KR20200061830A - Malware detection and classification method and system, including pattern key parts of android applications - Google Patents

Abstract

The present invention relates to a technique which patterns (imaging, sounding, etc.) a main part representing an executable code that may contain a malicious code in Android applications, and applies the patterned information to machine learning to diagnose the malicious code, thereby improving the malware detection performance in the Android environment. A system for detecting and classifying Android malware comprises: an inspection area extractor for selectively extracting major parts of the Android application that may contain malicious code; a conversion unit for generating pattern data by patterning the data of the major parts extracted by the inspection area extractor; and a malicious code inspection unit which diagnoses whether pattern data generated by the conversion unit includes malicious code in the pattern data by comparing it with a conventional malicious code pattern.

Description

Malware detection classification method and system patterning major parts of Android applications {MALWARE DETECTION AND CLASSIFICATION METHOD AND SYSTEM, INCLUDING PATTERN KEY PARTS OF ANDROID APPLICATIONS}

The present invention relates to a malware detection classification method and system patterning a main part of an Android application, and more specifically, patterning (imaging, sounding, etc.) the main part including the execution code in the Android application, and the pattern thereof. It is a technology for a method and system for improving malware detection and family classification performance in the Android environment by diagnosing malicious code by applying the refined information to machine learning.

The emergence rate of malicious codes targeting Android in the mobile platform market is increasing day by day. According to security solution company McAfee, 57.6 million new malicious codes appeared in the third quarter of 2017, breaking the peak.

Compared to the explosively increasing malicious code, the Android malware detection system based on the existing signature and abnormal behavior detection has a limitation that the update rate of the signature and anomaly DB is not fast enough to cope with the current situation.

Due to these limitations, there is a disadvantage that the bypass is relatively easy and vulnerable to new types of malware or zero-day.

Machine learning techniques have been introduced to overcome the limitations of conventional malware detection.

There are largely static and dynamic analysis methods for analyzing malicious code. Static analysis, which is a method of analyzing decompiled or disassembled code without executing malicious code, has the advantage of high code coverage, but it takes a lot of time to analyze and is limited by analysis obstruction techniques such as obfuscation. Can be used as On the other hand, dynamic analysis is a method of executing a malicious code in a limited environment and analyzing a part. This has the advantage that it is relatively free from analysis interference techniques and requires relatively little analysis time, but it has disadvantages that it is difficult to cope with logic bombs or time bombs due to narrow code coverage, and it is difficult to construct a limited environment.

United States Patent Publication 2012-0047580

Accordingly, the present invention has been proposed to solve the above-mentioned general problems, and the object of the present invention is to pattern the main part including the execution code in an Android application (image, sound, etc.), and to pattern the It is intended to provide a method and system for improving malware detection and family classification performance in an Android environment by diagnosing malware by applying information to machine learning.

In addition, the object of the present invention is to pattern the entire DEX file of the Android application (APK) to improve the conventional technique of inputting into machine learning, patterning the code_item including the execution code in the DEX file, and patterning the DEX file It is intended to provide a method and system for detecting and classifying malicious codes by applying information to machine learning.

In order to achieve the above object, the malware detection classification system patterning the main part of the Android application according to the technical idea of the present invention is an inspection area extracting unit for selectively extracting and extracting data of a main part that may contain malicious code in the Android application. Wow; A conversion unit for patterning the main part extracted by the inspection area extraction unit to generate pattern data; It characterized in that it comprises a malicious code inspection unit for diagnosing whether the pattern data includes the malicious code by inputting the pattern data generated by the conversion unit into the machine learning in which the conventional malicious code pattern is learned.

In addition, the pattern data generated by the conversion unit may be characterized in that the image format data.

In addition, the conversion unit may be characterized in that after loading the main portion in the form of a binary code (binary code), and divides into a predetermined unit, and converts the divided binary code into a corresponding lightness or color.

In addition, the conversion unit may be characterized in that the pattern data of the image format is enlarged or compressed in response to a data format input to the machine learning algorithm of the malicious code inspection unit.

In addition, the pattern data generated by the conversion unit may be characterized in that the data of the sound format.

In addition, the conversion unit may be characterized in that after converting the binary code of the main part to MIDI format, the converted MIDI format data to a wav format or MFCC (Mel-Frequency Cepstral Coefficients) format.

In addition, when converting the MIDI format of the main part, the converter may divide the main part into 1-byte units, and then configure the 1 byte into a first channel composed of 2 bits and a second channel composed of 6 bits. have.

In addition, the conversion unit may be characterized in that the first channel and the second channel are converted into MIDI format after adding weights to at least one channel so that the sound does not overlap with each other.

In addition, the main part may be characterized in that a code-item indicating execution code is included in the DEX file of the Android application.

In addition, the inspection area extraction unit may be characterized in that it extracts the execution code portion of the Data section, and an additional area corresponding to the programming language of the Android application.

In addition, the additional area is a file with a so extension when the programming language is C or C++, a dll file such as Assembly-CSharp.dll or App.dll when the programming language is C#, and System when the programming language is .NET libraries. It may be characterized by dll files such as .dll and System.core.dll, index.html file when the programming language is HTML, and js file such as index.js when the programming language is Javascript.

In addition, the scanning area extracting unit extracts the execution code portion of the Data section, and an additional area corresponding to the Google Play category of the Android application, and the malicious code scanning unit performs diagnostics corresponding to the category of the application. can do.

In addition, the inspection area extraction unit may be characterized in that the execution section of the data section, and the malicious code inspection unit extracts an additional area corresponding to the malware family of the malicious code to be diagnosed.

On the other hand, in order to achieve the above object, the malware detection classification method patterning the main part of the Android application according to the technical idea of the present invention extracts the data of the main part that may include malicious code from the Android application in the scan area extraction unit. And generating a pattern data by patterning the data of the main part extracted from the inspection area extracting unit, and comparing the pattern data generated by the conversion unit with the conventional malicious code pattern by the malicious code inspection unit. And diagnosing whether the pattern data includes malicious code.

According to the malware detection classification method and system patterning the main part of the Android application according to the present invention,

First, in the conventional Android application malicious code diagnosis technology, since the entire DEX file is diagnosed without additional processing, the volume of data for diagnosis is considerable, and even unnecessary information for malicious code diagnosis is considered. Since only the execution code (code_item) is extracted to diagnose malicious code, the volume of data to be analyzed can be reduced, and unnecessary information can be excluded, thereby improving the diagnostic rate of malicious code.

Second, according to the present invention, the probability of failing to scan a malicious code is significantly reduced by discovering an area that can be additionally infected according to a programming language and adding the areas to the inspection data.

Third, if the scan area extractor extracts only the main part from the Android application, even if the pattern data is compressed to a size that can be input to machine learning, the loss is significantly less, and the diagnosis rate of malware can be significantly improved.

1 is a reference diagram showing a file included in an Android application.
2 is a reference diagram showing the detailed configuration of sections and Data sections included in the classes.dex file among files included in the Android application.
Figure 3 is a reference diagram showing the index (Dex class member indexing) of the DEX class configuration.
4 is a reference diagram showing a relationship between a data section and a class_defs section.
5 is a block diagram of an Android malware detection classification system according to an embodiment of the present invention.
6 is an exemplary diagram showing a list of malware families.
7 is a view showing a process of generating an image by converting a binary code of a main part into a corresponding color in an embodiment of converting the main part into an image format.
8 is a diagram illustrating a process of converting a binary code of a main part into a MIDI format in an embodiment of converting the main part into a sound format.
FIG. 9 is a diagram showing that data converted to MIDI format is converted to other formats such as wav and MFCC in an embodiment in which the main part is converted into a sound format.
10 is a flow chart of a method for detecting malicious apps in Android according to an embodiment of the present invention.

With reference to the accompanying drawings will be described in detail with respect to the malware detection classification method and system patterning the main part of the Android application according to embodiments of the present invention. The present invention can be variously changed and can have various forms, and specific embodiments will be illustrated in the drawings and described in detail in the text. However, this is not intended to limit the present invention to a specific disclosure form, and it should be understood that it includes all modifications, equivalents, and substitutes included in the spirit and scope of the present invention. In describing each drawing, similar reference numerals are used for similar components.

In addition, unless defined otherwise, all terms used herein, including technical or scientific terms, have the same meaning as commonly understood by a person skilled in the art to which the present invention pertains. Terms, such as those defined in a commonly used dictionary, should be interpreted as having meanings consistent with meanings in the context of related technologies, and should not be interpreted as ideal or excessively formal meanings unless explicitly defined in the present application. Does not.

This embodiment may be executed in a single or multiple computing system to perform functions of each configuration.

First, the structure of the Android application will be described.

1 is an internal structure of an Android application APK developed in Java, and includes files such as AndroidManifest.xml, assets/, META-INF/, lib/, classes.dex, res/, resources.arsc (Unity, Xamarin For applications developed with cross-platform app development tools such as, PhoneGap, Cordova, Cocos2d, etc., the APK structure may be different).

Referring to FIG. 2, among them, the structures of classes.dex (hereinafter, DEX file) are largely header, string_ids, type_ids, proto_ids, fields_ids, method_ids, class_defs, link_data, arrays in which identifiers and class-related offsets are stored, and in DEX files It consists of a Data section, which is an area that contains actual data and executable code (commands).

Data section is code_item where byte information and method information exist, string_data where String value is stored, optional including debugging related information, and map with size and offset of all sections and components It consists of a list.

Sections other than the Data section contain information about offset and size, not data.

3 and 4, the class_defs section of the DEX file includes class_def_item representing classes. class_def_item includes class_data_off, where class_data_off points to class_data_item.

class_data_item contains data of each class. Also, class_data_item exists in the data section of the DEX file.

The class_data_item in the data section contains direct method and virtual method members in the encoded method format. The encoded method format includes code_off, where each method is represented by an encoded method. code_off means code_item, and code_item contains instructions of each method. The insns_size and insns member fields of code_item indicate the byte code of the method, that is, instructions.

As a result of in-depth analysis of the DEX file in light of the research experience of the Android application, it was found that the executable code in which the malicious code operates is located in code_item.

Referring to FIG. 5, the Android malware detection classification system 100 according to an embodiment of the present invention includes an inspection area extraction unit 120 for extracting data of a main part that may contain malicious code in an Android application, and extracting the inspection area The conversion unit 140 for patterning the main part extracted by the unit 120 to generate pattern data, and inputting the pattern data generated by the conversion unit 140 into machine learning in which a conventional malicious code pattern has been learned, so that the pattern data It includes a malicious code inspection unit 160 for diagnosing whether the malicious code is included.

In addition, the input unit 110 for receiving the diagnosis target Android application may be included.

Data of the main part includes code_item of Data section among DEX files of Android applications.

The inspection area extraction unit 120 extracts the DEX file by unzipping the APK of the Android application, and then parses the header of the DEX file to obtain the offset of the data section. After that, the file is separated based on the offset, and the code_item including the execution code is defined as the main part.

In the conventional Android application malicious code diagnosis technology, the entire DEX file is diagnosed without a separate pre-processing process, so the data volume for diagnosis is considerable. On the other hand, since the embodiment of the present invention deeply separates the DEX file and extracts only code_item and diagnoses the malicious code, the data volume to be analyzed is significantly reduced, but the diagnostic rate of the malicious code is not affected.

On the other hand, Android can make applications in various development environments. For example, applications can be produced not only in Java but also in programming languages such as C#, Javascript, C++, and HTML. However, it was found that an additional area where malicious codes can be located is generated depending on the programming language.

Therefore, the inspection area extraction unit 120 of the Android malware detection classification system 100 according to an embodiment of the present invention selects an additional area to be extracted together with code_item in correspondence with the programming language of the Android application.

Specifically, the inspection area extraction unit 120 necessarily extracts code_item from an application made in Java. In applications written in C or C++, files with code_item and so extensions are extracted. In C# applications, code_item and dll files such as Assembly-CSharp.dll or App.dll are extracted. In applications created with .NET libraries, dll files such as code_item, System.dll and System.core.dll are extracted. Code_item and index.html files are extracted from applications created in HTML. In applications created with Javascript, dll files such as code_item and index.js are extracted.

As another embodiment, the inspection area extraction unit 120 may collectively extract code_item, so extension files, dll extension files, js extension files, and html extension files regardless of the programming language of the application.

Since this embodiment selectively extracts an area that can be infected with malicious code in addition to code_item in the application, the effect of reducing the volume of data that is subject to malicious code scanning is reduced compared to the prior art that performs malicious code scanning on the entire application. There is. When the volume of data is reduced, the time to scan malicious code is reduced, and a number of improved effects such as more precise inspection are possible. In addition, the prior art tends to scan only the DEX file, but when the application is made in a different programming language, there is a problem of not scanning the area containing the malicious code, but this embodiment may be additionally infected depending on the programming language. By discovering the area and adding the areas to the inspection data, the probability of malicious code inspection failure is significantly reduced.

In addition, the application differs in class, method (API), code, component (activity, service, content provider, broadcast receiver), string (string), and intent used according to the category. A category is a group that categorizes applications such as games, finance, text editors, vaccines, and utilities by function. Google Play, which leads the distribution of Android applications (as of 2018), categorizes and provides registered applications by category. As another embodiment, the inspection area extraction unit 120 selects an additional area to be extracted along with the code-item corresponding to the application category of Google Play, and the malicious code inspection unit 160 performs diagnosis corresponding to the application category. can do. For example, based on the machine learning of the malicious code inspection unit 160, the voice API (API used by many malicious apps) and the positive API (API used by many normal apps) used by categories are used by the malicious code. Learning, and the inspection area extracting unit 120 extracts the API called by the application to be inspected, so that the extracted API is similar to the pattern of the positive API of the related category or the pattern of the malicious API. Can be. In addition, after unique characteristics appearing in an application are defined in advance according to a category, malicious code diagnosis may be performed in response to a category of an application to be inspected.

6 is a table showing an example of a malware family. Malicious codes can be classified into malware families according to their types. The types of malicious codes include viruses, worms, Trojan horses, backdoors, logical bombs, bots, adware, spyware, ransomware, etc., and the malware family is the basis for classifying these malicious codes by type.

As another embodiment, the inspection area extraction unit 120 may be characterized in that the additional area to be extracted together with the code-item is selected by the malicious code inspection unit 160 corresponding to the type of malicious code to be diagnosed.

Theoretically, it is desirable to diagnose all malware in an application, but companies that provide diagnostic software in the real industry have excellent diagnostic skills in only a few types of malware families. For example, one company is a leader in the detection of viruses, worms, and Trojan horses, but can be powerless against adware, spyware, and ransomware. Another company is leading in the diagnosis and treatment of ransomware, but may be powerless for other malware. For this reason, the type of malicious code to be diagnosed may be limited to a part of the malware family, and the scan area extracting unit 120 selects an extraction area corresponding to the limited type of malicious code.

Referring to FIG. 7, the Android malware detection classification system 100 according to the first embodiment of the present invention diagnoses malicious code after converting the main part data and additional areas into image format pattern data. In the first embodiment, the pattern data generated by the conversion unit 140 is image format data, and the malicious code inspection unit 160 diagnoses whether the pattern data includes malicious code using a machine learning algorithm robust to static data analysis. .

Specifically, the conversion unit 140 loads the main portion in the form of binary code and divides it into predetermined units. In addition, an image is generated by converting the divided binary code into a corresponding contrast or color. Referring to the drawings, this embodiment reads the data extracted by the inspection area extractor 120 as a binary code, converts it into an 8-bit vector, and expresses it as one pixel, from 0 per pixel. A grayscale image with a value of 255 was generated.

The image is composed of rows having a certain width corresponding to the volume of data. The width can be in pixels. As an embodiment, the width of the image may be the number of pixels that become a square corresponding to the volume of data. For example, if the volume of data is 524,288 bits, the width of the image may be 256 pixels (256×256 image creation).

Data volume range [KB] Image width [pixel] <10 32 10-30 64 30-60 128 60-100 256 100-200 384 200-500 512 500-1000 768 >1000 1024

The converting unit 140 is unable to generate a pixel because the last binary code is completed without completing 8 bits, or if the final region of the square image is not partially completed due to the binary code being terminated, an insufficient region to complete the square image Insert 0-padding in In this way, the conversion unit 140 can generate an image of a linear nature.

The malicious code inspection unit 160 uses a machine learning algorithm robust to static data analysis in order to diagnose whether the image includes malicious code. Machine learning algorithms that are robust to static data analysis include a convolutional neural network (CNN). This example used CNN for analysis of imaged pattern data.

CNN is an algorithm specialized for image analysis. Typically, Google's AlphaGo and Facebook's face recognition algorithms use CNN. CNN has excellent performance in finding the optimal output for a specific input, and has a wide range of advantages in code coverage.

In the experiment, the state-of-the-art CNN models Inception-V3 and Inception-ResNet-V2 were used among the CNNs. Inception-V3 is an improved model of GoogLeNet and is applied in many static data analysis studies. Meanwhile, Inception-ResNet-V2 is a model that combines the characteristics of ResNet with Inception-V3. As an optimization method applied to each CNN model, RMSprop (Root Mean Square Propagation), Adam (Adaptive Moment Estimation), and SGD (Stochastic Gradient Descent) were used. Adam is a popular algorithm and is used by many deep learning frameworks. SGD is a prototype algorithm of RMSprop and Adam, and when combined with Inception-v3, it has the feature of detecting malicious code with high performance.

In order to accurately diagnose the malicious code of the malicious code inspection unit 160, the machine learning algorithm is trained as an image pattern converted from a known malicious code. The learning unit 180 patterns the known malicious codes and inputs them into the machine learning of the malicious code inspection unit 160 to support machine learning to learn the patterns of the malicious codes. It is preferable that the pattern data generated by the conversion unit 140 and the image-patterned malicious code generated by the learning unit 180 have the same format.

Data input to the machine learning algorithm must satisfy a preset format. For example, the machine learning algorithm can receive only 256×256 images. In this case, pattern data generated with a smaller image should be enlarged, and pattern data generated with a larger image should be compressed. The conversion unit 140 performs enlargement or compression of the imaged pattern data corresponding to the input format of the machine learning.

At this time, the feature that the inspection area extraction unit 120 extracts only the main part of the data from the Android application is a great strength. As in the prior art, if all areas of the application or all DEX files are set as inspection targets and imaged pattern data is generated, the size of the image is also increased by the massive data volume. It is obvious that the larger the image is compressed into a smaller image, the more loss occurs. In this embodiment, since the inspection area extracting unit 120 selectively extracts only the area in which the malicious code may be included, the image size of the generated pattern data is much smaller even if the same application is diagnosed in comparison with the prior art. Therefore, even if the pattern data is compressed to a size that can be input to machine learning, the loss is significantly less. Since the pattern of the image compressed with little loss is easier to contrast with the pattern of the malicious code previously learned by the machine learning, the diagnosis rate of the malicious code inspection unit 160 can be significantly improved.

Meanwhile, referring to FIG. 8, the Android malware detection classification system 100 according to the second embodiment of the present invention diagnoses malicious code after converting the main part data and the additional area into pattern data in a sound format. In the second embodiment, the pattern data generated by the conversion unit 140 is sound format data, and the malicious code inspection unit 160 diagnoses whether the pattern data includes malicious code using a machine learning algorithm robust to dynamic data analysis. .

Specifically, the conversion unit 140 converts the data of the main part and the binary code of the additional area into a MIDI (Musical Instrument Digital Interface) format. In addition, data and additional areas of the main part of the converted MIDI format are re-converted to a wav format or a Mel-Frequency Cepstral Coefficients (MFCC) format.

MIDI is a language for generating digital sound sources, but is not a sound source, but records information about sounds. MIDI includes information such as the type of instrument, the pitch of the sound, the attenuation, the channel representing the instrument being studied at the same time, and Note ON/OFF.

One channel can be viewed as one instrument. If multiple channels are set, it can be viewed as a concert of several instruments. The notes are set for each channel as if the notes were written for each instrument in the 5 papers.

As an embodiment, the conversion unit 140 divides the data of the main part and the binary code of the additional area into 1 byte units and converts it into MIDI format.

Pitch (Pitch) is a frequency that means the pitch of the note, it can be represented by a note.

The range of notes in MIDI can represent data from 0 to 127, that is, 7 beats. However, since 1 byte is 8 bits and can represent 0 to 255, it is impossible to express 1 byte as a note in a MIDI note.

To solve this problem, the conversion unit 140 of the second embodiment sets two bits out of 8 bits of one byte as notes of the first channel and sets the remaining six bits as notes of the second channel. Assuming that the first channel is an instrument that outputs 4 notes from 0 to 3, and that the second channel is an instrument that outputs 64 notes from 0 to 63, it is assumed that the two instruments form harmony at the same time. will be. When MIDI is divided into 1 byte in this way, 256 (1 byte) information can be stored at the timing at which a single sound is reproduced.

In addition, the converter 140 of the second embodiment adds a weight to at least one channel and converts it into MIDI format in order to prevent the sound from overlapping each other in the first channel and the second channel. That is, the range in which the first channel sets the note and the range in which the second channel sets the note do not overlap. For example, if the binary value of the first channel is 11 and the binary value of the second channel is 000011, the notes of the two channels are set at the same position, making it difficult to identify data. To solve this problem, in this embodiment, a note is set after adding a weight of 24 to the binary value of the second channel. The reason for adding 24 is that the maximum value represented by 6 beats becomes 88 when the piano is added to 24, considering that the piano has up to 88 notes. By the number 24 added to the second channel, notes corresponding to 0 to 23 are not displayed in the second channel. Therefore, the note appearing in the range of 0 to 23 can be identified as being the note of the first channel.

In addition, the first channel can express four kinds of notes, but since a note can be set in a wide range of 0 to 23, in order to enhance the discrimination between the notes, a weight can be added to or multiplied with a binary value. In this example, the binary value of the first channel is multiplied by 3. If the binary value is 1, the 3rd note is set, 2 is the 6th note, and 3 is the 9th note, making it easier to identify the first channel.

Referring to FIG. 8, the conversion unit 140 converts data and additional areas of main parts converted to MIDI format into a wav format. MIDI contains sound information, but it is not itself an audio file. Audio of the main part converted to wav format can be played.

A wav file has a capacity of 87KB per second when converted to a normal level of 16 bits, 44100Hz. The higher the sampling rate, the more sophisticated audio is played, but if it exceeds a certain level, the volume of the wav file becomes too large, and the resources for audio analysis are excessive. Therefore, in this example, the sampling rate was set to 22050 Hz or less.

In addition, the conversion unit 140 may convert data and an additional area of a main part of a MIDI format or a wav format into a MFC-Mel-frequency cepstral coefficients (MFCC) format.

The malicious code inspection unit 160 uses a machine learning algorithm robust to dynamic data analysis to diagnose whether malicious code is included in the sound format pattern data. Since the data outputted along the time axis of the sound format information is different, it is preferable to apply a dynamic data analysis technique. Machine learning algorithms that are robust to dynamic data analysis include Recurrent Neural Network (RNN). This example used RNN for analysis of sounded pattern data.

CNN does not express a temporal dependency in which the current output is affected by the past input. However, the Recurrent Neural Network (RNN) is suitable for mathematical modeling of time series pattern or sequence data analysis. Time series data measured in a time-dependent manner at regular time intervals include stock prices, sales, price index, exchange rates, and unemployment rates. In addition, there are texts, voices, videos, base pairs of DNA strands, etc. in sequence data having a sequence. RNN has the ability to express temporal dependencies in which the current output is influenced by the past input. When RNN is deployed in a neural network structure over time, it exhibits the same structure as a feed-forward network. Therefore, RNN is widely used for voice, video, and language model analysis.

In order to accurately diagnose the malicious code of the malicious code inspection unit 160, the machine learning algorithm is trained with a sound pattern converted from a known malicious code. The learning unit 180 patterns known malicious codes and inputs them into the machine learning of the malicious code inspection unit 160, thereby enabling machine learning to learn patterns of the malicious codes.

The sound pattern of the malicious code converted by the learning unit 180 is preferably in the same format as the pattern data converted by the conversion unit 140.

The Android malware detection classification system 100 is proposed in view of the fact that the malicious code has a certain pattern, and it detects in the method of diagnosing the conventional data code because it prepares for the pattern of the main area and the malicious code of the application to be diagnosed. It can also detect malicious codes that could not be hidden (using obfuscation, packing, etc.).

Next, a method for detecting an Android malicious app according to an embodiment of the present invention will be described with reference to FIG. 10.

In the Android malicious app detection method according to an embodiment of the present invention, the scanning area extracting unit 120 extracts data of a main part that may include malicious code from the Android application (S120) and the converting unit 140 includes the above. Patterning the data of the main part extracted from the inspection area extraction unit 120 to generate pattern data (S140), and the malicious code inspection unit 160 uses the pattern data generated by the conversion unit 140 as a conventional malicious And diagnosing whether or not the pattern data includes malicious codes (S160).

In addition, the Android malicious app detection method according to an embodiment of the present invention may be implemented as the functions performed in the Android malicious app detection are sequentially executed in response to each step.

The preferred embodiments of the present invention have been described above, but the present invention can use various changes, modifications, and equivalents. It is clear that the present invention can be equally applied by appropriately modifying the above embodiments. Therefore, the above description is not intended to limit the scope of the present invention as defined by the following claims.

100: Android malware detection classification system
110: input unit
120: inspection area extraction unit
140: conversion unit
160: malicious code inspection unit
180: learning department

Claims (14)

An inspection area extracting unit for selectively extracting and extracting data of a main part that may contain malicious code from the Android application;
A conversion unit for patterning the main portion extracted by the inspection area extraction unit to generate pattern data;
Android malware detection classification system, characterized in that it comprises a malicious code inspection unit for diagnosing whether the pattern data contains the malicious code by inputting the pattern data generated by the conversion unit into the machine learning in which the conventional malicious code pattern is learned. According to claim 1,
Android malware detection classification system, characterized in that the pattern data generated by the converter is image format data. According to claim 2,
The conversion unit loads the main part in the form of binary code (binary code), and then divides it into a predetermined unit, and converts the divided binary code into a corresponding contrast or color. According to claim 2,
The conversion unit Android malware detection classification system, characterized in that for expanding or compressing the pattern data of the image format in response to the data format input to the machine learning algorithm of the malware inspection unit. According to claim 1,
Android malware detection classification system, characterized in that the pattern data generated by the conversion unit is data in a sound format. The method of claim 5,
The conversion unit converts the binary code of the main part into a MIDI format, and then converts the converted MIDI format data into a wav format or a Mel-Frequency Cepstral Coefficients (MFCC) format. The method of claim 6,
When converting the MIDI format of the main part, the main part is divided into 1 byte units, and then the 1 byte is composed of a first channel composed of 2 bits and a second channel composed of 6 bits. Classification system. The method of claim 7,
The conversion unit adds weights to at least one channel so that the sound of the first channel and the second channel do not overlap with each other, and then converts it into MIDI format. According to claim 1,
The main part is an Android malware detection classification system, characterized in that a code-item indicating an execution code is included in the DEX file of the Android application. The method of claim 9,
The inspection area extracting unit extracts the execution code portion of the Data section, and an additional area corresponding to the programming language of the Android application Android malware detection classification system. The method of claim 10, wherein the additional area
If the programming language is C or C++, it is a file with the so extension,
If the programming language is C#, it is a dll file containing Assembly-CSharp.dll or App.dll,
If the programming language is .NET libraries, it is a dll file containing System.dll and System.core.dll,
If the programming language is HTML, it is an index.html file.
Android malware detection classification system, characterized in that if the programming language is Javascript, it is a js file containing index.js. The method of claim 9,
The inspection area extraction unit extracts the execution code part of the Data section and an additional area corresponding to the Google Play category of the Android application,
The malware detection unit Android malware detection classification system, characterized in that to perform a diagnosis corresponding to the category of the application. The method of claim 9,
The inspection area extraction unit Android malware detection classification system, characterized in that the execution section of the data section, and the malicious code inspection unit extracts an additional area corresponding to the malware family of malware to be diagnosed. A step of extracting data of a main part in which the inspection area extracting unit may include malicious code in the Android application;
Generating a pattern data by patterning data of a main part extracted from the inspection area extraction unit by a conversion unit;
And a malicious code inspection unit diagnosing whether the pattern data generated by the conversion unit includes the malicious code of the pattern data in comparison with a conventional malicious code pattern.

Images