基于机器学习的Android恶意软件静态检测系统的设计与实现

发布时间：2018-05-01 14:32

本文选题：静态分析 + 机器学习　；参考：《电子科技大学》2016年硕士论文

【摘要】：随着移动互联网时代的到来,Android智能手机获得了大量的普及。Android智能手机的功能也有了质的提升,从最开始的打电话发短信,变成现在集通讯、娱乐、社交、移动支付等功能于一身。手机在成为人们生活不可或缺的一部分的同时,也涉及到人们的各种隐私安全,手机一旦出现安全问题将造成不可挽回的后果。Android平台由于它自身的开源,开放等特性,使得它成为了恶意软件滋生的温床,恶意软件在当前已经对用户手机的安全问题构成了极大的威胁。面对恶意软件迅猛发展的趋势,传统的恶意软件检测方式已经不再适应。基于这样的背景,本文对Android恶意软件静态检测技术进行研究,设计和实现一个Android恶意软件静态检测系统,使得恶意软件的检测流程变得更加规范化、自动化、标准化,主要研究成果如下:1提出一种基于多种特征组合的静态检测方案。基于对Android安全机制的深入分析及对静态检测技术的研究,选取权限和API这两种最具有代表性的恶意软件静态特征组成混合特征向量。Android系统的每一种行为都有相应的权限与之对应,因此每一种权限组合都能反应出软件的特定行为模式,而API是软件行为代码级别的体现。2更加细粒度的特征选取和特征预处理。根据静态特征属性与应用软件恶意性的相关程度去除冗余特征,主要应用卡方校验、信息增益、TF-IDF这三种算法对相关性进行量化。在选取特征属性之后,再应用聚类的算法去除特征之间的相关性。3对机器学习算法进行改进。在训练阶段,利用奇异值分解和距离度量方案对K-Means算法稳定性进行改进。在检测阶段,通过在朴素贝叶斯算法和K近邻算法中加入权重因子来体现不同特征属性之间的差异性。在测试阶段通过横向测试和纵向测试对系统的各个方面进行测试。测试结果表明,将机器学习算法与传统的静态扫描技术结合起来,可以达到更好的检测效果同时对于新出现的恶意软件也能保持较高的识别率。其中整体识别准确率达到90%以上,误报率低于10%,达到预期目标。
[Abstract]:With the advent of the era of mobile Internet, Android smartphones have gained a lot of popularity. The function of Android smartphones has also improved qualitatively, from the beginning of making phone calls and texting, to the collection of communication, entertainment, social networking, Mobile payment and other functions in one. Mobile phone has become an indispensable part of people's life, but also involves people's various privacy security, once the mobile phone security problems will cause irreparable consequences. Android platform due to its own open source, open and other features, It has become the breeding ground of malware, which has posed a great threat to the security of mobile phone. In the face of the rapid development of malware, the traditional malware detection method is no longer suitable. Based on this background, this paper studies the Android malware static detection technology, designs and implements a Android malware static detection system, which makes the detection process of malware more standardized, automated and standardized. The main research results are as follows: 1. A static detection scheme based on multiple feature combinations is proposed. Based on the deep analysis of Android security mechanism and the research of static detection technology, The two most representative static features of malware, namely, permission and API, constitute the mixed eigenvector. Each behavior of Android system has corresponding permissions, so each combination of permissions can reflect the specific behavior pattern of software. API is a more fine-grained feature selection and feature preprocessing. According to the correlation degree between static feature attribute and malice of application software, the redundancy feature is removed, and the correlation is quantified by the three algorithms of chi-square check and information gain TF-IDF. After the feature attributes are selected, the machine learning algorithm is improved by using clustering algorithm to remove the correlation between features. In the training stage, the stability of K-Means algorithm is improved by using singular value decomposition and distance measurement scheme. In the detection phase, the difference between different feature attributes is reflected by adding weight factor into naive Bayes algorithm and K-nearest neighbor algorithm. All aspects of the system are tested through horizontal and longitudinal tests during the test phase. The test results show that the combination of machine learning algorithm and traditional static scanning technology can achieve better detection results and maintain a high recognition rate for emerging malware. The overall recognition accuracy is over 90%, and the false positive rate is lower than 10%.
【学位授予单位】：电子科技大学
【学位级别】：硕士
【学位授予年份】：2016
【分类号】：TP316;TP309

【参考文献】