基于BPSO-NB算法的Android恶意应用检测方法

为了提高Android恶意应用检测效率,将二值粒子群算法(BPSO,Binary Particle Swarm Optimization)用于原始特征全集的优化选择,并结合朴素贝叶斯(NB,Nave Bayesian)分类算法,提出一种基于BPSO-NB的Android恶意应用检测方法。该方法首先对未知应用进行静态分析,提取AndroidManifest.xml文件中的权限信息作为特征。然后,采用BPSO算法优化选择分类特征,并使用NB算法的分类精度作为评价函数。最后采用NB分类算法构建Android恶意应用分类器。实验结果表明,通过二值粒子群优化选择分类特征可以有效提高分类精度,缩短检测时间。      

基于Bagging-SVM的Android恶意软件检测模型

针对Android恶意软件检测中数据不平衡导致检出率低的问题,提出一种基于Bagging-SVM（支持向量机）集成算法的Android恶意软件检测模型。首先,提取AndroidManifest.xml文件中的权限信息、意图信息和组件信息作为特征;然后,提出IG-ReliefF混合筛选算法用于数据集降维,采用bootstrap抽样构造多个平衡数据集;最后,采用平衡数据集训练基于Bagging算法的SVM集成分类器,通过该分类器完成Android恶意软件检测。在分类检测实验中,当良性样本和恶意样本数量平衡时,Bagging-SVM和随机森林算法检出率均高达99.4%;当良性样本和恶意样本的数量比为4：1时,相比随机森林和AdaBoost算法,Bagging-SVM算法在检测精度不降低的条件下,检出率提高了6.6%。实验结果表明所提模型在数据不平衡时仍具有较高的检出率和分类精度,可检测出绝大多数恶意软件。     

Android malware detection based on system call sequences and LSTM

As Android-based mobile devices become increasingly popular, malware detection on Android is very crucial nowadays. In this paper, a novel detection method based on deep learning is proposed to distinguish malware from trusted applications. Considering there is some semantic information in system call sequences as the natural language, we treat one system call sequence as a sentence in the language and construct a classifier based on the Long Short-Term Memory (LSTM) language model. In the classifier, at first two LSTM models are trained respectively by the system call sequences from malware and those from benign applications. Then according to these models, two similarity scores are computed. Finally, the classifier determines whether the application under analysis is malicious or trusted by the greater score. Thorough experiments show that our approach can achieve high efficiency and reach high recall of 96.6% with low false positive rate of 9.3%, which is better than the other methods.

     

基于最小距离分类器的Android恶意软件检测方案

针对Android手机应用商店对大规模软件的安全性检测问题,提出了一套轻量级恶意软件检测方案。该方案首先分析大量恶意软件和正常软件样本的权限信息,再对权限频率特征去冗余,最后利用最小距离分类器进行软件分类。实验结果表明该方案的可行性,通过与其他方案对比,在方案复杂度和检测效果上表现出优越性,可以应用于大规模恶意软件的初步检测。     

FSDroid:- A feature selection technique to detect malware from Android using Machine Learning Techniques

With the recognition of free apps, Android has become the most widely used smartphone operating system these days and it naturally invited cyber-criminals to build malware-infected apps that can steal vital information from these devices. The most critical problem is to detect malware-infected apps and keep them out of Google play store. The vulnerability lies in the underlying permission model of Android apps. Consequently, it has become the responsibility of the app developers to precisely specify the permissions which are going to be demanded by the apps during their installation and execution time. In this study, we examine the permission-induced risk which begins by giving unnecessary permissions to these Android apps. The experimental work done in this research paper includes the development of an effective malware detection system which helps to determine and investigate the detective influence of numerous well-known and broadly used set of features for malware detection. To select best features from our collected features data set we implement ten distinct feature selection approaches. Further, we developed the malware detection model by utilizing LSSVM (Least Square Support Vector Machine) learning approach connected through three distinct kernel functions i.e., linear, radial basis and polynomial. Experiments were performed by using 2,00,000 distinct Android apps. Empirical result reveals that the model build by utilizing LSSVM with RBF (i.e., radial basis kernel function) named as FSdroid is able to detect 98.8% of malware when compared to distinct anti-virus scanners and also achieved 3% higher detection rate when compared to different frameworks or approaches proposed in the literature.

     

Android malware detection through hybrid features fusion and ensemble classifiers: The AndroPyTool framework and the OmniDroid dataset

Cybersecurity has become a major concern for society, mainly motivated by the increasing number of cyber attacks and the wide range of targeted objectives. Due to the popularity of smartphones and tablets, Android devices are considered an entry point in many attack vectors. Malware applications are among the most used tactics and tools to perpetrate a cyber attack, so it is critical to study new ways of detecting them. In these detection mechanisms, machine learning has been used to build classifiers that are effective in discerning if an application is malware or benignware. However, training such classifiers require big amounts of labelled data which, in this context, consist of categorised malware and benignware Android applications represented by a set of features able to describe their behaviour. For that purpose, in this paper we present OmniDroid, a large and comprehensive dataset of features extracted from 22,000 real malware and goodware samples, aiming to help anti-malware tools creators and researchers when improving, or developing, new mechanisms and tools for Android malware detection. Furthermore, the characteristics of the dataset make it suitable to be used as a benchmark dataset to test classification and clustering algorithms or new representation techniques, among others. The dataset has been released under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License and was built using AndroPyTool, our automated framework for dynamic and static analysis of Android applications. Finally, we test a set of ensemble classifiers over this dataset and propose a malware detection approach based on the fusion of static and dynamic features through the combination of ensemble classifiers. The experimental results show the feasibility and potential usability (for the machine learning, soft computing and cyber security communities) of our automated framework and the publicly available dataset.     

Android恶意软件的多特征协作决策检测方法

由于智能手机使用率持续上升促使移动恶意软件在规模和复杂性方面发展更加迅速。作为免费和开源的系统,目前Android已经超越其他移动平台成为最流行的操作系统,使得针对Android平台的恶意软件数量也显著增加。针对Android平台应用软件安全问题,提出了一种基于多特征协作决策的Android恶意软件检测方法,该方法主要通过对Android 应用程序进行分析、提取特征属性以及根据机器学习模型和分类算法判断其是否为恶意软件。通过实验表明,使用该方法对Android应用软件数据集进行分类后,相比其他分类器或算法分类的结果,其各项评估指标均大幅提高。因此,提出的基于多特征协作决策的方式来对Android恶意软件进行检测的方法可以有效地用于对未知应用的恶意性进行检测,避免恶意应用对用户所造成的损害等。     

基于应用分类和系统调用的Android恶意程序检测

针对Android平台恶意程序泛滥的问题,提出一种基于应用分类和系统调用的恶意程序检测方法。以Google Play为依据进行应用程序分类,利用运行时产生的系统调用频数计算每个类别的系统调用使用阈值。当应用程序安装运行时,手机端收集应用程序权限信息和产生的系统调用信息发给远程服务器,远程服务器根据权限信息采用序列最小优化算法给应用程序进行分类,分类后利用系统调用频数计算出系统调用使用值,与该类别的阈值进行比较判断是否恶意程序,将分类结果及判定结果反馈给用户,由用户判断是否需要更改分类重新检测。实验结果表明了该方法的可行性和有效性,不仅减少了手机的资源消耗,又能对产生恶意行为的应用程序及时做出反应。     

MAPAS: a practical deep learning-based android malware detection system

A lot of malicious applications appears every day, threatening numerous users. Therefore, a surge of studies have been conducted to protect users from newly emerging malware by using machine learning algorithms. Albeit existing machine or deep learning-based Android malware detection approaches achieve high accuracy by using a combination of multiple features, it is not possible to employ them on our mobile devices due to the high cost for using them. In this paper, we propose MAPAS, a malware detection system, that achieves high accuracy and adaptable usages of computing resources. MAPAS analyzes behaviors of malicious applications based on API call graphs of them by using convolution neural networks (CNN). However, MAPAS does not use a classifier model generated by CNN, it only utilizes CNN for discovering common features of API call graphs of malware. For efficiently detecting malware, MAPAS employs a lightweight classifier that calculates a similarity between API call graphs used for malicious activities and API call graphs of applications that are going to be classified. To demonstrate the effectiveness and efficiency of MAPAS, we implement a prototype and thoroughly evaluate it. And, we compare MAPAS with a state-of-the-art Android malware detection approach, MaMaDroid. Our evaluation results demonstrate that MAPAS can classify applications 145.8% faster and uses memory around ten times lower than MaMaDroid. Also, MAPAS achieves higher accuracy (91.27%) than MaMaDroid (84.99%) for detecting unknown malware. In addition, MAPAS can generally detect any type of malware with high accuracy.

     

基于移动软件行为大数据挖掘的恶意软件检测技术

目前移动恶意软件数量呈爆炸式增长,变种层出不穷,日益庞大的特征库增加了安全厂商在恶意软件样本处理方面的难度,传统的检测方式已经不能及时有效地处理软件行为样本大数据。基于机器学习的移动恶意软件检测方法存在特征数量多、检测准确率低和不平衡数据的问题。针对现存的问题,文章提出了基于均值和方差的特征选择方法,以减少对分类无效的特征;实现了基于不同特征提取技术的集合分类方法,包括主成分分析、Kaehunen-Loeve 变换和独立成分分析,以提高检测的准确性。针对软件样本的不平衡数据,文章提出了基于决策树的多级分类集成模型。实验结果表明,文章提出的三种检测方法都可以有效地检测 Android平台中的恶意软件样本,准确率分别提高了6.41%、3.96%和3.36%。     

图卷积网络的抗混淆安卓恶意软件检测

自安卓发布以来,由于其开源、硬件丰富和应用市场多样等优势,安卓系统已经成为全球使用最广泛的手机操作系统。同时,安卓设备和安卓应用的爆炸式增长也使其成为96%移动恶意软件的攻击目标。现存的安卓恶意软件检测方法中,忽视程序语义而直接提取简单程序特征的方法检测速度快但精确度不理想,将程序语义转换为图模型并采用图分析的方法精确度高但开销大且扩展性低。为了解决上述挑战,本文将应用的程序语义提取为函数调用图,保留语义信息的同时采用抽象API技术将调用图转换为抽象图以减少运行开销并增强鲁棒性。基于得到的抽象图,以Triplet Loss损失训练构建基于图卷积神经网络的抗混淆安卓恶意软件分类器SriDroid。对20246个安卓应用进行实验分析之后,发现SriDroid可以达到99.17%的恶意软件检测精确度,并具有良好的鲁棒性。     

基于权限相关性的Android恶意软件检测

针对Android平台恶意软件检测需求和Android权限特征冗余的问题,提出一套从权限相关性角度快速检测恶意软件的方案。采用卡方检验计算各权限属性对于分类结果的影响大小,去除冗余权限特征,再对权限属性聚类,提取代表性权限特征,进一步减少冗余。最后利用基于不同权限特征权重的改进朴素贝叶斯算法进行软件分类。在收集的2000个软件样本上进行了实验,恶意软件漏检率为10.33%,总体预测准确率达到88.98%。实验结果表明,该方案利用少量权限特征,能够初步检测Android应用软件是否有恶意倾向,为深入判断分析提供参考依据。     

SBMDS: an interpretable string based malware detection system using SVM ensemble with bagging

Malicious executables are programs designed to infiltrate or damage a computer system without the owner’s consent, which have become a serious threat to the security of computer systems. There is an urgent need for effective techniques to detect polymorphic, metamorphic and previously unseen malicious executables of which detection fails in most of the commercial anti-virus software. In this paper, we develop interpretable string based malware detection system (SBMDS), which is based on interpretable string analysis and uses support vector machine (SVM) ensemble with Bagging to classify the file samples and predict the exact types of the malware. Interpretable strings contain both application programming interface (API) execution calls and important semantic strings reflecting an attacker’s intent and goal. Our SBMDS is carried out with four major steps: (1) first constructing the interpretable strings by developing a feature parser; (2) performing feature selection to select informative strings related to different types of malware; (3) followed by using SVM ensemble with bagging to construct the classifier; (4) and finally conducting the malware detector, which not only can detect whether a program is malicious or not, but also can predict the exact type of the malware. Our case study on the large collection of file samples collected by Kingsoft Anti-virus lab illustrate that: (1) The accuracy and efficiency of our SBMDS outperform several popular anti-virus software; (2) Based on the signatures of interpretable strings, our SBMDS outperforms data mining based detection systems which employ single SVM, Naive Bayes with bagging, Decision Trees with bagging; (3) Compared with the IMDS which utilizes the objective-oriented association (OOA) based classification on API calls, our SBMDS achieves better performance. Our SBMDS system has already been incorporated into the scanning tool of a commercial anti-virus software.     

基于机器学习算法的Android恶意程序检测系统

对于传统的恶意程序检测方法存在的缺点,针对将数据挖掘和机器学习算法被应用在未知恶意程序的检测方法进行研究。当前使用单一特征的机器学习算法无法充分发挥其数据处理能力,检测效果不佳。文中将语音识别模型与随机森林算法相结合,首次提出了综和APK文件多类特征统一建立N-gram模型,并应用随机森林算法用于未知恶意程序检测。首先,采用多种方式提取可以反映Android恶意程序行为的3类特征,包括敏感权限、DVM函数调用序列以及OpCodes特征;然后,针对每类特征建立N-gram模型,每个模型可以独立评判恶意程序行为;最后,3类特征模型统一加入随机森林算法进行学习,从而对Android程序进行检测。基于该方法实现了Android恶意程序检测系统,并对811个非恶意程序及826个恶意程序进行检测,准确率较高。综合各个评价指标,与其他相关工作对比,实验结果表明该系统在恶意程序检测准确率和有效性上表现更优。     

A Dynamic Online Protection Framework for Android Applications

At present, Android is the most popular Operating System (OS) which is widespreadly installed on mobile phones, smart TVs and other wearable devices. Due to its overwhelming market share, Android attracts the attentions from many attackers. Reverse Engineering technology plays an important role in the field of Android security, such as cracking applications, malware analysis, software protection, etc. In order to prevent others from obtaining the real codes and tampering them, this paper designs and implements a online dynamic protection framework by deploying dynamic anti-debugging technology for Android application with comprehensive utilization of encryption, dynamic loading and shell technologies. Evaluated the performance on different aspects, the proposed framework can work effectively for Android application protection. Comparing with the static protection scheme, the proposed online dynamic protection framework can prevent the android applications from cracking and malicious analysis to the utmost.     

改进随机森林在Android恶意软件检测中的应用

为解决Android恶意软件检测问题,提出一种利用多特征基于改进随机森林算法的Android恶意软件静态检测模型。模型采用了基于行为的静态检测技术,选取Android应用的权限、四大组件、API调用以及程序的关键信息如动态代码、反射代码、本机代码、密码代码和应用程序数据库等属性特征,对特征属性进行优化选择,并生成对应的特征向量集合。最后对随机森林算法进行改进,并将其应用到本模型的Android应用检测中。实验选取了6?000个正常样本和6?000个恶意样本进行分类检测,结果表明该方法具有较好的检测效果。     

A Dynamic Online Protection Framework for Android Applications

At present, Android is the most popular Operating System (OS) which is widespreadly installed on mobile phones, smart TVs and other wearable devices. Due to its overwhelming market share, Android attracts the attentions from many attackers. Reverse Engineering technology plays an important role in the field of Android security, such as cracking applications, malware analysis, software protection, etc. In order to prevent others from obtaining the real codes and tampering them, this paper designs and implements a online dynamic protection framework by deploying dynamic anti-debugging technology for Android application with comprehensive utilization of encryption, dynamic loading and shell technologies. Evaluated the performance on different aspects, the proposed framework can work effectively for Android application protection. Comparing with the static protection scheme, the proposed online dynamic protection framework can prevent the android applications from cracking and malicious analysis to the utmost.     

基于深度神经网络的Android恶意软件检测方法

Android 系统正日益面临着恶意软件的攻击威胁。针对支持向量机等传统机器学习方法难以有效进行大样本多分类的恶意软件检测,提出一种基于深度神经网络的Android恶意软件检测与家族分类方法。该方法在全面提取应用组件、Intent Filter、权限、数据流等特征基础上,进行有效的特征选择以降低维度,基于深度神经网络进行面向恶意软件的大样本多分类检测。实验结果表明,该方法能够进行有效检测和分类,良性、恶意二分类精度为 97.73%,家族多分类精度可达到 93.54%,比其他机器学习算法有更好的分类效果。     

基于FWKN-SVM的Android异常入侵检测的研究

针对Android手机平台提出了基于特征加权K最近邻支持向量机(FWKN-SVM)的异常入侵检测方法.首先,分析了传统SVM在实际应用中的局限性,提出了一种基于特征类内类间距离的特征加权K最近邻的训练集约减策略.随后,根据手机恶意软件对系统造成的影响定义了系统行为,并通过在Android手机上编写的数据采集模块构建测试集和训练集.最后,利用特征加权K最近邻方法进行SVM训练集的精简和分类器的构建,并进行测试集预测.仿真结果表明,FWKN-SVM分类方法在Android异常入侵检测中应用效果良好.     

基于多特征和Stacking算法的Android恶意软件检测方法

Android由于其广泛的普及率使得其平台上的恶意软件数量不断增加,针对目前大部分方法采用单一特征和单一算法进行检验,准确率不高的不足,提出了一种基于多特征与Stacking算法的静态检测方法,该方法能够弥补这两方面的不足. 首先使用多种特征信息组成特征向量,并且使用Stacking集成学习算法组合Logistic,SVM,k近邻和CART决策树多个基本算法,再通过训练样本进行学习形成分类器. 实验结果表明,相对于使用单一特征和单一算法其识别准确率得到提高,可达94.05%,该分类器对测试样本拥有较好的识别性能.