Obfuscation-resilient Android Malware Detection Based on Graph Convolutional Networks (Cited by: 5)


Authors: WU Yue-Ming (吴月明), QI Meng (齐蒙), ZOU De-Qing (邹德清), JIN Hai (金海) [1,4]

Affiliations: [1] National Engineering Research Center for Big Data Technology and System (Key Laboratory of Services Computing Technology and System, Ministry of Education, Huazhong University of Science and Technology), Wuhan 430074, China; [2] Hubei Key Laboratory of Distributed System Security, Wuhan 430074, China; [3] School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China; [4] School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China

Source: Journal of Software (软件学报), 2023, No. 6, pp. 2526-2542 (17 pages)

Funding: National Natural Science Foundation of China (62172168); Hubei Provincial Key Research and Development Program (2021BAA032).

Abstract: Since its release, Android has become the most widely used mobile phone operating system in the world thanks to its open source, rich hardware ecosystem and diverse application markets. At the same time, the explosive growth of Android devices and Android applications (apps) has made it the target of 96% of mobile malware. Among existing Android malware detection methods, those that ignore program semantics and directly extract simple program features are fast but not accurate enough, while those that convert program semantics into graph models and apply graph analysis are accurate but costly and poorly scalable. To address these challenges, this work extracts an app's program semantics as a function call graph and, while preserving the semantic information, applies API abstraction to convert the call graph into an abstract graph, which reduces runtime overhead and improves robustness. On the resulting abstract graph, a graph convolutional network (GCN) classifier, SriDroid, is trained with triplet loss to detect Android malware in an obfuscation-resilient way. Experiments on 20,246 Android apps show that SriDroid achieves 99.17% malware detection accuracy with sound robustness.
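The abstract describes collapsing a function call graph into an abstract graph by API abstraction before feeding it to a GCN. The following is an added illustration, not the authors' SriDroid code: it abstracts framework API nodes to an assumed set of package families, collapses app-defined methods (which an obfuscator can rename) into one node, shows that a renamed copy of the same toy app yields an identical abstract graph, and builds the symmetric-normalised adjacency a GCN layer would consume. The package families, the "app" placeholder and the call edges are all constructed for this example.

```python
import math

# Assumed API package families (illustrative; the paper's abstraction scheme may differ).
API_FAMILIES = ("android.telephony", "android.net", "java.net", "android.app")

def abstract_node(method):
    """Framework APIs keep only their package family; app-defined methods, which
    an obfuscator can freely rename, all collapse to the single node 'app'."""
    cls = method.rsplit(".", 1)[0]
    for fam in API_FAMILIES:
        if cls == fam or cls.startswith(fam + "."):
            return fam
    return "app"

def abstract_graph(edges):
    """Collapse (caller, callee) call-graph edges into a sorted abstract edge set."""
    return sorted({(abstract_node(a), abstract_node(b)) for a, b in edges})

def gcn_adjacency(abs_edges):
    """Build the symmetric-normalised adjacency D^-1/2 (A + I) D^-1/2 that a GCN
    layer multiplies node features by; returns (node order, matrix)."""
    nodes = sorted({n for e in abs_edges for n in e})
    idx = {n: i for i, n in enumerate(nodes)}
    n = len(nodes)
    a = [[1 if i == j else 0 for j in range(n)] for i in range(n)]  # self loops
    for u, v in abs_edges:  # treated as undirected for message passing
        a[idx[u]][idx[v]] = a[idx[v]][idx[u]] = 1
    deg = [sum(row) for row in a]
    norm = [[a[i][j] / math.sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]
    return nodes, norm

# Constructed call-graph edges for a toy data-collecting app, before and after an
# obfuscator renames its own classes and methods (framework APIs cannot be renamed).
ORIGINAL = [
    ("com.example.app.MainActivity.onCreate", "com.example.app.Collector.run"),
    ("com.example.app.Collector.run", "android.telephony.TelephonyManager.getDeviceId"),
    ("com.example.app.Collector.run", "com.example.app.Uploader.send"),
    ("com.example.app.Uploader.send", "java.net.HttpURLConnection.connect"),
]
OBFUSCATED = [
    ("a.b.c.a", "a.b.d.a"),
    ("a.b.d.a", "android.telephony.TelephonyManager.getDeviceId"),
    ("a.b.d.a", "a.b.e.b"),
    ("a.b.e.b", "java.net.HttpURLConnection.connect"),
]

def same_after_abstraction(e1, e2):
    """True when two concrete call graphs yield an identical abstract graph."""
    return abstract_graph(e1) == abstract_graph(e2)
```

Because renaming only touches the "app" nodes, the obfuscated copy produces the same abstract graph and therefore the same normalised adjacency as the original.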

Keywords: Android malware; obfuscation resilience; function call graph; abstract API; graph convolutional network

Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]
