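Research on Android Malware Detection Based on Data Dependencies Between Sensitive APIs
Published: 2018-05-02 00:57
Topics: Android + malware; Source: Nanjing University, 2016 master's thesis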
[Abstract]: Over time, smartphones have worked their way into every aspect of human life and become an indispensable part of daily routine. Compared with traditional PC devices, smartphones carry a wide variety of sensors, and apps use the information from these sensors to provide rich functionality. However, these sensors and other features mean that a smartphone holds a great deal of its user's private data, such as location information, contacts, fingerprint information and SMS records. As a result, attacks on smartphones keep emerging, and smartphone security has become a problem in urgent need of a solution. In the current smartphone market, the Android platform's share far exceeds that of iOS, and Android is also very open, so more and more attackers target it, and the amount of malware on the Android platform has grown sharply. Research on malware detection for Android therefore has real practical significance for protecting user privacy and maintaining the Android ecosystem. To address the malware threat facing the Android platform, we design and implement DroidADDMiner, a machine-learning-based system that uses data dependencies as features to detect, classify and describe Android malware. DroidADDMiner combines static data-flow analysis with machine learning algorithms: it uses data-flow analysis to extract the data dependencies between sensitive APIs as feature information, generates feature vectors from that information, and then uses machine learning algorithms on the feature vectors to detect, classify and describe malware. DroidADDMiner first decompiles the APK file and converts the app's code into an intermediate-language representation, then selects a set of sensitive APIs and performs data-flow analysis based on them to obtain the data dependencies between these sensitive APIs. Once the data dependencies between sensitive APIs have been obtained, they are converted into feature vectors by mathematical methods, and these feature vectors are used by machine learning algorithms to train classifiers. DroidADDMiner uses machine learning classification algorithms such as Naive Bayes, Random Forest and Support Vector Machine to detect and classify malware, and uses the Apriori algorithm for association rule mining to automatically describe a malware sample's malicious behavior. We also evaluate experimentally the effectiveness of DroidADDMiner at malware detection, classification and description; the experiments show that DroidADDMiner achieves high accuracy without producing too many false positives.
[Degree-granting institution]: Nanjing University
[Degree level]: Master's
[Year degree granted]: 2016
[Classification number]: TP316; TP309
Article ID: 1831736
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/1831736.html