• Journal of the China Computer Federation (CCF)
  • Chinese core science and technology journal
  • Chinese core journal

计算机工程与科学 (Computer Engineering & Science)


An Android malware detection method based on hybrid features

XU Lin-xi, GUO Fan

  1. (School of Computer and Information Engineering, Jiangxi Normal University, Nanchang 330022, Jiangxi, China)
  • Received: 2016-01-06; Revised: 2016-05-04; Online: 2017-10-25; Published: 2017-10-25
  • Funding:

    Research on the Formal Definition and Verification of Taint Analysis for Web Programs (61562040)

A hybrid feature-based detection method on Android malware

XU Lin-xi, GUO Fan

  1. (School of Computer and Science, Jiangxi Normal University, Nanchang 330022, China)
  • Received: 2016-01-06; Revised: 2016-05-04; Online: 2017-10-25; Published: 2017-10-25

Abstract (translated from the Chinese):

Android malware is numerous and highly harmful, and research into corresponding detection methods is a current focus. Existing methods extract only syntactic or only semantic features, and so struggle to characterise a malicious program's attack intent accurately. We propose a detection method that extracts a hybrid of syntactic and semantic features: the semantic features are the set of class-abstraction-based taint propagation paths, combined with syntactic features such as permission declarations and Intent-Actions. After the features are normalised, the K-means algorithm is applied to the training set to generate a feature vector for each malware family, and the Euclidean distance is used to measure the similarity between an unknown program and those feature vectors. A prototype was implemented on top of FlowDroid; analysis of 400 real programs shows that the method achieves fairly high precision.

Key words: malware detection, semantic features, taint propagation, clustering

Abstract:

Currently, Android malware detection is one of the hot spots in the security research field. Since Android is open source and very popular, the Android platform has become the target of most malware. Current approaches extract only syntax features or only semantic features, so it is difficult for them to determine the real intention of the malware exactly. We propose a hybrid feature extraction method, using the set of class-based taint propagation paths as semantic features and declared permissions and Intent-Actions as syntax features. We normalize all the extracted features before training, cluster the data set with K-means, and then produce a feature vector for each malware family. Finally, we adopt the Euclidean distance to measure the similarity between an unknown program and the family feature vectors. The prototype is implemented on top of FlowDroid to analyze 400 real programs, and the results demonstrate that the method achieves high precision.

Key words: malware detection, semantic features, taint propagation, clustering
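The pipeline the abstract describes (hybrid features normalised to fixed-length vectors, K-means to derive one feature vector per malware family, Euclidean distance to classify an unknown app) is illustrated below as an added example; it is not the authors' prototype or FlowDroid code. The training set, family names, permission/Intent-Action strings and taint paths are all constructed and hypothetical, and the K-means seeding is simplified for determinism.

```python
import math

# Constructed training set (hypothetical apps): a family label plus the three feature groups
# from the abstract: declared permissions, Intent-Actions and class-level taint paths (src -> sink).
TRAINING = [
    ("famA", {"perm:READ_SMS", "perm:INTERNET", "action:SMS_RECEIVED",
              "taint:SmsManager->HttpURLConnection"}),
    ("famA", {"perm:READ_SMS", "perm:INTERNET", "action:SMS_RECEIVED",
              "taint:SmsManager->Socket"}),
    ("famB", {"perm:READ_CONTACTS", "perm:INTERNET", "action:BOOT_COMPLETED",
              "taint:ContactsContract->HttpURLConnection"}),
    ("famB", {"perm:READ_CONTACTS", "perm:INTERNET", "action:BOOT_COMPLETED",
              "taint:ContactsContract->Socket"}),
]

def vectorize(features, vocab):
    # Normalise a feature set to a fixed-length 0/1 vector over the vocabulary,
    # so that apps with different feature counts are comparable by distance.
    return [1.0 if f in features else 0.0 for f in vocab]

def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans(vectors, k, rounds=20):
    # Minimal K-means; seeds are evenly spaced training vectors so the demo is deterministic.
    centroids = [list(v) for v in vectors[::max(1, len(vectors) // k)][:k]]
    for _ in range(rounds):
        labels = [min(range(k), key=lambda i: euclid(v, centroids[i])) for v in vectors]
        for i in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == i]
            if members:  # an empty cluster keeps its previous centroid
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, labels

def train(samples, k):
    # Cluster the training apps; each centroid becomes a family feature vector,
    # named after the majority family of the apps assigned to it.
    vocab = sorted(set().union(*(feats for _, feats in samples)))
    centroids, labels = kmeans([vectorize(f, vocab) for _, f in samples], k)
    families = {}
    for i, c in enumerate(centroids):
        fams = [samples[j][0] for j, lab in enumerate(labels) if lab == i]
        if fams:
            families[max(set(fams), key=fams.count)] = c
    return vocab, families

def classify(features, vocab, families):
    # Nearest family vector by Euclidean distance; features not in the vocabulary are ignored.
    v = vectorize(features, vocab)
    fam = min(families, key=lambda f: euclid(v, families[f]))
    return fam, euclid(v, families[fam])
```

In practice the returned distance should be compared against a per-family threshold learned from the training clusters, since a benign app will still get some "nearest" family.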