Authors: 张超钦 (Zhang Chaoqin); 胡光武 (Hu Guangwu) [3,4]; 王振龙 (Wang Zhenlong) [4]; 刘新宇 (Liu Xinyu) [5] (National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, Henan, China; School of Computer and Communication Engineering, Zhengzhou University of Light Industry, Zhengzhou 450002, Henan, China; School of Computer Science, Shenzhen Institute of Information Technology, Shenzhen 518172, Guangdong, China; Graduate School at Shenzhen, Tsinghua University, Shenzhen 518055, Guangdong, China; Shenzhen Jinzhou Seiko Technology Co., Ltd., Shenzhen 518055, Guangdong, China)
Affiliations: [1] National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450002, Henan; [2] School of Computer and Communication Engineering, Zhengzhou University of Light Industry, Zhengzhou 450002, Henan; [3] School of Computer Science, Shenzhen Institute of Information Technology, Shenzhen 518172, Guangdong; [4] Graduate School at Shenzhen, Tsinghua University, Shenzhen 518055, Guangdong; [5] Shenzhen Jinzhou Seiko Technology Co., Ltd., Shenzhen 518055, Guangdong
Source: 《计算机应用与软件》 (Computer Applications and Software), 2018, Issue 10, pp. 292-298 (7 pages)
Funding: National Natural Science Foundation of China (61202358); Natural Science Foundation of Guangdong Province (2015A030310492); Shenzhen Basic Research Project (JCYJ20160301152145171)
Abstract: To address malware detection on the Android operating system, this paper surveys existing detection methods and proposes a detection approach based on a Markov chain and a support vector machine (SVM). The method treats the sequence of calls an application (App) makes to Android system functions as a discrete-time Markov chain and computes the state transition probability matrix by counting the occurrence frequencies of adjacent system-call pairs. The transition probability matrix is then transformed into a feature vector, which serves as the SVM input for training and detection, so as to determine the nature of the App. Because the Markov chain takes the correlations between system calls into account, the scheme uses the system-call sequence to describe the dynamic behaviour of the App more accurately than traditional detection methods. Experimental results show that, compared with existing detection methods, the proposed method significantly improves detection accuracy.
Keywords: Android operating system; malware detection; system call; support vector machine; Markov chain
Classification: TP393 [Automation and Computer Technology / Computer Application Technology]
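The feature extraction the abstract describes, as an added example rather than the authors' code: a constructed trace of Android system calls is treated as a discrete-time Markov chain, adjacent-pair counts give the row-normalised transition matrix, and the flattened matrix is the SVM input. The system-call vocabulary and both traces are constructed for the example (the paper builds its state space from the calls it actually traces), the SVM training step is not included, and the frequency histogram is added as the traditional baseline to show why ordering-aware features separate traces that per-call counts cannot.

```python
from typing import Dict, List

# Constructed system-call vocabulary for the example; the paper derives its
# state space from the Android calls it actually traces.
SYSCALLS: List[str] = ["open", "read", "write", "close", "socket", "sendto"]
INDEX: Dict[str, int] = {name: i for i, name in enumerate(SYSCALLS)}


def transition_matrix(trace: List[str]) -> List[List[float]]:
    """Estimate P[i][j] = Pr(next call = j | current call = i) from adjacent pairs.

    The trace is one realisation of a discrete-time Markov chain whose states are
    the system calls; each adjacent pair (trace[k], trace[k+1]) is one transition.
    """
    n = len(SYSCALLS)
    counts = [[0] * n for _ in range(n)]
    for cur, nxt in zip(trace, trace[1:]):
        counts[INDEX[cur]][INDEX[nxt]] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        # A call that never occurs, or occurs only as the final call, has no
        # outgoing transitions: keep its row at zero instead of dividing by zero.
        matrix.append([c / total for c in row] if total else [0.0] * n)
    return matrix


def feature_vector(trace: List[str]) -> List[float]:
    """Flatten the n x n transition matrix row-major into the length n*n SVM input."""
    return [p for row in transition_matrix(trace) for p in row]


def call_histogram(trace: List[str]) -> List[float]:
    """Frequency-only features (the traditional baseline): insensitive to ordering."""
    return [trace.count(s) / len(trace) for s in SYSCALLS]


# Two constructed traces with identical per-call counts but different ordering.
TRACE_A = ["open", "read", "write", "close", "open", "read", "write", "close"]
TRACE_B = ["open", "read", "read", "open", "write", "write", "close", "close"]

if __name__ == "__main__":
    print("histograms equal:", call_histogram(TRACE_A) == call_histogram(TRACE_B))
    print("Markov features equal:", feature_vector(TRACE_A) == feature_vector(TRACE_B))
    for name, row in zip(SYSCALLS, transition_matrix(TRACE_B)):
        print(f"{name:>7}: {row}")
```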