Computer Engineering and Applications, 2018, Vol. 54, Issue (15): 67-73. DOI: 10.3778/j.issn.1002-8331.1703-0397

• Network, Communication and Security •

Detection of Android malware using resource features

LIU Chushu, WANG Weiping, LIU Pengfei

  1. School of Information Science and Engineering, Central South University, Changsha 410083, China
  • Online: 2018-08-01 Published: 2018-07-26

Abstract: The Android platform has come under frequent attack from hackers in recent years. As Android malware has multiplied, problems such as information leakage and property loss have grown more serious. This paper first measures how malicious and benign apps differ in two kinds of resource features, pictures and user-interface widgets, and then proposes MalAssassin, an Android malware detection method that incorporates resource features. MalAssassin performs static analysis on APK files and extracts 68 features in 8 categories: permissions, components, API calls, commands, hard-coded IP addresses and signing certificates, which are drawn from other research, together with the picture and widget resource features identified in this paper. These features are mapped into a vector space and used to train a detection model that classifies an app as benign or malicious. In an evaluation on 53,422 benign apps and 5,671 malicious apps, MalAssassin achieves 99.1% precision and recall, and the introduction of resource features lets it adapt well across different datasets.

Key words: Android, malware detection, machine learning