安卓恶意软件检测的研究

发布时间：2018-03-15 19:57

本文选题：Android操作系统　切入点：恶意软件检测　出处：《北京交通大学》2017年硕士论文　论文类型：学位论文

【摘要】：Android系统由于免费、开源、可移植等优点,在移动市场发展迅猛,成为占有率最高的操作系统。Android流行的同时,伴随着层出不穷的恶意软件。恶意软件可以窃听通话、窃取信息、推送广告或诈骗信息,最严重的是误导用户使用支付业务,给用户带来经济损失。它的存在不仅损害了用户的切身利益,而且影响了 Android市场的良性发展。因此,如何准确且高效地检测出恶意软件成为该领域的研究热点。现有的恶意软件检测方法大多从不同角度收集数据,然后将这些数据作为研究对象,但是这些数据存在冗余和很多不确定性。另外,常用的二分类方法依赖现有样本,检测变异的软件或者未知恶意软件的效果还有待改进。针对上述问题本文提出了两种特征优化算法和改进的SVDD算法。本文采用了三层架构的检测模型,即"数据采集-数据处理-样本检测",并对该模型进行分析、优化和验证。本论文的工作主要包括以下几点:(1)优化特征库。首先搜集了大量的良性软件和恶意软件,调用相关工具批量反编译Android软件,再以自动化的方式获取每个应用程序原始代码中的系统调用、权限等特征,构建静态行为特征库。在数据处理时,通过概率统计和数据分层的方法找到信息量高的特征,降低信息的不确定性,实验结果表明使用优化后的特征对检测率和误判率几乎没有影响,但提高了未知恶意软件的检测率,减少了训练检测模型的时间。(2)改进异常检测算法。安卓恶意软件在不断发展和变化中,利用现有的软件构建的检测模型去检测未知的软件未必适用。由于收集恶意软件困难导致正负样本比例不均衡,因此引入异常检测算法,只利用正常样本建立检测模型,解决恶意软件收集困难的问题。不同的安卓软件有其自身的活动特点,软件行为越多、表现越活跃,提取到的静态行为特征就越多,那么可以用特征频率表现软件的行为特点。本文将特征频率与SVDD相结合进而改进SVDD算法,实验表明该方法具有增强区分恶意软件与良性软件的能力。
[Abstract]:Due to the advantages of free, open source, portable and so on, Android system has developed rapidly in the mobile market and become the most popular operating system. Android has become the most popular operating system. At the same time, it is accompanied by an endless stream of malware. Malware can eavesdrop on calls and steal information. The most serious problem in pushing advertising or fraud information is to mislead users into using payment business and bring economic losses to users. Its existence not only damages the vital interests of users, but also affects the benign development of the Android market. How to detect malware accurately and efficiently becomes a research hotspot in this field. Most of the existing malware detection methods collect data from different angles and take these data as the research object. But there is redundancy and a lot of uncertainty in these data. In addition, the commonly used two-classification method relies on existing samples. The effect of detecting mutation software or unknown malware still needs to be improved. In view of the above problems, this paper proposes two feature optimization algorithms and an improved SVDD algorithm. That is, "data acquisition, data processing and sample detection", and analyzes, optimizes and verifies the model. The work of this paper mainly includes the following points: 1) optimizing the signature library. Firstly, a large number of benign software and malware are collected. Call the related tools batch decompiling Android software, then automatically obtain the system calls, permissions and other characteristics in the original code of each application, build the static behavior signature library. The method of probability statistics and data stratification is used to find the features with high information content and reduce the uncertainty of information. The experimental results show that the optimized features have little effect on the detection rate and misjudgment rate. But it improves the detection rate of unknown malware, reduces the time to train the detection model, and improves the anomaly detection algorithm. The detection model constructed by the existing software may not be suitable for detecting unknown software. Due to the difficulty of collecting malware, the proportion of positive and negative samples is not balanced, so the anomaly detection algorithm is introduced, and only normal samples are used to establish the detection model. Solve the problem of malware collection. Different Android software has its own characteristics of activity, the more software behavior, the more active, the more static behavior features extracted, In this paper, the feature frequency is combined with SVDD to improve the SVDD algorithm. Experiments show that this method can enhance the ability to distinguish malware from benign software.
【学位授予单位】：北京交通大学
【学位级别】：硕士
【学位授予年份】：2017
【分类号】：TP309;TP316

【相似文献】