Research on Machine-Learning-Based Detection Methods for Malicious Android Applications

Published: 2018-10-18 18:42
[Abstract]: With the emergence of smartphones and the rapid development of the mobile Internet, the way users connect to the network is gradually shifting from the PC to mobile devices. Compared with the traditional PC, today's smartphone is no longer just a simple communication tool: many functions of the PC are now implemented on mobile. Android is currently the mobile operating system with the most users on the market, so a large number of users and developers pay attention to the Android application market. Malicious code developers have turned to this market as well, and the security of users' phones is seriously threatened. Given the large number of malicious applications in the Android application market, how to detect them efficiently is a problem that urgently needs to be solved. To address it, this thesis studies machine-learning-based methods for detecting malicious Android applications. The main research points are: (1) The state of research and existing results on Android malicious application detection, and the Android system architecture, are studied in depth; the security mechanisms Android inherits from the Linux kernel and the security mechanisms specific to Android, such as the sandbox mechanism and the permission mechanism, are analyzed. (2) The attack methods of malicious applications and the ways malicious code is implanted are analyzed; on this basis the decompiled files of Android applications are examined in depth, and the principles of the machine learning classification algorithms used in the thesis are analyzed. (3) A machine-learning-based scheme for detecting malicious Android applications is designed. For the characteristics of malicious applications, a detection scheme that uses N-gram Opcode features for machine learning is proposed. The experimental results show that the 3-gram Opcode features, produced with the rule that divides Dalvik instructions into 24 classes and with 3-grams, have the best performance. Then, combining the 3-gram Opcode features with API features and Permission features, repeated experiments were carried out on how the feature set and the classification algorithm affect classifier performance. These experiments show that a classifier trained with the random forest algorithm on the combined feature set of API features, Permission features and 3-gram Opcode features performs well, reaching a detection accuracy of 94% at a misjudgment rate of 5.3%, with an average prediction time of 10.06 s. A classifier trained with the random forest algorithm on the combined feature set of API features and Permission features has an average prediction time of 7.5 s at a detection accuracy of 94.1% and a misjudgment rate of 6.5%.
【Degree-granting institution】: Beijing Jiaotong University
【Degree level】: Master's
【Year degree granted】: 2017
【Classification number】: TP181; TP309
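
The 3-gram Opcode feature extraction described in the abstract, as an added sketch that is not code from the thesis: it reads decompiled smali, maps each Dalvik mnemonic to a category and counts category 3-grams per method. The prefix-to-category map, the function names and the sample smali are assumptions constructed here, because the thesis's 24-class rule is not given on this page.

```python
from collections import Counter

# Assumption: hypothetical prefix-to-category map, not the thesis's 24-class rule.
PREFIX_TO_CATEGORY = (
    ("move", "M"), ("return", "R"), ("const", "C"), ("invoke", "V"), ("goto", "G"),
    ("if-", "I"), ("new-", "N"), ("throw", "E"), ("iget", "T"), ("sget", "T"),
    ("aget", "T"), ("iput", "P"), ("sput", "P"), ("aput", "P"),
)

def categorize(opcode):
    """Map a Dalvik mnemonic to a one-letter category; 'X' if unlisted."""
    return next((c for p, c in PREFIX_TO_CATEGORY if opcode.startswith(p)), "X")

def method_sequences(smali_text):
    """Yield one category sequence per .method body found in smali text."""
    seq, in_method = [], False
    for raw in smali_text.splitlines():
        line = raw.strip()
        if line.startswith(".method"):
            seq, in_method = [], True
        elif line.startswith(".end method") and in_method:
            yield seq
            in_method = False
        elif in_method and line[:1].isalpha():  # skips directives, labels, comments, payload data
            seq.append(categorize(line.split()[0]))

def ngram_counts(smali_text, n=3):
    """Count category n-grams, never spanning two methods."""
    counts = Counter()
    for seq in method_sequences(smali_text):
        counts.update("".join(seq[i:i + n]) for i in range(len(seq) - n + 1))
    return counts

# Constructed sample, not taken from any real application.
SAMPLE_SMALI = """
.method public send()V
    const-string v0, "hello"
    invoke-static {v0}, Lcom/example/Demo;->deliver(Ljava/lang/String;)V
    return-void
.end method
.method public check(I)I
    if-lez p1, :cond_0
    const/4 v0, 0x1
    return v0
    :cond_0
    const/4 v0, 0x0
    return v0
.end method
"""
```

The resulting counts, laid out against a fixed n-gram vocabulary, give the numeric feature vector that a classifier such as random forest is trained on.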

