Source: Journal of Cyber Security (《信息安全学报》), 2022, Issue 2, pp. 120-138 (19 pages)
Funding: National Key R&D Program of China (No.2020YFB1712201); National Industrial Internet Innovation and Development Project (No.TC190A3X8-16-1, No.TC200H038); Shaanxi Province Key R&D (Key Industry Chain) Project (No.2019ZDLGY12-07); Taicang City Large Institutes and Universities Innovation Project (No.TC2019DYDS06); Dongguan City Science and Technology Equipment Mobilization Project (No.KZ2018-14); Shaanxi Province Key R&D Program Project (No.2021ZDLGY05-05), and others
Abstract (translated from the Chinese): As the types and quantity of mobile terminal malware continue to grow, this paper addresses the incomplete detection and high false alarm rate of single-feature detection for Android malware and proposes a mobile terminal malware detection method based on mixed dynamic and static features, aiming to improve detection coverage, accuracy and efficiency. The method first builds a library of high-risk permissions and sensitive APIs using an improved CHI method and a K-Means method optimized with agglomerative hierarchical clustering, and then extracts mixed features of the mobile terminal system from both static and dynamic analysis. In the static analysis, the APK file is first decompiled and analyzed to obtain permission request features and sensitive API call features; in the dynamic analysis, the app's dynamic behavior is monitored in real time during execution to extract its sensitive API call frequency features and system state features at run time. The mixed features are then normalized and assigned feature weights using min-max normalization (离差标准化), TF-IDF weight analysis and the precedence chart method (优序图法), respectively. Finally, evaluation metrics are constructed to comparatively test, verify and evaluate the proposed mixed-feature malware detection method. Experimental results show that the method achieves good accuracy and efficiency in detecting Android malware and can effectively improve the precision of mobile terminal malware detection.
Abstract (original English): At present, with the large-scale use of the Android system, the types of malware based on the Android system are emerging endlessly, and the number of virus types is increasing. Aiming at the problems of incomplete detection, low accuracy rate and high false alarm rate of single-feature detection of Android system malware, this article proposes a mobile terminal malware detection and analysis method based on mixed dynamic and static features to improve the coverage, accuracy and efficiency of malware detection for Android systems. By combining the feature values extracted by the two detection methods, static analysis and dynamic analysis, the efficiency and accuracy of malware detection are further improved. First, the paper built high-risk permission and sensitive API libraries based on the improved CHI method and the K-Means method optimized by the agglomerative hierarchical clustering method, and then extracted the mixed characteristics of the mobile terminal system from static analysis and dynamic analysis. In the static analysis, the APK file was first decompiled, and the permission application characteristics and sensitive API call characteristics were analyzed. In the dynamic analysis, the dynamic behavior characteristics during the running of the APP were monitored in real time, and the frequency of sensitive API calls and the system status characteristics during the running process were extracted. Then the paper used dispersion standardization, the TF-IDF weight analysis method and the optimal sequence graph method to normalize the mixed features and assign feature weights. Finally, the data sets downloaded from VirusShare and Drebin were de-duplicated and otherwise processed, and the malware detection method based on the mixed features proposed in this article was compared and evaluated. Experimental results showed that the method in this paper had good accuracy and efficiency for the detection of Android system malware, and effectively improves the detection accuracy of malware.
Keywords: mobile terminal; malware detection; mixed-feature detection; machine learning; Android system
Classification code: TP391.9 [Automation and Computer Technology / Computer Application Technology]