CN111046384A - Android application security detection method based on Metropolis algorithm - Google Patents

Info

Publication number
CN111046384A
Authority
CN
China
Prior art keywords
authority
android application
algorithm
dangerous
android
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201911081802.9A
Other languages
Chinese (zh)
Inventor
原红丽
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Anhui Xinhua University
Original Assignee
Anhui Xinhua University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Anhui Xinhua University filed Critical Anhui Xinhua University
Priority to CN201911081802.9A priority Critical patent/CN111046384A/en
Publication of CN111046384A publication Critical patent/CN111046384A/en
Pending legal-status Critical Current

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561: Virus type analysis
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06N: COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00: Machine learning

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Artificial Intelligence (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Mining & Analysis (AREA)
  • Evolutionary Computation (AREA)
  • Medical Informatics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The Android application security detection method based on the Metropolis algorithm extracts dangerous permissions by decompiling an apk file; calculates the certainty of each dangerous permission as a posterior probability through the Metropolis algorithm, and takes the dangerous permissions whose posterior probability is higher than a preset credibility threshold as target permissions; and performs machine learning and training on the target permissions to obtain an Android application security detection model. Because the model trained on the target permissions judges the security of an Android application using only the dangerous-permission feature, the complexity of the detection system is greatly reduced and detection efficiency is improved.

Description

Android application security detection method based on Metropolis algorithm
Technical Field
The invention relates to the technical field of information security, and in particular to an Android application security detection method based on the Metropolis algorithm.
Background
With the widespread adoption of mobile applications, security has become a serious challenge. Activities such as mobile payment, e-commerce and social networking involve large amounts of private user data, and the heavy use of third-party mobile applications makes that data difficult to protect effectively. Malicious Android applications seriously threaten user data. Their behaviors mainly include malicious fee deduction, privacy theft, remote control, malicious propagation, expense consumption, system destruction and fraud, and they may cause users economic loss or leak private data.
Existing methods for detecting malicious Android applications fall into three categories: static analysis, dynamic testing, and detection based on data mining. Static analysis judges whether an application is malicious by analyzing its installation package or source code. Its code coverage is high, but because no program is actually executed its false alarm rate is high, and malware authors can evade static analysis through techniques such as code obfuscation. Dynamic testing judges maliciousness by actually running the application on an emulator or a real device and collecting behavior information while it runs. The applications it flags are genuinely malicious, but it suffers from low code coverage and high overhead. Detection based on data mining builds a classifier by learning features such as permissions and function calls, and uses it to judge whether an Android application is malicious. Such methods also do not actually run the application, so they too have a high false alarm rate.
Disclosure of Invention
To address the technical problems described in the background, the invention provides an Android application security detection method based on the Metropolis algorithm.
The Android application security detection method based on the Metropolis algorithm provided by the invention extracts dangerous permissions by decompiling an apk file; calculates the certainty of each dangerous permission as a posterior probability through the Metropolis algorithm, and takes the dangerous permissions whose posterior probability is higher than a preset credibility threshold as target permissions; and performs machine learning and training on the target permissions to obtain an Android application security detection model.
Preferably, the method comprises the following steps:
S1, collecting malicious applications to build a data set, and extracting apk files from the data set and decompiling them to obtain dangerous permissions;
S2, for the dangerous permissions, extracting permission codes through the Metropolis algorithm, and calculating the posterior probability of each dangerous permission according to at least one of the alpha values and beta values sampled for the permission RECORD_AUDIO;
S3, taking the dangerous permissions whose posterior probability is higher than a preset credibility threshold as target permissions;
and S4, extracting code samples of all target permissions from the data set, and training an Android application security detection model.
Preferably, step S1 specifically comprises: decompiling the apk file with ApkTool to obtain a folder containing the manifest file and the smali files; then extracting the AndroidManifest.xml file, which contains the permission declarations, with a Python program, and extracting the dangerous permissions from the AndroidManifest.xml file.
Preferably, step S4 specifically comprises:
S41, extracting code samples of each target permission from the data set, and training models with the Naive Bayes, Bayesian Network, J48, Random Tree and Random Forest algorithms respectively to obtain the corresponding machine learning models;
and S42, testing the resulting machine learning models with a proportional split and K-fold cross-validation, and taking the best machine learning model as the Android application security detection model.
In the Android application security detection method based on the Metropolis algorithm provided by the invention, the Metropolis algorithm is used to analyze Android dangerous-permission features and extract the target permissions that are decisive for judging Android security, and Android applications are then learned and classified using machine learning classification techniques.
Because the Android application security detection model trained on the target permissions judges the security of an Android application using only the dangerous-permission feature, the complexity of the detection system is greatly reduced and detection efficiency is improved.
The method uses the Metropolis algorithm to calculate how decisive the dangerous permissions that play a key role in Android application detection are for the security verdict, and achieves high detection accuracy and a low misjudgment rate.
Drawings
FIG. 1 is a flowchart of an Android application security detection method based on a Metropolis algorithm provided by the invention;
FIG. 2 is a flowchart of another Metropolis algorithm-based Android application security detection method provided by the invention.
Detailed Description
Referring to FIG. 1, the Android application security detection method based on the Metropolis algorithm extracts dangerous permissions by decompiling an apk file; calculates the certainty of each dangerous permission as a posterior probability through the Metropolis algorithm, and takes the dangerous permissions whose posterior probability is higher than a preset credibility threshold as target permissions; and performs machine learning and training on the target permissions to obtain an Android application security detection model.
Specifically, in this embodiment, the dangerous permissions are the 24 dangerous permissions officially declared by Google, the provider of the Android source code.
In this embodiment, the target permissions are further screened from the dangerous permissions according to the posterior probability, and the Android application security detection model is then trained on the target permissions. Screening removes the dangerous permissions with lower certainty, so the features of the sample data used to train the model are more distinct, the trained model is more accurate, and the target permissions are highly recognizable. Therefore, during Android application security detection, as long as the permission combination of an application contains any one of the target permissions, it can be detected by the Android application security detection model, which greatly improves detection precision and accuracy.
Referring to FIG. 2, the Android application security detection method based on the Metropolis algorithm in this embodiment specifically includes the following steps:
S1, collecting malicious applications to build a data set, and extracting apk files from the data set and decompiling them to obtain dangerous permissions.
Specifically, in this step, the apk file is decompiled with ApkTool to obtain a folder containing the manifest file and the smali files; the AndroidManifest.xml file, which contains the permission declarations, is then extracted with a Python program, and the dangerous permissions are extracted from the AndroidManifest.xml file.
Specifically, in this embodiment, after the AndroidManifest.xml file is extracted, all permissions declared in it are parsed, and each permission is compared against the 24 dangerous permissions officially declared by Google to extract the dangerous permissions.
S2, for the dangerous permissions, extracting permission codes through the Metropolis algorithm, and calculating the posterior probability of each dangerous permission according to at least one of the alpha and beta values sampled for the permission RECORD_AUDIO.
S3, taking the dangerous permissions whose posterior probability is higher than the preset credibility threshold as the target permissions.
Specifically, in one embodiment, the posterior probability is calculated by Metropolis sampling of the beta parameters of the 24 dangerous permissions through a forest tree, and the credibility threshold is set to 95%. In this embodiment, 7 dangerous permissions with low certainty are finally screened out: ADD_VOICEMAIL, USE_SIP, WRITE_CONTACTS, BODY_SENSORS, RECEIVE_SMS, READ_SMS and SEND_SMS. That is, 17 target permissions are obtained in this embodiment.
S41, extracting code samples of each target permission from the data set, and training models with the Naive Bayes, Bayesian Network, J48, Random Tree and Random Forest algorithms respectively to obtain the corresponding machine learning models;
and S42, testing the resulting machine learning models with a proportional split and K-fold cross-validation, and taking the best machine learning model as the Android application security detection model.
In this way, steps S41 and S42 together extract code samples of each target permission from the data set and train the Android application security detection model. The final model detects using only the permission-behavior feature, which greatly reduces the complexity of Android application security detection and improves detection efficiency.
In this embodiment, machine learning models are trained with several algorithms, and testing and selection of the best model further ensure the accuracy and reliability of the final Android application security detection model.
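Steps S1 to S3 can be sketched as follows. This is an added example, not code from the patent: the logistic model P(malicious) = sigmoid(alpha + beta*x) with normal priors, the reading of "certainty" as P(beta > 0 | data), the benign apps in the constructed corpus and all function names are assumptions, and the permission list is the 24 dangerous permissions of Android 6.0.

```python
import math, random
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.android.com/apk/res/android}"
# Short names of the 24 dangerous permissions of Android 6.0 (API 23).
SHORT = """READ_CALENDAR WRITE_CALENDAR CAMERA READ_CONTACTS WRITE_CONTACTS
GET_ACCOUNTS ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION RECORD_AUDIO
READ_PHONE_STATE CALL_PHONE READ_CALL_LOG WRITE_CALL_LOG ADD_VOICEMAIL USE_SIP
PROCESS_OUTGOING_CALLS BODY_SENSORS SEND_SMS RECEIVE_SMS READ_SMS
RECEIVE_WAP_PUSH RECEIVE_MMS READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE""".split()
# Match on full names so a custom com.example.permission.CAMERA is not counted;
# ADD_VOICEMAIL is the one that lives outside the android.permission prefix.
DANGEROUS = {("com.android.voicemail.permission." if s == "ADD_VOICEMAIL"
              else "android.permission.") + s: s for s in SHORT}

def dangerous_permissions(manifest_xml):
    """S1: dangerous permissions declared in a decoded AndroidManifest.xml."""
    names = (el.get(NS + "name") for el in ET.fromstring(manifest_xml).iter()
             if el.tag in ("uses-permission", "uses-permission-sdk-23"))
    return {DANGEROUS[n] for n in names if n in DANGEROUS}

def log_sigmoid(z):
    return -math.log1p(math.exp(-z)) if z > 0 else z - math.log1p(math.exp(z))

def log_posterior(alpha, beta, counts):
    """Assumed model: P(malicious) = sigmoid(alpha + beta*x), N(0, 5^2) priors."""
    lp = -(alpha ** 2 + beta ** 2) / (2 * 5.0 ** 2)
    for (x, y), n in counts.items():  # x: permission requested, y: malicious
        lp += n * log_sigmoid((alpha + beta * x) * (1 if y else -1))
    return lp

def certainty(counts, n_iter=6000, burn=1000, step=0.5, seed=0):
    """S2: random-walk Metropolis estimate of P(beta > 0 | data) (assumed score)."""
    rng = random.Random(seed)
    a = b = 0.0
    lp, hits = log_posterior(a, b, counts), 0
    for i in range(n_iter):
        a2, b2 = a + rng.gauss(0, step), b + rng.gauss(0, step)
        lp2 = log_posterior(a2, b2, counts)
        # Symmetric proposal, so accept with probability min(1, p_new / p_old).
        if rng.random() < math.exp(min(0.0, lp2 - lp)):
            a, b, lp = a2, b2, lp2
        if i >= burn and b > 0:
            hits += 1
    return hits / (n_iter - burn)

def target_permissions(apps, threshold=0.95):
    """S3: apps is [(dangerous permission set, label)]; keep scores > threshold."""
    scores = {}
    for perm in sorted(set().union(*(perms for perms, _ in apps))):
        counts = Counter((int(perm in perms), y) for perms, y in apps)
        scores[perm] = certainty(counts)
    return {p for p, s in scores.items() if s > threshold}, scores

def sample_apps():
    """Constructed labelled corpus (1 = malicious, 0 = benign), 40 apps each."""
    xml = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
           '{}</manifest>')
    use = '<uses-permission android:name="android.permission.{}"/>'
    rows = [(20, 1, ["RECORD_AUDIO"]), (10, 1, ["RECORD_AUDIO", "BODY_SENSORS"]),
            (10, 1, ["INTERNET"]), (4, 0, ["RECORD_AUDIO"]),
            (10, 0, ["BODY_SENSORS"]), (26, 0, ["INTERNET"])]
    return [(dangerous_permissions(xml.format("".join(map(use.format, names)))), y)
            for n, y, names in rows for _ in range(n)]

if __name__ == "__main__":
    print(target_permissions(sample_apps()))
```

In the constructed corpus BODY_SENSORS is requested equally often by malicious and benign apps, so its score stays near 0.5 and it is screened out, while RECORD_AUDIO clears the 95% threshold.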
The above describes only a preferred embodiment of the present invention, but the scope of protection of the invention is not limited thereto. Any equivalent substitution or change made by a person skilled in the art, within the technical scope disclosed by the invention and according to its technical solution and inventive concept, shall fall within the scope of protection of the present invention.

Claims (4)

1. An Android application security detection method based on the Metropolis algorithm, characterized by comprising: extracting dangerous permissions by decompiling an apk file; calculating the certainty of each dangerous permission as a posterior probability through the Metropolis algorithm, and taking the dangerous permissions whose posterior probability is higher than a preset credibility threshold as target permissions; and performing machine learning and training on the target permissions to obtain an Android application security detection model.
2. The Metropolis algorithm-based Android application security detection method of claim 1, comprising the following steps:
S1, collecting malicious applications to build a data set, and extracting apk files from the data set and decompiling them to obtain dangerous permissions;
S2, for the dangerous permissions, extracting permission codes through the Metropolis algorithm, and calculating the posterior probability of each dangerous permission according to at least one of the alpha values and beta values sampled for the permission RECORD_AUDIO;
S3, taking the dangerous permissions whose posterior probability is higher than a preset credibility threshold as target permissions;
and S4, extracting code samples of all target permissions from the data set, and training an Android application security detection model.
3. The Metropolis algorithm-based Android application security detection method of claim 2, wherein step S1 specifically comprises: decompiling the apk file with ApkTool to obtain a folder containing the manifest file and the smali files; then extracting the AndroidManifest.xml file, which contains the permission declarations, with a Python program, and extracting the dangerous permissions from the AndroidManifest.xml file.
4. The Metropolis algorithm-based Android application security detection method of claim 2, wherein step S4 specifically comprises:
S41, extracting code samples of each target permission from the data set, and training models with the Naive Bayes, Bayesian Network, J48, Random Tree and Random Forest algorithms respectively to obtain the corresponding machine learning models;
and S42, testing the resulting machine learning models with a proportional split and K-fold cross-validation, and taking the best machine learning model as the Android application security detection model.
CN201911081802.9A 2019-11-07 2019-11-07 Android application security detection method based on Metropolis algorithm Pending CN111046384A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911081802.9A CN111046384A (en) 2019-11-07 2019-11-07 Android application security detection method based on Metropolis algorithm

Publications (1)

Publication Number Publication Date
CN111046384A true CN111046384A (en) 2020-04-21

Family

ID=70231865

Country Status (1)

Country Link
CN (1) CN111046384A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination