG(Permission);
constructing the feature set. The final feature set consists of two parts: one part is the fine-grained API set, comprising the APIs the application invokes directly and those it invokes through the reflection mechanism; the other part is the fine-grained permission set, i.e. all declared permissions with the over-requested, unused permissions removed;
building the detection model: generating feature vectors from the feature set and training the detection model with those feature vectors.
The static features of the Android application to be detected are obtained in the same way as the static features of the training samples, so the procedure is not repeated here.
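The extraction steps above (target-file filtering, invoke matching against the permission-API library, reflection-called APIs, and the declared-minus-unused permission set) are shown end to end in the following added example. It is not code from the patent: the permission-API map is a constructed three-entry stand-in for a filtered PScout map, the smali text and manifest are constructed samples, the invoke matching generalizes the page's invoke-virtual to every invoke-* form, and the reflection step is a simple per-method string-constant heuristic rather than the DroidRA analysis the page names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed permission -> API mapping (hypothetical stand-in for a filtered
# PScout map). Keys are permissions; values are smali method references.
PERMISSION_API = {
    "android.permission.READ_PHONE_STATE": {
        "Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;",
    },
    "android.permission.SEND_SMS": {
        "Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;"
        "Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;"
        "Landroid/app/PendingIntent;)V",
    },
    "android.permission.ACCESS_FINE_LOCATION": {
        "Landroid/location/LocationManager;->getLastKnownLocation("
        "Ljava/lang/String;)Landroid/location/Location;",
    },
}
SENSITIVE_APIS = {api for apis in PERMISSION_API.values() for api in apis}
API_TO_PERMISSION = {api: p for p, apis in PERMISSION_API.items() for api in apis}

# Any invoke-* instruction; group 1 is the "Lpkg/Class;->method(args)ret" target.
INVOKE_RE = re.compile(
    r"^\s*invoke-(?:virtual|static|direct|interface|super)(?:/range)?"
    r"\s+\{[^}]*\},\s*(L\S+)$")
CONST_STR_RE = re.compile(r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"([^"]*)"', re.M)
REFLECT_MARKERS = ("Ljava/lang/Class;->forName(", "Ljava/lang/Class;->getMethod(",
                   "Ljava/lang/reflect/Method;->invoke(")


def target_files(smali_files):
    """Keep only .smali files that reference at least one sensitive API;
    resource classes such as R$id.smali drop out here."""
    return {n: t for n, t in smali_files.items()
            if any(api in t for api in SENSITIVE_APIS)}


def direct_apis(smali_files):
    """Match each invoke-* instruction against the permission-API library."""
    found = set()
    for text in smali_files.values():
        for line in text.splitlines():
            m = INVOKE_RE.match(line)
            if m and m.group(1) in SENSITIVE_APIS:
                found.add(m.group(1))
    return found


def reflected_apis(smali_files):
    """Heuristic stand-in for reflection analysis: inside a method body that
    uses the reflection API, pair string constants naming a class and a
    method and look the pair up in the library. Unlike DroidRA this does not
    follow data flow across methods, so it only resolves in-method constants."""
    found = set()
    for text in smali_files.values():
        for body in re.split(r"^\.method ", text, flags=re.M)[1:]:
            if not any(mk in body for mk in REFLECT_MARKERS):
                continue
            consts = CONST_STR_RE.findall(body)
            classes = {"L" + c.replace(".", "/") + ";" for c in consts if "." in c}
            for api in SENSITIVE_APIS:
                cls, rest = api.split("->", 1)
                if cls in classes and rest.split("(", 1)[0] in consts:
                    found.add(api)
    return found


def declared_permissions(manifest_xml):
    """All <uses-permission> entries of a decoded AndroidManifest.xml."""
    ns = "{http://schemas.android.com/apk/res/android}name"
    return {e.get(ns) for e in ET.fromstring(manifest_xml).iter("uses-permission")}


def fine_grained_features(smali_files, manifest_xml):
    """Return (FG(API), FG(Permission)) as defined on the page."""
    fg_api = direct_apis(target_files(smali_files)) | reflected_apis(smali_files)
    declared = declared_permissions(manifest_xml)
    used = {API_TO_PERMISSION[a] for a in fg_api}
    # Requested-but-unused: declared, known to the library, and none of its
    # APIs is called directly or via reflection. Permissions the library does
    # not cover (e.g. INTERNET here) are left in the declared set.
    unused = {p for p in declared if p in PERMISSION_API and p not in used}
    return fg_api, declared - unused


def feature_vector(fg_api, fg_perm):
    """Binary vector over a fixed column order: library APIs, then permissions."""
    cols = sorted(SENSITIVE_APIS) + sorted(PERMISSION_API)
    return [1 if c in fg_api or c in fg_perm else 0 for c in cols]


# Constructed sample app: a resource class, a direct getDeviceId() call, and
# a reflective sendTextMessage() call; ACCESS_FINE_LOCATION is declared but unused.
SMALI_FILES = {
    "R$id.smali": ".class public final Lcom/example/R$id;\n"
                  ".field public static final btn:I = 0x7f0a0001\n",
    "MainActivity.smali": (
        ".class public Lcom/example/MainActivity;\n"
        ".method public onCreate(Landroid/os/Bundle;)V\n"
        "    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;\n"
        "    return-void\n.end method\n"),
    "Loader.smali": (
        ".class public Lcom/example/Loader;\n.method public run()V\n"
        '    const-string v0, "android.telephony.SmsManager"\n'
        "    invoke-static {v0}, Ljava/lang/Class;->forName(Ljava/lang/String;)Ljava/lang/Class;\n"
        '    const-string v1, "sendTextMessage"\n'
        "    invoke-virtual {v2, v1, v3}, Ljava/lang/Class;->getMethod(Ljava/lang/String;[Ljava/lang/Class;)Ljava/lang/reflect/Method;\n"
        "    return-void\n.end method\n"),
}
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    api, perm = fine_grained_features(SMALI_FILES, MANIFEST)
    print(sorted(api), sorted(perm), feature_vector(api, perm))
```

On the constructed sample the vector is [0, 1, 1, 0, 1, 1]: the location API and ACCESS_FINE_LOCATION are dropped because the permission is declared but no corresponding API is reached, which is exactly the coarse-grained false signal the page's permission refinement removes.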
Referring to Fig. 3, this embodiment discloses a device for Android malicious application detection based on fine-grained features, including:
a generation unit 1, configured to obtain the static features of the Android application to be detected and generate a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs the Android application to be detected invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that are requested but not actually used;
a detection unit 2, configured to input the feature vector into a pre-built detection model to obtain a detection result of whether the Android application to be detected is a malicious application.
Specifically, the generation unit 1 obtains the static features of the Android application to be detected and generates a feature vector from them, where the static features include API features and permission features as defined above; the detection unit 2 inputs the feature vector into the pre-built detection model and obtains the detection result of whether the Android application to be detected is a malicious application.
The device for Android malicious application detection based on fine-grained features provided by this embodiment improves the feature extraction step so that the extracted static features comprise the APIs the Android application to be detected invokes directly and through reflection, together with the permissions that remain after removing, from all permissions the application declares, those requested but not actually used. The two kinds of feature that appear most frequently in Android applications (permissions and APIs) are thus obtained at a finer granularity, which reduces the overhead of useless features and their interference with the detection result. Compared with the prior art, this scheme can therefore improve detection accuracy and reduce overhead.
On the basis of the preceding device embodiment, the generation unit may specifically be configured to:
obtain all .smali files of the Android application to be detected, and exclude from them the .smali files that contain no sensitive API call, to obtain the target .smali files;
for each target .smali file, match its content against the pre-built permission-API library to obtain the invoke-virtual instructions contained in the file and their corresponding sensitive APIs, and take those sensitive APIs as the APIs the Android application to be detected invokes directly, where the permission-API library comprises the permissions relevant to Android malicious application detection and the APIs corresponding to those permissions, and a sensitive API is an API contained in the permission-API library.
On the basis of the preceding device embodiment, the generation unit may specifically be configured to:
convert the APK file of the Android application to be detected into Jimple code;
perform reflection analysis on the Jimple code to obtain the APIs the Android application to be detected invokes through reflection.
On the basis of the preceding device embodiment, the generation unit may specifically be configured to:
after decompiling the Android application to be detected, obtain all permissions it declares from its AndroidManifest.xml file;
determine the permissions that are requested but not actually used, and remove them from all declared permissions to obtain the permission features, where the permissions requested but not actually used are those declared permissions that exist in the permission-API library but whose corresponding APIs the Android application to be detected invokes neither directly nor through reflection.
The device for Android malicious application detection based on fine-grained features of this embodiment can be used to execute the technical solution of the preceding method embodiments; its implementation principle and technical effect are similar and are not repeated here.
The present invention has the following advantages: it implements a method for Android malicious application detection based on fine-grained features, refining the extraction of permissions and APIs so that the behaviour of the APK under test is described more accurately; extensive experiments show that the method of the present invention improves the accuracy of the detection result and reduces the false alarm rate.
Fig. 4 shows the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 4, the electronic device may include a processor 11, a memory 12, a bus 13, and a computer program stored on the memory 12 and runnable on the processor 11;
wherein the processor 11 and the memory 12 communicate with each other through the bus 13;
and the processor 11, when executing the computer program, implements the method provided by each of the method embodiments above, for example: obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs the Android application to be detected invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that are requested but not actually used; and inputting the feature vector into a pre-built detection model to obtain a detection result of whether the Android application to be detected is a malicious application.
An embodiment of the present invention provides a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method provided by each of the method embodiments above, for example: obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs the Android application to be detected invokes directly and the APIs it invokes through reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that are requested but not actually used; and inputting the feature vector into a pre-built detection model to obtain a detection result of whether the Android application to be detected is a malicious application.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
The application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and any combination of flows and/or blocks, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a device for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. The terms "include", "comprise" and their variants are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes it. Terms such as "upper" and "lower" indicate orientations or positional relationships based on those shown in the drawings; they are used only for convenience and simplicity of describing the present invention and do not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation, and are therefore not to be construed as limiting the invention. Unless otherwise expressly specified and limited, the terms "mounted", "connected" and "coupled" are to be understood broadly: for example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; and it may be direct, indirect through an intermediary, or an internal connection between two elements. Those of ordinary skill in the art can understand the specific meaning of the above terms in the present invention according to the particular circumstances.
Numerous specific details are set forth in the description of the present invention. It is understood, however, that embodiments of the present invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description. Similarly, it should be understood that, to simplify the disclosure and aid understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure or description in the above description of exemplary embodiments. This method of disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into it, with each claim standing on its own as a separate embodiment of the present invention. It should be noted that, in the absence of conflict, the embodiments in this application and the features in the embodiments may be combined with each other. The invention is not limited to any single aspect or any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention, not to limit it. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solution to depart from the scope of the technical solutions of the embodiments of the present invention; they are all to be covered by the claims and the description of the present invention.

Claims (10)

1. A method for detecting Android malicious applications based on fine-grained features, characterized in that it comprises:
S1, obtaining static features of the Android application to be detected and generating a feature vector from the static features, wherein the static features comprise API features and permission features, the API features comprise the APIs directly invoked by the Android application to be detected and the APIs invoked via reflection, and the permission features are the permissions remaining after removing, from all permissions declared by the Android application to be detected, those permissions that were requested but not actually used;
S2, inputting the feature vector into a pre-built detection model to obtain a detection result indicating whether the Android application to be detected is a malicious application.
2. The method according to claim 1, characterized in that obtaining the static features of the Android application to be detected comprises:
obtaining all .smali files of the Android application to be detected, and excluding from them the .smali files in which no sensitive API is called, to obtain the target .smali files;
for each target .smali file, matching the content of the target .smali file against a pre-built permission-API library to obtain the invoke-virtual instructions contained in the target .smali file and the corresponding sensitive APIs, and determining those sensitive APIs to be the APIs directly invoked by the Android application to be detected, wherein the permission-API library comprises the permissions relevant to Android malicious application detection and the APIs corresponding to those permissions, and the sensitive APIs are the APIs in the permission-API library.
3. The method according to claim 2, characterized in that obtaining the static features of the Android application to be detected comprises:
converting the APK file of the Android application to be detected into Jimple code;
performing reflection analysis on the Jimple code to obtain the APIs invoked via reflection by the Android application to be detected.
4. The method according to claim 3, characterized in that obtaining the static features of the Android application to be detected comprises:
after decompiling the Android application to be detected, obtaining all permissions declared by the Android application to be detected from its AndroidManifest.xml file;
determining the permissions that were requested but not actually used, and removing them from all the declared permissions to obtain the permission features, wherein the permissions that were requested but not actually used comprise those permissions among all the declared permissions that exist in the permission-API library but whose corresponding APIs are neither directly invoked nor invoked via reflection by the Android application to be detected.
5. A device for detecting Android malicious applications based on fine-grained features, characterized in that it comprises:
a generation unit, configured to obtain static features of the Android application to be detected and to generate a feature vector from the static features, wherein the static features comprise API features and permission features, the API features comprise the APIs directly invoked by the Android application to be detected and the APIs invoked via reflection, and the permission features are the permissions remaining after removing, from all permissions declared by the Android application to be detected, those permissions that were requested but not actually used;
a detection unit, configured to input the feature vector into a pre-built detection model to obtain a detection result indicating whether the Android application to be detected is a malicious application.
6. The device according to claim 5, characterized in that the generation unit is specifically configured to:
obtain all .smali files of the Android application to be detected, and exclude from them the .smali files in which no sensitive API is called, to obtain the target .smali files;
for each target .smali file, match the content of the target .smali file against a pre-built permission-API library to obtain the invoke-virtual instructions contained in the target .smali file and the corresponding sensitive APIs, and determine those sensitive APIs to be the APIs directly invoked by the Android application to be detected, wherein the permission-API library comprises the permissions relevant to Android malicious application detection and the APIs corresponding to those permissions, and the sensitive APIs are the APIs in the permission-API library.
7. The device according to claim 6, characterized in that the generation unit is specifically configured to:
convert the APK file of the Android application to be detected into Jimple code;
perform reflection analysis on the Jimple code to obtain the APIs invoked via reflection by the Android application to be detected.
8. The device according to claim 7, characterized in that the generation unit is specifically configured to:
after decompiling the Android application to be detected, obtain all permissions declared by the Android application to be detected from its AndroidManifest.xml file;
determine the permissions that were requested but not actually used, and remove them from all the declared permissions to obtain the permission features, wherein the permissions that were requested but not actually used comprise those permissions among all the declared permissions that exist in the permission-API library but whose corresponding APIs are neither directly invoked nor invoked via reflection by the Android application to be detected.
9. An electronic device, characterized in that it comprises: a processor, a memory, a bus, and a computer program stored in the memory and runnable on the processor;
wherein the processor and the memory communicate with each other via the bus;
and the processor, when executing the computer program, implements the method according to any one of claims 1-4.
10. A non-transitory computer-readable storage medium, characterized in that a computer program is stored on the storage medium, and the computer program, when executed by a processor, implements the method according to any one of claims 1-4.
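The feature extraction of claims 1, 2 and 4, as an added example that is not part of the patent: the permission-API library entries, the smali lines and the declared permission set are constructed for illustration, and the reflection analysis of claim 3 (Jimple/Soot) is not implemented, its result being supplied as an already-resolved set.

```python
import re
from typing import Dict, List, Set

# Constructed permission-API library (hypothetical entries, not the patent's own
# library): permission -> sensitive APIs that require it.
PERMISSION_API_LIBRARY: Dict[str, Set[str]] = {
    "android.permission.SEND_SMS": {"Landroid/telephony/SmsManager;->sendTextMessage"},
    "android.permission.READ_CONTACTS": {"Landroid/content/ContentResolver;->query"},
    "android.permission.ACCESS_FINE_LOCATION": {"Landroid/location/LocationManager;->getLastKnownLocation"},
    "android.permission.READ_PHONE_STATE": {"Landroid/telephony/TelephonyManager;->getDeviceId"},
}
SENSITIVE_APIS: Set[str] = set().union(*PERMISSION_API_LIBRARY.values())

# Captures the "Lclass;->method" part of an invoke-virtual(/range) smali instruction.
INVOKE_VIRTUAL = re.compile(r"^\s*invoke-virtual(?:/range)?\s+\{[^}]*\},\s*(L[^(]+)\(")

def direct_api_calls(smali_files: Dict[str, str]) -> Set[str]:
    """Claim 2: skip .smali files that call no sensitive API, then collect the
    invoke-virtual targets that appear in the permission-API library."""
    found: Set[str] = set()
    for content in smali_files.values():
        calls = {m.group(1) for m in map(INVOKE_VIRTUAL.match, content.splitlines()) if m}
        hits = calls & SENSITIVE_APIS
        if hits:  # otherwise this is not a target .smali file
            found |= hits
    return found

def permission_feature(declared: Set[str], used_apis: Set[str]) -> Set[str]:
    """Claim 4: drop declared permissions that are in the library but whose APIs
    are neither directly nor reflectively invoked; permissions outside the library are kept."""
    unused = {p for p, apis in PERMISSION_API_LIBRARY.items()
              if p in declared and not (apis & used_apis)}
    return declared - unused

def feature_vector(declared: Set[str], smali_files: Dict[str, str],
                   reflective_apis: Set[str]) -> List[int]:
    """Claim 1: binary vector over the library's APIs followed by its permissions."""
    used = direct_api_calls(smali_files) | reflective_apis
    perms = permission_feature(declared, used)
    return ([int(a in used) for a in sorted(SENSITIVE_APIS)]
            + [int(p in perms) for p in sorted(PERMISSION_API_LIBRARY)])

# Constructed sample input: two smali files, a manifest permission set, and the
# (assumed) output of an external reflection analysis.
SAMPLE_SMALI = {
    "MainActivity.smali": "    invoke-virtual {p0, p1}, Lcom/example/Base;->onCreate(Landroid/os/Bundle;)V\n",
    "Sender.smali": (
        "    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage("
        "Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V\n"
    ),
}
DECLARED = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
            "android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}
REFLECTIVE = {"Landroid/location/LocationManager;->getLastKnownLocation"}
```

With this input READ_CONTACTS is declared but its API is never invoked, so it is removed from the permission feature, while INTERNET, which the library does not cover, is kept.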
CN201810289216.2A 2018-03-30 2018-03-30 The method and device of Android malicious applications detection based on fine granularity feature Pending CN108681670A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810289216.2A CN108681670A (en) 2018-03-30 2018-03-30 The method and device of Android malicious applications detection based on fine granularity feature

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810289216.2A CN108681670A (en) 2018-03-30 2018-03-30 The method and device of Android malicious applications detection based on fine granularity feature

Publications (1)

Publication Number Publication Date
CN108681670A true CN108681670A (en) 2018-10-19

Family

ID=63800276

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810289216.2A Pending CN108681670A (en) 2018-03-30 2018-03-30 The method and device of Android malicious applications detection based on fine granularity feature

Country Status (1)

Country Link
CN (1) CN108681670A (en)


Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103310153A (en) * 2013-04-28 2013-09-18 PLA University of Science and Technology Fine-grained permission control method based on the Android platform
CN105550583A (en) * 2015-12-22 2016-05-04 University of Electronic Science and Technology of China Detection method for malicious applications on the Android platform based on random forest classification
CN107798242A (en) * 2017-11-13 2018-03-13 Nanjing University Automatic detection system for malicious Android applications combining static and dynamic analysis
CN107832610A (en) * 2017-09-25 2018-03-23 Jinan University Android malware detection method based on combined feature patterns


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
邵舒迪 et al.: "Android malware detection method based on combined permission and API features", Computer Science (计算机科学) *
黄浩华 et al.: "Automatic detection technique for malicious Android applications combining static and dynamic analysis", Journal of Cyber Security (信息安全学报) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109670310A (en) * 2019-01-28 2019-04-23 Hangzhou Normal University Android malware detection method based on a semi-supervised K-Means clustering algorithm
CN110781081A (en) * 2019-10-12 2020-02-11 Nanjing Vocational College of Information Technology Mobile application callback forced triggering method, system and storage medium
CN110781081B (en) * 2019-10-12 2024-04-09 Nanjing Vocational College of Information Technology Mobile application callback forced triggering method, system and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20181019