Abstract:
As the variety and number of malware on mobile terminals keep growing, this paper addresses the technical problems of single-feature detection of Android malware, namely incomplete coverage and a high false-alarm rate, by proposing a mobile terminal malware detection method based on hybrid dynamic and static features, in order to improve detection coverage, accuracy and efficiency. The method first builds a high-risk permission library and a sensitive API library using an improved CHI method and a K-Means method optimized with agglomerative hierarchical clustering, and then extracts hybrid features of the mobile terminal system from two sides, static analysis and dynamic analysis. In the static analysis, the APK file is first decompiled and analyzed to obtain permission request features and sensitive API call features; in the dynamic analysis, the dynamic behaviour of the APP is monitored in real time while it runs, and its sensitive API call frequency features and system state features during execution are extracted. Next, deviation normalization (min-max scaling), the TF-IDF weighting method and the precedence chart method are used to normalize the hybrid features and assign feature weights. Finally, evaluation metrics are constructed to test, compare and evaluate the hybrid-feature malware detection method proposed in this paper. Experimental results show that the method achieves good accuracy and efficiency in detecting Android malware and can effectively improve the precision of mobile terminal malware detection.
Key words: mobile terminal; malware detection; hybrid feature detection; machine learning; Android system
DOI: 10.19363/J.cnki.cn10-1380/tn.2022.03.08
Received: January 25, 2021; Revised: July 06, 2021
Funding: This work was supported by the National Key R&D Program of China (No.2020YFB1712201), the National Industrial Internet Innovation and Development Project (No.TC190A3X8-16-1, No.TC200H038), the Key R&D (Key Industrial Chain) Program of Shaanxi Province (No.2019ZDLGY12-07), the Taicang Innovation Project for Major Institutes (No.TC2019DYDS06), the Dongguan Science and Technology Equipment Mobilization Project (No.KZ2018-14), and the Key R&D Program of Shaanxi Province (No.2021ZDLGY05-05).
|
A Malware Detection Method Based on Hybrid Feature for Mobile Terminals
Yao Ye, Qian Liang, Zhu Yian, Zhang Lixiang, Jia Yao, Du Jiawei, Niu Juntao
School of Computer Science, Northwestern Polytechnical University, Xi'an 710064, China
Abstract:
At present, with the large-scale use of the Android system, malware based on the Android system keeps emerging and the number of virus types keeps increasing. Aiming at the problems of incomplete detection, low accuracy and a high false-alarm rate when Android malware is detected with a single feature, this article proposes a mobile terminal malware detection and analysis method based on mixed dynamic and static features, to improve the coverage, accuracy and efficiency of malware detection for Android systems. By combining the feature values extracted by the two detection methods, static analysis and dynamic analysis, the efficiency and accuracy of malware detection are further improved. First, the paper builds high-risk permission and sensitive API libraries based on the improved CHI method and the K-Means method optimized by agglomerative hierarchical clustering, and then extracts the mixed features of the mobile terminal system from static analysis and dynamic analysis. In the static analysis, the APK file is first decompiled, and the permission request features and sensitive API call features are analyzed. In the dynamic analysis, the dynamic behavior of the APP during execution is monitored in real time, and the frequency of sensitive API calls and the system status features during execution are extracted. Then the paper uses dispersion standardization (min-max normalization), the TF-IDF weight analysis method and the precedence chart (optimal sequence graph) method to normalize the mixed features and assign feature weights. Finally, the data sets downloaded from VirusShare and Drebin are de-duplicated and otherwise pre-processed.
Then the malware detection method based on the mixed features proposed in this article is compared and evaluated. Experimental results show that the method has good accuracy and efficiency for the detection of Android malware and effectively improves detection accuracy.
Key words: mobile terminal; malware detection; hybrid feature detection; machine learning; Android system
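The feature-engineering step the abstract describes (binary permission features weighted by TF-IDF, dynamic API call counts scaled by min-max normalization, then combined into one hybrid vector) can be illustrated on a small constructed sample. This is an added example, not the paper's code or data: the three apps, their permissions and call counts are invented, and the 0.4/0.6 group weights are placeholders standing in for the weights the paper derives with its precedence chart.

```python
import math
from collections import Counter

# Constructed sample records (hypothetical apps, not the paper's data set):
# static feature = permissions requested in the decompiled manifest,
# dynamic feature = sensitive-API call counts observed while the app ran.
APPS = {
    "app_a": {"perms": {"SEND_SMS", "READ_CONTACTS", "INTERNET"},
              "calls": {"sendTextMessage": 12, "getDeviceId": 3}},
    "app_b": {"perms": {"INTERNET", "ACCESS_FINE_LOCATION"},
              "calls": {"getLastKnownLocation": 40}},
    "app_c": {"perms": {"INTERNET"},
              "calls": {"getDeviceId": 1}},
}

def permission_idf(apps):
    """TF-IDF weight per permission. A permission is either requested or not, so
    TF is 1 and the weight reduces to IDF = ln(N / df): a permission every app
    requests (INTERNET here) gets weight 0 and stops influencing the score."""
    n = len(apps)
    df = Counter(p for rec in apps.values() for p in rec["perms"])
    return {p: math.log(n / df[p]) for p in df}

def minmax(column):
    """Min-max (deviation) normalisation of one dynamic feature across all apps."""
    lo, hi = min(column), max(column)
    return [0.0 if hi == lo else (v - lo) / (hi - lo) for v in column]

def hybrid_features(apps):
    """Return (feature_names, {app: vector}): weighted static part followed by
    the normalised dynamic part, in sorted feature order."""
    idf = permission_idf(apps)
    perms = sorted(idf)
    apis = sorted({a for rec in apps.values() for a in rec["calls"]})
    names = list(apps)
    static = {n: [idf[p] if p in apps[n]["perms"] else 0.0 for p in perms] for n in names}
    dyn_cols = {a: minmax([apps[n]["calls"].get(a, 0) for n in names]) for a in apis}
    vectors = {n: static[n] + [dyn_cols[a][i] for a in apis] for i, n in enumerate(names)}
    return perms + apis, vectors

def risk_score(vector, n_static, w_static=0.4, w_dynamic=0.6):
    """Weighted sum of the two feature groups. The group weights are assumed
    placeholders standing in for the paper's precedence-chart weights."""
    return w_static * sum(vector[:n_static]) + w_dynamic * sum(vector[n_static:])

if __name__ == "__main__":
    names, vecs = hybrid_features(APPS)
    n_static = len(permission_idf(APPS))
    for app, vec in vecs.items():
        print(app, [round(x, 3) for x in vec], round(risk_score(vec, n_static), 3))
```

On this sample app_a (SMS sending plus device-ID reads) scores highest and app_c, which only requests the ubiquitous INTERNET permission, scores lowest; a real classifier would be trained on such vectors rather than thresholding the sum.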