Android Malware Application Detection Technology Based on the Application Behavior Division

Cited by: 2


Authors: LIN Zhonglin (林中霖); SHI Jinqiao (时金桥); WANG Meiqi (王美琪); WANG Xuebin (王学宾) [2,3]; WANG Yuyan (王雨燕)

Affiliations: [1] School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China; [2] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; [3] School of Cyberspace Security, University of Chinese Academy of Sciences, Beijing 100049, China

Source: Computer Engineering (《计算机工程》), 2023, No. 9, pp. 125-136 (12 pages)

Funding: Key Research and Development Program of Guangdong Province (2019B010137003).

Abstract: In current research on Android malware detection, techniques based on a single dimension of application features are vulnerable because hackers can design malicious code around the weaknesses of that feature, while techniques based on multiple feature dimensions suffer from low detection accuracy on new samples. Methods that divide application behavior features using user interaction information are widely used in multi-dimensional feature detection and significantly improve detection accuracy on new malicious samples. However, existing work distinguishes the user's conscious behavior from the application's hidden behavior by means of the text information on User Interface (UI) controls, and this approach has difficulty when that text is short. To address this, an application behavior division algorithm based on user interaction information is designed. By capturing the interactions between the user and the application, the time information of each interaction is obtained and used to divide application behavior, yielding a feature set of the user's conscious behavior and a feature set of the application's hidden behavior. A two-channel application classification model, 2ch-LSTM-TCN (two-channel Long Short-Term Memory Temporal Convolution Network), is designed and built to learn from both feature sets simultaneously and to classify after combining the outputs of the two channels. Experimental results show that the accuracy and recall of the proposed algorithm reach 94.8% and 93.3%, respectively, and that it can effectively distinguish benign Android applications from malicious ones. An automated Android malware detection prototype system is implemented.

Keywords: Android application; dynamic analysis; automated detection; malicious behavior; deep learning

Classification code: TP391 [Automation and Computer Technology: Computer Application Technology]

 
