An Android Malicious Application Detection Method Based on Deep Domain Correlation of Sensitive Features
姜建国,李松,喻民,李罡,刘超,李梅梅,黄伟庆
(Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China; School of Information Technology, Deakin University, Geelong, Australia)
Abstract:
Detecting Android malicious applications with machine learning or deep learning algorithms is the current mainstream approach and has achieved some success. However, most methods only consider information such as an application's permissions and sensitive behaviours, and lack a deep analysis of how sensitive behaviours cooperate, which leads to low detection accuracy. Deep analysis of sensitive-behaviour cooperation faces two main challenges: representing the domain correlation of sensitive features, and performing deep analysis and detection on the basis of that domain correlation. This paper proposes a new Android malware detection model, GCNDroid, which detects Android malware effectively from the application's main sensitive behaviours and the domain correlations among them, as described by a sensitive feature domain correlation graph. First, to select the features that are most discriminative for classification while reducing the number of graph nodes and speeding up analysis, a sensitive feature dictionary is constructed. Next, a class or a package is defined as a domain, and sensitive features located in the same domain have a domain correlation. Different domain correlation weights between sensitive features are derived from the relative scope of the domains in which the features reside, producing the sensitive feature domain correlation graph; this graph accurately represents the sensitive behaviours within a particular functional module and the complete relationships among those behaviours. Then, on top of this graph, a deep representation based on a graph convolutional neural network is designed to build the Android malware detection model GCNDroid. In practice, GCNDroid can be continuously updated with new sensitive features to adapt to new sensitive behaviours of mobile applications. Finally, GCNDroid is systematically evaluated: key metrics including recall, F1 score and AUC all exceed 96%. Compared with traditional machine learning algorithms (support vector machine and decision tree) and deep learning algorithms (deep neural network and convolutional neural network), GCNDroid achieves the expected results.
Keywords: Android malware; domain correlation; graph convolutional neural network; sensitive features
DOI:10.19363/J.cnki.cn10-1380/tn.2023.01.01
Received: 2020-08-19; Revised: 2020-11-09
Funding: This work was supported by the Youth Innovation Promotion Association of the Chinese Academy of Sciences (No. 2021155).
Android Malware Detection Approach Based on Deep Domain Correlation of Sensitive Features
JIANG Jianguo,LI Song,YU Min,LI Gang,LIU Chao,LI Meimei,HUANG Weiqing
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China;School of Information Technology, Deakin University, Geelong, VIC 3216, Australia
Abstract:
Approaches based on traditional machine learning or deep learning algorithms are popular for Android malware detection. However, the majority of existing approaches focus only on the permissions and sensitive APIs of applications and still lack in-depth analysis of the coordination of sensitive behaviors, resulting in low accuracy. There are two main challenges in studying Android applications through domain correlation: characterizing sensitive feature domain correlation, and performing deep analysis and detection based on sensitive feature domain correlations. In this paper, we propose a new Android malware detection model called GCNDroid, which effectively detects Android malware based on the main sensitive behaviors of the application, as described by the sensitive feature domain correlation graph, and the domain correlation between those sensitive behaviors. First, in order to filter out the features that are more sensitive to classification, and to reduce the number of graph nodes so that analysis is faster, a dictionary of sensitive features is constructed. Then, we define a class or package as a domain, and sensitive features in the same domain have a domain correlation. From the relative range of the sensitive features' domains, we construct different domain correlation weights between sensitive features and generate the sensitive feature domain correlation graph, which accurately characterizes the sensitive behaviors in a specific functional module and the complete relationships between those behaviors. Next, based on this graph, we design a deep representation with a graph convolutional neural network to construct the Android malware detection model GCNDroid. In practice, GCNDroid can also be continuously updated with new features, adapting to new sensitive behaviors of mobile apps.
Finally, extensive evaluations of GCNDroid have been carried out and compared with traditional machine learning algorithms (SVM and decision tree) and deep learning algorithms (DNN and CNN); the results show that GCNDroid achieves high agreement on Android malware detection, with recall, F1-score, AUC and other metrics all exceeding 96%.
Key words: Android malware; domain correlation; GCN; sensitive features
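The abstract describes the graph construction only in outline: a fixed dictionary of sensitive features becomes the node set, a class or package is a domain, and two features that share a domain are joined by an edge whose weight depends on how narrow the shared domain is. The following Python sketch, added here as an illustration and not the authors' code, builds such a graph from constructed call-site data and prepares the symmetrically normalised adjacency that a graph convolutional network consumes. The dictionary contents, the call-site format (API name, enclosing class), the package-derived-from-class rule and the concrete weights (1.0 for the same class, 0.5 for the same package, 0 otherwise) are all assumptions; the paper's own weighting scheme is not given in the abstract.

```python
"""Sensitive-feature domain correlation graph (illustrative, not the paper's code).

Assumptions:
- call sites are (invoked API, enclosing class) pairs, as a static analyser of
  the app's bytecode would report them;
- the sensitive-feature dictionary is a fixed, ordered list of API names;
- a class is the narrow domain and its package the wide domain, so two
  features invoked in the same class get a higher correlation weight than two
  features that only share a package.  The weight values are assumed.
"""
from itertools import combinations
import math

# Constructed dictionary of sensitive APIs (a tiny stand-in for the real one).
SENSITIVE_DICT = [
    "TelephonyManager.getDeviceId",
    "SmsManager.sendTextMessage",
    "HttpURLConnection.connect",
    "LocationManager.getLastKnownLocation",
    "Runtime.exec",
]

# Assumed weights keyed by the narrowest domain two features share.
WEIGHT_SAME_CLASS = 1.0
WEIGHT_SAME_PACKAGE = 0.5


def package_of(class_name):
    """'com/x/a/Foo' -> 'com/x/a' (the class's enclosing package)."""
    return class_name.rsplit("/", 1)[0]


def build_domain_graph(call_sites, dictionary=SENSITIVE_DICT):
    """Return (node_names, adjacency): adjacency[i][j] is the domain
    correlation weight between dictionary features i and j.

    Dictionary features the app never calls stay as isolated nodes, so the
    matrix has the same shape for every app, which a GCN classifier needs."""
    index = {name: i for i, name in enumerate(dictionary)}
    n = len(dictionary)
    adj = [[0.0] * n for _ in range(n)]
    # Only calls to dictionary APIs become nodes; other calls are dropped.
    sites = [(api, cls) for api, cls in call_sites if api in index]
    for (api_a, cls_a), (api_b, cls_b) in combinations(sites, 2):
        if api_a == api_b:
            continue  # no self-loops from repeated calls to the same API
        if cls_a == cls_b:
            w = WEIGHT_SAME_CLASS
        elif package_of(cls_a) == package_of(cls_b):
            w = WEIGHT_SAME_PACKAGE
        else:
            continue  # different packages: no domain correlation
        i, j = index[api_a], index[api_b]
        # Keep the strongest relation seen for the pair; the graph is undirected.
        adj[i][j] = adj[j][i] = max(adj[i][j], w)
    return dictionary, adj


def normalize_adjacency(adj):
    """Symmetric normalisation D^-1/2 (A + I) D^-1/2, the usual GCN input."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1.0 if i == j else 0.0) for j in range(n)]
             for i in range(n)]
    deg = [sum(row) for row in a_hat]  # >= 1 thanks to the added self-loop
    return [[a_hat[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)]
            for i in range(n)]


# Constructed call sites of a hypothetical app (not real malware data).
SAMPLE_CALL_SITES = [
    ("TelephonyManager.getDeviceId", "com/example/app/MainActivity"),
    ("HttpURLConnection.connect", "com/example/app/MainActivity"),
    ("SmsManager.sendTextMessage", "com/example/app/SmsWorker"),
    ("Runtime.exec", "com/example/lib/Shell"),
    ("Log.d", "com/example/app/MainActivity"),  # not in dictionary: ignored
]

if __name__ == "__main__":
    nodes, adjacency = build_domain_graph(SAMPLE_CALL_SITES)
    for name, row in zip(nodes, adjacency):
        print(f"{name:40s} {row}")
```

On the constructed sample, device-ID read and network connect share a class and are joined with weight 1.0, while the SMS send in a sibling class of the same package is linked to both with weight 0.5; the shell execution in another package and the unused location API remain isolated. This is the property the abstract relies on: the graph encodes which sensitive behaviours sit together in one functional module, not merely which ones are present.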