CN108681670A - The method and device of Android malicious applications detection based on fine granularity feature - Google Patents
- Publication number: CN108681670A (application CN201810289216.2A)
- Authority: CN (China)
- Prior art keywords: permission, api, detected, application programs, android application
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/43—Checking; Contextual analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/41—Compilation
- G06F8/44—Encoding
- G06F8/445—Exploiting fine grain parallelism, i.e. parallelism at instruction level
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/40—Transformation of program code
- G06F8/53—Decompilation; Disassembly
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The embodiments of the present invention disclose a method and device for Android malicious application detection based on fine-grained features, which can improve detection accuracy and reduce overhead. The method includes: S1, obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features; the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used; S2, inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
Description
Technical field
The embodiments of the present invention relate to the field of computing, and in particular to a method and device for Android malicious application detection based on fine-grained features.
Background technology
The emergence of Android malicious applications has put user data under serious threat, causing users economic loss or leaking their private information. As attack techniques mature, newly emerging malware is difficult to detect and can even leak state secrets, with unimaginable consequences. The detection of Android malicious applications has therefore received wide attention from both academia and industry.
Existing detection methods are mainly of two kinds, static analysis and dynamic analysis. Dynamic analysis places high demands on real-time operation and on the running environment, takes longer, and its behaviour is difficult to trigger; static analysis has the advantages of low energy consumption, low risk, high speed and low real-time requirements, and has become the most widely used detection method at present. A static detection method is implemented as follows. First, the static features of the Android application are extracted (for example permission requests or API (Application Programming Interface) calls), and the application's feature vector is generated from the static features: if the application is found to have a given feature, the corresponding entry in the application's feature vector is marked 1, otherwise 0. Then a machine learning algorithm is trained on the collected training set to generate a detection model. Finally, the generated detection model is used to detect the Android application under test. Documents that currently realise this detection method include:
1. Wei Li is bold and unconstrained, Ai Xieqing, Zou Hong, et al. Android malware multi-feature cooperative decision detection method [J]. Computer Engineering and Applications, 2016, 52(20): 5-13.
2. Shao Shu enlightening, Yu Hui crowds of. Android malware detection method combining permission and API features [C] // National Software and Application Academic Conference, 2015.
3. Bao the U.S. and Britain. Android malware detection based on improved decision tree classification [J]. Software, 2017, 38(2): 33-36.
The main deficiency of current detection methods is that the extracted features are coarse-grained, so the detection results do not reach an ideal accuracy rate. There are two main reasons. First, to make later development and upgrades convenient, application developers request excessive permissions in the initial stage, which causes a degree of misjudgement in permission-based detection methods. Second, more than 90% of static analysis methods do not take API calls made by reflection into account, which is another main cause of the poor performance of existing malware detection tools.
Invention content
In view of the shortcomings and defects of the prior art, the embodiments of the present invention provide a method and device for Android malicious application detection based on fine-grained features.
On the one hand, the embodiments of the present invention propose a method for Android malicious application detection based on fine-grained features, including:
S1, obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used;
S2, inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
On the other hand, the embodiments of the present invention propose a device for Android malicious application detection based on fine-grained features, including:
a generation unit for obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used;
a detection unit for inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
In a third aspect, the embodiments of the present invention provide an electronic device including a processor, a memory, a bus, and a computer program stored on the memory and runnable on the processor;
the processor and the memory communicate with each other through the bus;
the processor implements the above method when executing the computer program.
In a fourth aspect, the embodiments of the present invention provide a non-transitory computer-readable storage medium on which a computer program is stored, the computer program implementing the above method when executed by a processor.
The method and device for Android malicious application detection based on fine-grained features provided by the embodiments of the present invention improve the feature extraction step, so that the extracted static features include the APIs the Android application to be detected invokes directly and by reflection, together with the permissions that remain after the requested-but-unused permissions are removed from all permissions the application declares. In this way the two kinds of feature that appear frequently in Android applications (permissions and APIs) are obtained at a finer granularity, the overhead brought by invalid features and their interference with the detection result are reduced, and therefore, compared with the prior art, this scheme can improve detection accuracy and reduce overhead.
Description of the drawings
Fig. 1 is a flow diagram of one embodiment of the method for Android malicious application detection based on fine-grained features of the present invention;
Fig. 2 is a flow diagram of another embodiment of the method for Android malicious application detection based on fine-grained features of the present invention;
Fig. 3 is a structural diagram of one embodiment of the device for Android malicious application detection based on fine-grained features of the present invention;
Fig. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention.
Specific implementation mode
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the embodiments of the present invention.
Referring to Fig. 1, this embodiment discloses a method for Android malicious application detection based on fine-grained features, including:
S1, obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used;
S2, inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
The method for Android malicious application detection based on fine-grained features provided by the embodiments of the present invention improves the feature extraction step, so that the extracted static features include the APIs the Android application to be detected invokes directly and by reflection, together with the permissions that remain after the requested-but-unused permissions are removed from all permissions the application declares. In this way the two kinds of feature that appear frequently in Android applications (permissions and APIs) are obtained at a finer granularity, the overhead brought by invalid features and their interference with the detection result are reduced, and therefore, compared with the prior art, this scheme can improve detection accuracy and reduce overhead.
On the basis of the preceding method embodiment, obtaining the static features of the Android application to be detected may include:
obtaining all .smali files of the Android application to be detected, and excluding from them the .smali files that make no sensitive API call, to obtain the target .smali files;
for each target .smali file, matching the content of the target .smali file against a permission-API library built in advance, obtaining the invoke-virtual instructions contained in the file content and the corresponding sensitive APIs, and determining those sensitive APIs to be the APIs that the Android application to be detected invokes directly, where the permission-API library includes the permissions relevant to Android malicious application detection and the APIs corresponding to those permissions, and the sensitive APIs are the APIs in the permission-API library.
In this embodiment, the .smali files with no sensitive API call include files that do not belong to the main functional files, such as R.smali, R$attr.smali, R$id.smali and R$layout.smali. When building the permission-API library, the permission-API mapping provided by the open-source tool PScout can be used. Some entries in that permission-API mapping are of no use for malware detection; they bring extra overhead and can also affect system performance. A filtering algorithm can therefore be used to remove, from the permission-API mapping provided by PScout, the permissions unrelated to Android malicious application detection together with the APIs corresponding to those permissions, yielding the permission-API library.
On the basis of the preceding method embodiment, obtaining the static features of the Android application to be detected may include:
converting the APK (Android Package) file of the Android application to be detected into Jimple code;
performing reflection analysis on the Jimple code to obtain the APIs that the Android application to be detected invokes by reflection.
In this embodiment, before reflection analysis is performed, the analysis entry points must be determined and it must be ensured that the analysis covers all application code; the reflection analysis itself can use the context-sensitive, data-flow-based analysis method named DroidRA.
On the basis of the preceding method embodiment, obtaining the static features of the Android application to be detected may include:
after decompiling the Android application to be detected, obtaining all permissions declared by the Android application to be detected from its AndroidManifest.xml file;
determining the permissions that were requested but never actually used, and removing them from all declared permissions to obtain the permission features, where the requested-but-unused permissions are those among all declared permissions that exist in the permission-API library but whose corresponding APIs the Android application to be detected invokes neither directly nor by reflection.
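The three extraction steps above (smali scan for directly invoked sensitive APIs, reflection-invoked APIs, and pruning of requested-but-unused permissions from the manifest), as an added worked example that is not part of the patent. The permission-API library, the .smali texts and the manifest are constructed miniatures; the reflected-API set stands in for the output of a DroidRA-style analysis, which is assumed rather than implemented here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed subset of a PScout-style permission -> API mapping (the page's
# "permission-API library"); a real library holds thousands of entries.
PERMISSION_API_LIB = {
    "android.permission.SEND_SMS": {
        "Landroid/telephony/SmsManager;->sendTextMessage",
    },
    "android.permission.READ_PHONE_STATE": {
        "Landroid/telephony/TelephonyManager;->getDeviceId",
        "Landroid/telephony/TelephonyManager;->getLine1Number",
    },
    "android.permission.ACCESS_FINE_LOCATION": {
        "Landroid/location/LocationManager;->getLastKnownLocation",
    },
    "android.permission.READ_CONTACTS": {
        "Landroid/content/ContentResolver;->query",
    },
}
# "Sensitive API" = any API that appears in the permission-API library.
SENSITIVE_APIS = set().union(*PERMISSION_API_LIB.values())

# Matches a baksmali invoke-virtual line and captures "Lclass;->method", e.g.
#   invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
INVOKE_RE = re.compile(
    r"^\s*invoke-virtual(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;->[A-Za-z0-9_<>$]+)\(", re.M)


def invoked_sensitive_apis(smali_text):
    """Sensitive APIs reached through invoke-virtual in one .smali file."""
    return {m.group(1) for m in INVOKE_RE.finditer(smali_text)} & SENSITIVE_APIS


def target_smali_files(smali_files):
    """Drop files that call no sensitive API (R.smali, R$id.smali, ...)."""
    return {name: text for name, text in smali_files.items()
            if invoked_sensitive_apis(text)}


def direct_apis(smali_files):
    """Union of sensitive APIs invoked directly across the target files."""
    apis = set()
    for text in target_smali_files(smali_files).values():
        apis |= invoked_sensitive_apis(text)
    return apis


ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"


def declared_permissions(manifest_xml):
    """All <uses-permission> entries of an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission")}


def permission_feature(declared, used_apis):
    """Remove permissions that are in the library but whose APIs are never
    called (directly or by reflection); permissions the library does not
    cover are kept as declared."""
    over_requested = {p for p in declared
                      if p in PERMISSION_API_LIB
                      and not (PERMISSION_API_LIB[p] & used_apis)}
    return declared - over_requested


def extract_features(smali_files, manifest_xml, reflected_apis):
    """Return (FG(API), FG(Permission)) for one application."""
    fg_api = direct_apis(smali_files) | (reflected_apis & SENSITIVE_APIS)
    fg_perm = permission_feature(declared_permissions(manifest_xml), fg_api)
    return fg_api, fg_perm


# Constructed sample input: two decompiled files and a manifest.
SMALI_FILES = {
    "R$id.smali": ".class public final Lcom/example/R$id;\n"
                  ".field public static final button:I = 0x7f0a0001\n",
    "MainActivity.smali": (
        ".class public Lcom/example/MainActivity;\n"
        ".method public onCreate(Landroid/os/Bundle;)V\n"
        "    invoke-virtual {p0}, Lcom/example/MainActivity;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;\n"
        "    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;\n"
        "    return-void\n"
        ".end method\n"),
}
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
# Assumed result of the reflection analysis step (not computed here).
REFLECTED_APIS = {"Landroid/telephony/SmsManager;->sendTextMessage"}

if __name__ == "__main__":
    fg_api, fg_perm = extract_features(SMALI_FILES, MANIFEST, REFLECTED_APIS)
    print("FG(API):", sorted(fg_api))
    print("FG(Permission):", sorted(fg_perm))
```

READ_CONTACTS is dropped because no code path reaches ContentResolver.query, while SEND_SMS survives only because the reflection step found sendTextMessage; a scan of invoke-virtual alone would have pruned it too.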
Fig. 2 is a flow diagram of another embodiment of the method for Android malicious application detection based on fine-grained features of the present invention. Referring to Fig. 2, the method may include the following steps:
(a) building and training the detection model;
(b) obtaining the static features of the Android application to be detected, generating a feature vector from the static features, and inputting the feature vector into the detection model to obtain a detection result indicating whether the Android application to be detected is a malicious application or a benign application.
Step (a) includes the following steps:
building the permission-API library;
performing fine-grained static feature extraction, based on the permission-API library, on a training sample set containing benign and malicious applications; this specifically includes fine-grained extraction of APIs and fine-grained extraction of permissions. Fine-grained API extraction scans the smali files one by one to obtain the directly invoked APIs and, in addition, obtains the APIs invoked by reflection, finally building the fine-grained API set FG(API). Fine-grained permission extraction removes, according to the API-permission mapping library, the permissions that were requested but not actually used from all declared permissions, forming the final fine-grained permission set FG(Permission);
constructing the feature set: the final feature set consists of two parts, one being the fine-grained API set, which includes the APIs the application invokes directly and the APIs invoked through the reflection mechanism, and the other being the fine-grained permission set, meaning the declared permissions minus the over-requested permissions that are never actually used;
building the detection model: a feature vector is generated according to the feature set, and the detection model is trained with the feature vector.
The static features of the Android application to be detected are obtained in the same way as the static features of the training samples, which is not repeated here.
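Step (a) carried through on a constructed training set, as an added example that is not part of the patent: the feature set is the union of FG(API) and FG(Permission) over all samples, each sample becomes a 0/1 vector over that set, and a detection model is trained on the vectors. The patent does not name its learning algorithm; a Bernoulli naive Bayes classifier, written out here so the block runs without extra libraries, is this example's own assumption.

```python
import math

# Constructed training sample set: (FG(API), FG(Permission), label) per application.
TRAINING_SAMPLES = [
    ({"Landroid/location/LocationManager;->getLastKnownLocation"},
     {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}, "benign"),
    ({"Landroid/content/ContentResolver;->query"},
     {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}, "benign"),
    ({"Landroid/telephony/SmsManager;->sendTextMessage",
      "Landroid/telephony/TelephonyManager;->getDeviceId"},
     {"android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE",
      "android.permission.INTERNET"}, "malicious"),
    ({"Landroid/telephony/SmsManager;->sendTextMessage",
      "Landroid/telephony/TelephonyManager;->getDeviceId",
      "Landroid/telephony/TelephonyManager;->getLine1Number"},
     {"android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"}, "malicious"),
]


def sample_features(fg_api, fg_perm):
    """Merge the two fine-grained parts into one set of named features."""
    return {"API:" + a for a in fg_api} | {"PERM:" + p for p in fg_perm}


def build_feature_set(samples):
    """Ordered feature set = union of FG(API) and FG(Permission) over all samples."""
    feats = set()
    for fg_api, fg_perm, _label in samples:
        feats |= sample_features(fg_api, fg_perm)
    return sorted(feats)


def to_vector(feature_set, fg_api, fg_perm):
    """Binary feature vector: 1 if the application has the feature, else 0."""
    present = sample_features(fg_api, fg_perm)
    return [1 if f in present else 0 for f in feature_set]


class BernoulliNB:
    """Bernoulli naive Bayes over binary vectors with Laplace smoothing
    (the assumed detection model; any classifier could take its place)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.log_prior = {}      # label -> log P(label)
        self.log_theta = {}      # label -> [log P(x_j = 1 | label)]
        self.log_not_theta = {}  # label -> [log P(x_j = 0 | label)]

    def fit(self, vectors, labels):
        n_features = len(vectors[0])
        for label in set(labels):
            rows = [v for v, l in zip(vectors, labels) if l == label]
            self.log_prior[label] = math.log(len(rows) / len(vectors))
            counts = [sum(v[j] for v in rows) for j in range(n_features)]
            theta = [(c + self.alpha) / (len(rows) + 2 * self.alpha) for c in counts]
            self.log_theta[label] = [math.log(t) for t in theta]
            self.log_not_theta[label] = [math.log(1 - t) for t in theta]
        return self

    def predict(self, vector):
        scores = {}
        for label in self.log_prior:
            s = self.log_prior[label]
            for j, x in enumerate(vector):
                s += self.log_theta[label][j] if x else self.log_not_theta[label][j]
            scores[label] = s
        return max(scores, key=scores.get)


def train_detector(samples):
    """Build the feature set, vectorise every sample and train the model."""
    feature_set = build_feature_set(samples)
    vectors = [to_vector(feature_set, a, p) for a, p, _ in samples]
    labels = [label for _, _, label in samples]
    return feature_set, BernoulliNB().fit(vectors, labels)


def detect(feature_set, model, fg_api, fg_perm):
    """Step (b): vectorise the application under test and classify it."""
    return model.predict(to_vector(feature_set, fg_api, fg_perm))


if __name__ == "__main__":
    fs, model = train_detector(TRAINING_SAMPLES)
    print(len(fs), "features")
    print(detect(fs, model,
                 {"Landroid/telephony/TelephonyManager;->getDeviceId",
                  "Landroid/telephony/SmsManager;->sendTextMessage"},
                 {"android.permission.READ_PHONE_STATE", "android.permission.SEND_SMS",
                  "android.permission.INTERNET"}))
```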
Referring to Fig. 3, this embodiment discloses a device for Android malicious application detection based on fine-grained features, including:
a generation unit 1 for obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used;
a detection unit 2 for inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
Specifically, the generation unit 1 obtains the static features of the Android application to be detected and generates a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used; the detection unit 2 inputs the feature vector into the detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
The device for Android malicious application detection based on fine-grained features provided by the embodiments of the present invention improves the feature extraction step, so that the extracted static features include the APIs the Android application to be detected invokes directly and by reflection, together with the permissions that remain after the requested-but-unused permissions are removed from all permissions the application declares. In this way the two kinds of feature that appear frequently in Android applications (permissions and APIs) are obtained at a finer granularity, the overhead brought by invalid features and their interference with the detection result are reduced, and therefore, compared with the prior art, this scheme can improve detection accuracy and reduce overhead.
On the basis of the aforementioned device embodiment, the generation unit may specifically be used for:
obtaining all .smali files of the Android application to be detected, and excluding from them the .smali files that make no sensitive API call, to obtain the target .smali files;
for each target .smali file, matching the content of the target .smali file against a permission-API library built in advance, obtaining the invoke-virtual instructions contained in the file content and the corresponding sensitive APIs, and determining those sensitive APIs to be the APIs that the Android application to be detected invokes directly, where the permission-API library includes the permissions relevant to Android malicious application detection and the APIs corresponding to those permissions, and the sensitive APIs are the APIs in the permission-API library.
On the basis of the aforementioned device embodiment, the generation unit may specifically be used for:
converting the APK file of the Android application to be detected into Jimple code;
performing reflection analysis on the Jimple code to obtain the APIs that the Android application to be detected invokes by reflection.
On the basis of the aforementioned device embodiment, the generation unit may specifically be used for:
after decompiling the Android application to be detected, obtaining all permissions declared by the Android application to be detected from its AndroidManifest.xml file;
determining the permissions that were requested but never actually used, and removing them from all declared permissions to obtain the permission features, where the requested-but-unused permissions are those among all declared permissions that exist in the permission-API library but whose corresponding APIs the Android application to be detected invokes neither directly nor by reflection.
The device for Android malicious application detection based on fine-grained features of this embodiment can be used to execute the technical solution of the preceding method embodiments; its implementation principle and technical effect are similar and are not repeated here.
The present invention has the following beneficial effects: it realises a method of Android malicious application detection based on fine-grained features that refines the extraction of permissions and APIs, so that the behaviour of the APK under test is described more accurately; a large number of experiments show that the method of the present invention improves the accuracy rate of the detection result and reduces the false alarm rate.
Fig. 4 is a schematic diagram of the physical structure of an electronic device provided by an embodiment of the present invention. As shown in Fig. 4, the electronic device may include: a processor 11, a memory 12, a bus 13, and a computer program stored on the memory 12 and runnable on the processor 11;
the processor 11 and the memory 12 communicate with each other through the bus 13;
the processor 11 implements the methods provided by the above method embodiments when executing the computer program, for example including: obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used; and inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
The embodiments of the present invention provide a non-transitory computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the methods provided by the above method embodiments, for example including: obtaining the static features of the Android application to be detected and generating a feature vector from the static features, where the static features include API features and permission features, the API features include the APIs that the Android application to be detected invokes directly and the APIs it invokes by reflection, and the permission features are the permissions that remain after removing, from all permissions declared by the Android application to be detected, those that were requested but never actually used; and inputting the feature vector into a detection model built in advance to obtain a detection result indicating whether the Android application to be detected is a malicious application.
Those skilled in the art will understand that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to the embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be realised by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce a device for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or another programmable data processing device to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, which realises the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing device, so that a series of operational steps are executed on the computer or other programmable device to produce computer-implemented processing, and the instructions executed on the computer or other programmable device provide steps for realising the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
It should be noted that herein, relational terms such as first and second and the like are used merely to a reality
Body or operation are distinguished with another entity or operation, are deposited without necessarily requiring or implying between these entities or operation
In any actual relationship or order or sequence.Moreover, the terms "include", "comprise" or its any other variant are intended to
Non-exclusive inclusion, so that the process, method, article or equipment including a series of elements is not only wanted including those
Element, but also include other elements that are not explicitly listed, or further include for this process, method, article or equipment
Intrinsic element.In the absence of more restrictions, the element limited by sentence "including a ...", it is not excluded that
There is also other identical elements in process, method, article or equipment including the element.The fingers such as term "upper", "lower"
The orientation or positional relationship shown is to be based on the orientation or positional relationship shown in the drawings, and is merely for convenience of the description present invention and simplifies
Description, does not indicate or imply the indicated device or element must have a particular orientation, with specific azimuth configuration and behaviour
Make, therefore is not considered as limiting the invention.Unless otherwise clearly defined and limited, term " installation ", " connected ",
" connection " shall be understood in a broad sense, for example, it may be being fixedly connected, may be a detachable connection, or be integrally connected;Can be
Mechanical connection can also be electrical connection;It can be directly connected, can also can be indirectly connected through an intermediary two
Connection inside element.For the ordinary skill in the art, above-mentioned term can be understood at this as the case may be
Concrete meaning in invention.
Numerous specific details are set forth in the description of the present invention. It is understood, however, that embodiments of the present invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description. Similarly, it should be understood that, in order to simplify the present disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention the various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the present invention. It should be noted that, in the absence of conflict, the embodiments in this application and the features in the embodiments may be combined with each other. The invention is not limited to any single aspect or any single embodiment, nor to any combination and/or permutation of these aspects and/or embodiments. Moreover, each aspect and/or embodiment of the invention may be used alone or in combination with one or more other aspects and/or embodiments.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the various embodiments of the present invention, which should all be covered by the claims and the specification of the present invention.
Claims (10)
1. A method for detecting malicious Android applications based on fine-grained features, characterized in that it comprises:
S1, obtaining static features of an Android application to be detected, and generating a feature vector from the static features, wherein the static features comprise API features and a permission feature; the API features comprise the APIs directly invoked by the Android application to be detected and the APIs it invokes through reflection, and the permission feature is the set of permissions that remains after the permissions that were requested but not actually used are removed from all permissions declared by the Android application to be detected;
S2, inputting the feature vector into a pre-built detection model to obtain a detection result indicating whether the Android application to be detected is a malicious application.
2. The method according to claim 1, characterized in that obtaining the static features of the Android application to be detected comprises:
obtaining all .smali files of the Android application to be detected, and excluding from all the .smali files those that call no sensitive API, to obtain the target .smali files;
for each target .smali file, matching the contents of the target .smali file against a pre-built permission-API library to obtain the invoke-virtual instructions contained in the target .smali file and the corresponding sensitive APIs, and determining those sensitive APIs to be the APIs directly invoked by the Android application to be detected, wherein the permission-API library comprises the permissions related to the detection of malicious Android applications and the APIs corresponding to those permissions, and a sensitive API is an API in the permission-API library.
3. The method according to claim 2, characterized in that obtaining the static features of the Android application to be detected comprises:
converting the APK file of the Android application to be detected into Jimple code;
performing reflection analysis on the Jimple code to obtain the APIs invoked through reflection by the Android application to be detected.
4. The method according to claim 3, characterized in that obtaining the static features of the Android application to be detected comprises:
after decompiling the Android application to be detected, obtaining all permissions declared by the Android application to be detected from its AndroidManifest.xml file;
determining the permissions that were requested but not actually used, and removing them from all the declared permissions to obtain the permission feature, wherein the permissions that were requested but not actually used comprise those permissions among all the declared permissions that exist in the permission-API library but whose corresponding APIs the Android application to be detected neither invokes directly nor invokes through reflection.
5. A device for detecting malicious Android applications based on fine-grained features, characterized in that it comprises:
a generation unit, for obtaining static features of an Android application to be detected and generating a feature vector from the static features, wherein the static features comprise API features and a permission feature; the API features comprise the APIs directly invoked by the Android application to be detected and the APIs it invokes through reflection, and the permission feature is the set of permissions that remains after the permissions that were requested but not actually used are removed from all permissions declared by the Android application to be detected;
a detection unit, for inputting the feature vector into a pre-built detection model to obtain a detection result indicating whether the Android application to be detected is a malicious application.
6. The device according to claim 5, characterized in that the generation unit is specifically configured to:
obtain all .smali files of the Android application to be detected, and exclude from all the .smali files those that call no sensitive API, to obtain the target .smali files;
for each target .smali file, match the contents of the target .smali file against a pre-built permission-API library to obtain the invoke-virtual instructions contained in the target .smali file and the corresponding sensitive APIs, and determine those sensitive APIs to be the APIs directly invoked by the Android application to be detected, wherein the permission-API library comprises the permissions related to the detection of malicious Android applications and the APIs corresponding to those permissions, and a sensitive API is an API in the permission-API library.
7. The device according to claim 6, characterized in that the generation unit is specifically configured to:
convert the APK file of the Android application to be detected into Jimple code;
perform reflection analysis on the Jimple code to obtain the APIs invoked through reflection by the Android application to be detected.
8. The device according to claim 7, characterized in that the generation unit is specifically configured to:
after decompiling the Android application to be detected, obtain all permissions declared by the Android application to be detected from its AndroidManifest.xml file;
determine the permissions that were requested but not actually used, and remove them from all the declared permissions to obtain the permission feature, wherein the permissions that were requested but not actually used comprise those permissions among all the declared permissions that exist in the permission-API library but whose corresponding APIs the Android application to be detected neither invokes directly nor invokes through reflection.
9. An electronic device, characterized in that it comprises a processor, a memory, a bus, and a computer program stored in the memory and runnable on the processor;
wherein the processor and the memory communicate with each other via the bus;
and the processor implements the method according to any one of claims 1-4 when executing the computer program.
10. A non-transitory computer-readable storage medium, characterized in that a computer program is stored on the storage medium, and the computer program, when executed by a processor, implements the method according to any one of claims 1-4.
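As an added illustration (not code from the patent or its applicant), the following Python sketch carries the feature extraction of claims 1-4 through on constructed inputs: the permission-API library, the smali lines, the manifest and the reflection-analysis result (which in the patent would come from the Jimple analysis of claim 3) are all made up here, and the binary vector layout is this example's own choice.

```python
# Added example, not code from the patent: builds the fine-grained static
# feature vector of claims 1-4 from constructed inputs. The permission-API
# library, smali lines, reflected-API set and manifest are all made up here.
import re
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed permission-API library (claim 2): permission -> its sensitive APIs.
PERMISSION_API_LIBRARY = {
    "android.permission.SEND_SMS": {"Landroid/telephony/SmsManager;->sendTextMessage"},
    "android.permission.READ_CONTACTS": {"Landroid/content/ContentResolver;->query"},
    "android.permission.CAMERA": {"Landroid/hardware/Camera;->open"},
}
SENSITIVE_APIS = frozenset().union(*PERMISSION_API_LIBRARY.values())
# "invoke-virtual {regs}, Lpkg/Cls;->method(args)ret": capture "Lpkg/Cls;->method"
INVOKE_RE = re.compile(r"^\s*invoke-virtual(?:/range)?\s+\{[^}]*\},\s*(L[^(]+)\(")

def direct_apis(smali_files):
    """Claim 2: sensitive APIs named by invoke-virtual in the target .smali files."""
    # Target files are those calling at least one sensitive API; the rest are skipped.
    targets = [t for t in smali_files.values() if any(a in t for a in SENSITIVE_APIS)]
    found = set()
    for text in targets:
        for line in text.splitlines():
            m = INVOKE_RE.match(line)
            if m and m.group(1) in SENSITIVE_APIS:
                found.add(m.group(1))
    return found

def declared_permissions(manifest_xml):
    """Claim 4, step 1: every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def permission_feature(declared, used_apis):
    """Claim 4, step 2: drop declared permissions that are in the library but whose
    APIs are neither directly invoked nor reached through reflection."""
    unused = {p for p in declared if p in PERMISSION_API_LIBRARY
              and not (PERMISSION_API_LIBRARY[p] & used_apis)}
    return declared - unused

def feature_vector(smali_files, reflected_apis, manifest_xml):
    """S1: binary slots per library API, then per library permission (layout is ours)."""
    used = direct_apis(smali_files) | set(reflected_apis)
    perms = permission_feature(declared_permissions(manifest_xml), used)
    return ([int(a in used) for a in sorted(SENSITIVE_APIS)] +
            [int(p in perms) for p in sorted(PERMISSION_API_LIBRARY)])

# Constructed sample app: sends SMS directly, reaches ContentResolver.query only via
# reflection (REFLECTED stands in for Jimple reflection-analysis output), never uses CAMERA.
SMALI = {
    "Main.smali": "    invoke-virtual {v0, v1, v2, v3, v4}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V\n",
    "Util.smali": "    invoke-virtual {v0}, Ljava/lang/Object;->toString()Ljava/lang/String;\n",
}
REFLECTED = {"Landroid/content/ContentResolver;->query"}
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">' + "".join(
    f'<uses-permission android:name="android.permission.{p}"/>'
    for p in ("SEND_SMS", "READ_CONTACTS", "CAMERA", "INTERNET")) + "</manifest>")
```

For the sample app, CAMERA is declared but its library API is never reached, so it is dropped from the permission feature, while INTERNET is kept because it is not in the library at all.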
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810289216.2A CN108681670A (en) | 2018-03-30 | 2018-03-30 | The method and device of Android malicious applications detection based on fine granularity feature |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108681670A true CN108681670A (en) | 2018-10-19 |
Family
ID=63800276
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201810289216.2A Pending CN108681670A (en) | 2018-03-30 | 2018-03-30 | The method and device of Android malicious applications detection based on fine granularity feature |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108681670A (en) |
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103310153A (en) * | 2013-04-28 | 2013-09-18 | PLA University of Science and Technology | Fine-grained permission control method based on the Android platform |
CN105550583A (en) * | 2015-12-22 | 2016-05-04 | University of Electronic Science and Technology of China | Detection method for malicious applications on the Android platform based on random forest classification |
CN107832610A (en) * | 2017-09-25 | 2018-03-23 | Jinan University | Android malware detection method based on combined feature patterns |
CN107798242A (en) * | 2017-11-13 | 2018-03-13 | Nanjing University | Automatic detection system for malicious Android applications combining static and dynamic analysis |
Non-Patent Citations (2)
Title |
---|
邵舒迪 et al., "Android malware detection method based on combined permission and API features", Computer Science (《计算机科学》) * |
黄浩华 et al., "Automatic detection technique for malicious Android applications combining static and dynamic analysis", Journal of Cyber Security (《信息安全学报》) * |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109670310A (en) * | 2019-01-28 | 2019-04-23 | Hangzhou Normal University | Android malware detection method based on a semi-supervised K-Means clustering algorithm |
CN110781081A (en) * | 2019-10-12 | 2020-02-11 | Nanjing Vocational College of Information Technology | Mobile application callback forced triggering method, system and storage medium |
CN110781081B (en) * | 2019-10-12 | 2024-04-09 | Nanjing Vocational College of Information Technology | Mobile application callback forced triggering method, system and storage medium |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
KR102017756B1 (en) | Apparatus and method for detecting abnormal behavior | |
US10380349B2 (en) | Security analysis using relational abstraction of data structures | |
CN102622536B (en) | Method for catching malicious codes | |
CN102831339B (en) | Method, device and browser for protecting webpage against malicious attack | |
CN111125716A (en) | Method and device for detecting Ethernet intelligent contract vulnerability | |
CN108769070A (en) | Method and device for detecting unauthorized-access vulnerabilities | |
CN109784062A (en) | Vulnerability detection method and device | |
CN103577323A (en) | Dynamic key command sequence birthmark-based software plagiarism detecting method | |
CN105975858A (en) | Method and system for malicious code detection based on virtual technology in Android system | |
CN108681670A (en) | The method and device of Android malicious applications detection based on fine granularity feature | |
JP2021051745A (en) | Computer device and memory management method | |
CN109992532A (en) | Access permission management method for storage space and storage permission management unit | |
CN108197476A (en) | Vulnerability detection method and device for an intelligent terminal | |
CN105718793A (en) | Method and system for preventing malicious code from identifying sandbox on the basis of sandbox environment modification | |
CN113051624B (en) | Intelligent contract information flow integrity verification method and system based on type detection | |
CN111159718B (en) | Method and device for bug repair and household appliance | |
CN112583805A (en) | Data processing method and device based on block chain, electronic equipment and storage medium | |
CN116595523A (en) | Multi-engine file detection method, system, equipment and medium based on dynamic arrangement | |
CN103116543B (en) | Web application security detection method combining white-box and black-box testing | |
CN111382416B (en) | Application program operation identification method and device, terminal equipment and storage medium | |
CN112395615A (en) | Android malicious application detection method | |
CN106709359A (en) | Detection method of Android application vulnerabilities | |
JP6258189B2 (en) | Specific apparatus, specific method, and specific program | |
CN112487414B (en) | Method, device, equipment and storage medium for acquiring process command line | |
CN110162734A (en) | A kind of fractional calculus algorithm solving system and method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20181019 |