融合行为模式的Android恶意代码检测方法

doi:10.3778/j.issn.1673-9418.2102048

计算机科学与探索 ›› 2022, Vol. 16 ›› Issue (8): 1792-1799.DOI: 10.3778/j.issn.1673-9418.2102048

融合行为模式的Android恶意代码检测方法

杨吉云⁺(), 范佳文¹, 周洁¹, 高凌云²

1. 重庆大学计算机学院，重庆 400044
2. 中国石油集团测井有限公司西南分公司，重庆 400030

收稿日期:2021-02-22 修回日期:2021-06-16 出版日期:2022-08-01 发布日期:2021-06-23
通讯作者: +E-mail: yangjy@cqu.edu.cn。
作者简介:杨吉云（1975—），男，重庆人，博士，副教授，主要研究方向为恶意代码检测、隐私保护等。
范佳文（1998—），男，四川广元人，硕士研究生，主要研究方向为信息安全、隐私保护等。
周洁（1995—），女，重庆垫江人，硕士研究生，主要研究方向为Android恶意代码检测、机器学习等。
高凌云（1984—），男，四川泸州人，硕士研究生，工程师，主要研究方向为钻井仪器仪表、井场信息化等。
基金资助:
重庆市技术创新与应用发展专项(cstc2019jscx-msxmX0077)

Android Malware Detection Method Based on Behavior Pattern

YANG Jiyun⁺(), FAN Jiawen¹, ZHOU Jie¹, GAO Lingyun²

1. School of Computer, Chongqing University, Chongqing 400044, China
2. China National Petroleum Corporation Logging Company Limited Southwest Branch, Chongqing 400030, China

Received:2021-02-22 Revised:2021-06-16 Online:2022-08-01 Published:2021-06-23
About author:YANG Jiyun, born in 1975, Ph.D., associate professor. His research interests include malware detection, privacy protection, etc.
FAN Jiawen, born in 1998, M.S. candidate. His research interests include information security, privacy protection, etc.
ZHOU Jie, born in 1995, M.S. candidate. Her research interests include Android malware detection, machine learning, etc.
GAO Lingyun, born in 1984, M.S. candidate, engineer. His research interests include oil well instruments, informatization in oil well, etc.
Supported by:
the Technological Innovation and Application Projects of Chongqing(cstc2019jscx-msxmX0077)

摘要/Abstract

摘要：

基于API调用序列的Android恶意代码检测方法大多使用N-gram和Markov Chain来构建行为特征实现恶意代码检测，但这类方法构造的特征序列长度受限且包含不相关的调用序列，检测精度不高。提出了一种基于行为模式的Android恶意代码检测方法。首先，通过调用序列约简和调用序列合并，提取了最长敏感API调用序列;然后，定义了加权支持度，在此基础上提出了改进的序列模式挖掘算法，挖掘不同类别样本中具有高区分度的序列模式作为分类特征;最后，使用不同的机器学习算法构建分类器实现恶意代码检测。实验结果表明，提出的方法在Android恶意代码检测中的精确度达到了96.11%，比基于API调用数据的两种同类恶意代码检测方法分别提高了4.60个百分点和2.11个百分点。因此，提出的方法能有效检测Android恶意代码。

关键词: 恶意代码检测, API调用序列, 行为模式, 序列模式挖掘

Abstract:

Most Android malware detection methods based on API (application programming interface) call sequences use N-gram and Markov chain to construct application behavior features. However, the feature sequences constructed by such approaches are of limited length and contain the call sequences unrelated to the malicious behavior, resulting in low detection accuracy. This paper proposes a method of detecting Android malware based on behavior pattern. Firstly, the longest sensitive API call sequence is extracted by call sequence reduction and call sequence merging. Then, the weighted support is defined, and an improved sequence pattern mining algorithm is proposed to mine sequence patterns with high discrimination from different categories of samples as classification features. Finally, different machine learning algorithms are used to construct classifier to detect malware. Experimental results show that the precision of the proposed method in Android malicious code detection reaches 96.11%, which is higher than the other two malicious code detection methods based on API call data, improved by 4.60 percentage points and 2.11 percentage points respectively. Therefore, the proposed method can effectively detect Android malicious code.

Key words: malware detection, API call sequences, behavior pattern, sequence pattern mining

中图分类号:

TP319

杨吉云, 范佳文, 周洁, 高凌云. 融合行为模式的Android恶意代码检测方法[J]. 计算机科学与探索, 2022, 16(8): 1792-1799.

YANG Jiyun, FAN Jiawen, ZHOU Jie, GAO Lingyun. Android Malware Detection Method Based on Behavior Pattern[J]. Journal of Frontiers of Computer Science and Technology, 2022, 16(8): 1792-1799.

图/表 7

图1 检测系统架构

Fig.1 Architecture of detection system

图2 函数调用图

Fig.2 Function call graph

图3 提取最长有效敏感API调用序列过程示例

Fig.3 Example of extracting the longest valid sensitive API call sequences

表1 混淆矩阵

Table 1 Confusion matrix

样本类别	预测为恶意	预测为良性
实际为恶意	TP	FN
实际为良性	FP	TN

表3 敏感API与频繁序列模式的结果对比

Table 3 Comparison of detection results of sensitive API and frequent sequence patterns

方法	Accuracy/%	Precision/%	F-measure/%	Time/s
敏感API	92.59	98.35	92.53	0.290
频繁序列模式	94.45	96.11	94.64	0.012

表2 不同分类算法检测结果

Table 2 Detection results of different classification algorithms %

分类算法	Accuracy	Precision	F-measure
3-NN	91.44	98.55	91.42
RF	93.04	96.20	93.25
MLP	94.45	96.11	94.64

表4 本文方法与其他方法的结果对比

Table 4 Comparison between proposed method and other methods %

方法	F-measure	Precision	Accuracy
本文方法	94.64	96.11	94.45
文献[21]	94.00	94.00	93.60
文献[12]	93.40	91.50	91.43

参考文献 21

[1]	GARTNER. Gartner says worldwide sales of smartphones grew 9 percent in first quarter of 2017[EB/OL]. [2021-01-12]. .
[2]	WANG W, LI Y, WANG X, et al. Detecting android malicious apps and categorizing benign apps with ensemble of classifiers[J]. Future Generation Computer Systems, 2018, 78: 987-994.
[3]	WANG X, WANG W, HE Y, et al. Characterizing Android apps’ behavior for effective detection of malapps at large scale[J]. Future Generation Computer Systems, 2017, 75: 30-45.
[4]	SARACINO A, SGANDURRA D, DINI G, et al. MADAM: effective and efficient behavior-based Android malware detection and prevention[J]. IEEE Transactions on Dependable & Secure Computing, 2018, 15(1): 83-97.
[5]	BADHANI S, MUTTOO S. CENDROID—a cluster-ensemble classifier for detecting malicious Android applications[J]. Computers & Security, 2019, 85: 25-40.
[6]	WANG W, WANG X, FENG D, et al. Exploring permission-induced risk in Android applications for malicious application detection[J]. IEEE Transactions on Information Forensics & Security, 2017, 9(11): 1869-1882.
[7]	SCALAS M, MAIORCA D, MERCALDO F, et al. On the effectiveness of system API-related information for Android ransomware detection[J]. Computers & Security, 2019, 86.
[8]	FAN M, LUO X, LIU J, et al. CTDroid: leveraging a corpus of technical blogs for Android malware analysis[J]. IEEE Transactions on Reliability, 2020, 69(1): 124-138.
[9]	XU K, LI Y, DENG R. ICCDetector: ICC-based malware detection on Android[J]. IEEE Transactions on Information Forensics and Security, 2016, 11(6): 1252-1264.
[10]	陈铁明, 杨益敏, 陈波. Maldetect:基于Dalvik指令抽象的Android恶意代码检测系统[J]. 计算机研究与发展, 2016, 53(10): 2298-2305.
	CHEN T M, YANG Y M, CHEN B. Maldetect: an Android malware detection system based on abstraction of Dalvik instructions[J]. Journal of Computer Research and Development, 2016, 53(10): 2298-2305.
[11]	LEI T, QIN Z, WANG Z, et al. EveDroid: event-aware Android malware detection against model degrading for IoT devices[J]. IEEE Internet of Things Journal, 2019, 6(4): 6668-6680.
[12]	陈铁明, 徐志威. 基于API调用序列的Android恶意代码检测方法研究[J]. 浙江工业大学学报, 2018, 46(2): 147-154.
	CHEN T M, XU Z W. Research on detection of Android malicious code based on API call sequence[J]. Journal of Zhejiang University of Technology, 2018, 46(2): 147-154.
[13]	ONWUZURIKE L, MARICONTI E, ANDRIOTIS P, et al. MaMaDroid: detecting Android malware by building Markov chains of behavioral models (extended version)[J]. ACM Transactions on Privacy & Security, 2019, 22(2): 14.
[14]	ZHANG H, LUO S, ZAHNG Y, et al. An efficient Android malware detection system based on method-level behavioral semantic analysis[J]. IEEE Access, 2019, 7: 69246-69256.
[15]	ZHU J W, WU Z G, GUAN Z, et al. API sequences based malware detection for Android[C]// Proceedings of the 2015 IEEE 12th International Conference on Ubiquitous Intelligence and Computing and 2015 IEEE 12th International Conference on Autonomic and Trusted Computing and 2015 IEEE 15th International Conference on Scalable Computing and Com-munications and Its Associated Workshops, Beijing, Aug 10-14, 2015. Washington: IEEE Computer Society, 2015: 673-676.
[16]	AU K W Y, ZHOU Y F, HUANG Z, et al. PScout: analyzing the Android permission specification[C]// Proceedings of the 2012 ACM Conference on Computer and Communications Security, Raleigh, Oct 16-18, 2012. New York: ACM, 2012: 217-228.
[17]	ARZT S, RASTHOFER S, FRITZ C, et al. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android Apps[C]// Proceedings of the 2014 ACM SIGPLAN Conference on Programming Language Design and Implementation, Edinburgh, Jun 9-11, 2014. New York: ACM, 2014: 259-269.
[18]	刘星, 唐勇. 恶意代码的函数调用图相似性分析[J]. 计算机工程与科学, 2014, 36(3): 481-486.
	LIU X, TANG Y. Similarity analysis of malware’s function-call graphs[J]. Computer Engineering & Science, 2014, 36(3): 481-486.
[19]	FAN M, LIU J, WANG W, et al. DAPASA: detecting An- droid piggybacked APPs through sensitive subgraph analysis[J]. IEEE Transactions on Information Forensics and Security, 2017, 12(8): 1772-1785.
[20]	AGRAWAL R, SRIKANT R. Mining sequential patterns[C]// Proceedings of the 11th International Conference on Data Engineering, Taipei, China, Mar 6, 1995. New York:ACM, 2015: 3-14.
[21]	张家旺, 李燕伟. 基于N-gram算法的恶意程序检测系统研究与设计[J]. 信息网络安全, 2016(8): 74-80.
	ZHANG J W, LI Y W. Research and design on malware detection system based on N-gram algorithm[J]. Netinfo Security, 2016(8): 74-80.

融合行为模式的Android恶意代码检测方法

Android Malware Detection Method Based on Behavior Pattern

RichHTML

PDF

可视化

摘要/Abstract

引用本文

使用本文

图/表 7

参考文献 21

相关文章 2

编辑推荐

Metrics

[1]	马丹, 万良, 程琪芩, 孙志强. Attention-CNN在恶意代码检测中的应用研究[J]. 计算机科学与探索, 2021, 15(4): 670-681.
[2]	王传安，张天会，赵海燕，周广新. SCADA系统通信网中的高级持续性攻击检测方法[J]. 计算机科学与探索, 2015, 9(3): 352-359.