Computer Engineering and Applications ›› 2018, Vol. 54 ›› Issue (24): 97-102. DOI: 10.3778/j.issn.1002-8331.1805-0241

• Networks, Communications and Security •

Detecting Android malware based on matching sequence of behavioral characteristic value

ZHANG Zhen, CAO Tianjie

  1. School of Computer Science and Technology, China University of Mining and Technology, Xuzhou, Jiangsu 221116, China
  • Online: 2018-12-15  Published: 2018-12-14

Abstract: To address the obfuscation, hiding and encryption of Android malicious code, and the insufficient detection capability of existing methods, a dynamic detection method based on sequences of behavioral characteristic values of malicious applications is proposed. First, a dynamic detection module is injected into the Zygote process of the Android system by remote injection, and inline hooking is performed to monitor important functions in applications. Then, the important behaviors of an Android application are obtained by monitoring these functions; each behavior is quantized into a characteristic value according to its features, and the characteristic values are arranged in chronological order to form a behavioral characteristic value sequence. A support vector machine is trained on 5 560 malicious samples to obtain the behavioral characteristic value sequence of each malicious-application family. Finally, this sequence is compared for similarity with the sequence of the application under test to decide whether the application is malicious. The method reaches a detection accuracy of 95.1% in the dynamic detection of malicious applications while adding only 21.9 KB of memory to the application under test. Experimental results show that the proposed method correctly detects malicious applications whose code has been obfuscated, encrypted or hidden, improves the accuracy of malicious application detection, reduces the memory footprint, and thus effectively improves detection performance.

Key words: Android malware, remote inline hook, dynamic detection, support vector machine, characteristic value sequence
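The quantization, chronological ordering and family-similarity steps described in the abstract, as an added worked example (not code from the paper or its authors). The page does not give the paper's quantization table, similarity measure or decision threshold, so the behavior-to-value table, the normalized longest-common-subsequence score and the 0.8 threshold below are assumptions; the hooked-API events and the family reference sequences are constructed sample data.

```python
"""Added example: behavioral characteristic value sequences and family matching.

Hooked-function events (constructed) are quantized to characteristic values,
ordered by time, and scored against family reference sequences (constructed).
The quantization table, the normalized LCS similarity and the threshold are
assumptions, not the paper's published choices.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Assumed quantization table: each monitored behavior maps to a small integer
# characteristic value. Unmonitored behaviors are simply absent from it.
BEHAVIOR_VALUES: Dict[str, int] = {
    "read_contacts": 1,
    "read_sms": 2,
    "send_sms": 3,
    "get_device_id": 4,
    "open_network": 5,
    "http_post": 6,
    "load_dex": 7,
    "exec_shell": 8,
}

# Constructed family reference sequences (stand-ins for the SVM-derived ones).
FAMILY_SEQUENCES: Dict[str, List[int]] = {
    "sms_stealer_family": [4, 2, 5, 3, 6],  # device id, read sms, net, send sms, post
    "dropper_family": [4, 7, 8, 5, 6],      # device id, load dex, shell, net, post
}


@dataclass(frozen=True)
class HookedEvent:
    timestamp_ms: int  # time at which the hooked function was observed
    behavior: str      # name of the monitored behavior


def to_characteristic_sequence(events: Sequence[HookedEvent]) -> List[int]:
    """Quantize events to characteristic values in chronological order.

    Events are sorted by timestamp first, because hooks may report out of
    order; behaviors not in the table are not monitored and are dropped.
    """
    ordered = sorted(events, key=lambda e: e.timestamp_ms)
    return [BEHAVIOR_VALUES[e.behavior] for e in ordered if e.behavior in BEHAVIOR_VALUES]


def lcs_length(a: Sequence[int], b: Sequence[int]) -> int:
    """Length of the longest common subsequence (order-preserving, gaps allowed)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0] * (len(b) + 1)
        for j, y in enumerate(b, 1):
            cur[j] = prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1])
        prev = cur
    return prev[-1]


def sequence_similarity(a: Sequence[int], b: Sequence[int]) -> float:
    """Assumed similarity: LCS length normalized by the longer sequence (0..1).

    Inserted noise behaviors lower the score gradually rather than breaking
    an exact match, which is the property a family match needs.
    """
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))


def best_family_match(seq: Sequence[int],
                      families: Dict[str, List[int]]) -> Tuple[str, float]:
    """Return the family with the highest similarity (first one wins on ties)."""
    best_name, best_score = "", -1.0
    for name, ref in families.items():
        score = sequence_similarity(seq, ref)
        if score > best_score:
            best_name, best_score = name, score
    return best_name, best_score


def classify(events: Sequence[HookedEvent],
             families: Dict[str, List[int]] = FAMILY_SEQUENCES,
             threshold: float = 0.8) -> Tuple[bool, str, float]:
    """Decide malicious/benign from the best family similarity (threshold assumed)."""
    seq = to_characteristic_sequence(events)
    name, score = best_family_match(seq, families)
    return score >= threshold, name, score


# Constructed sample: out-of-order timestamps, one unmonitored call, one extra
# behavior (read_contacts) not in the family reference.
SUSPICIOUS_EVENTS = [
    HookedEvent(120, "read_sms"),
    HookedEvent(30, "get_device_id"),
    HookedEvent(45, "get_wifi_state"),  # not monitored: dropped
    HookedEvent(80, "read_contacts"),
    HookedEvent(200, "open_network"),
    HookedEvent(260, "http_post"),
    HookedEvent(240, "send_sms"),
]

# Constructed sample of an app that only identifies the device and talks to the network.
BENIGN_EVENTS = [
    HookedEvent(10, "get_device_id"),
    HookedEvent(50, "open_network"),
    HookedEvent(90, "http_post"),
]

if __name__ == "__main__":
    for label, events in (("suspicious", SUSPICIOUS_EVENTS), ("benign", BENIGN_EVENTS)):
        print(label, to_characteristic_sequence(events), classify(events))
```

The suspicious sample quantizes to [4, 1, 2, 5, 3, 6] and scores 5/6 against the SMS-stealer reference, above the assumed threshold; the benign sample scores 0.6 against both families and stays below it. In a real deployment the threshold would be tuned on held-out samples, since a low threshold inflates false positives on apps that legitimately use the same APIs.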