基于应用行为划分的Android恶意应用检测技术

doi:10.19678/j.issn.1000-3428.0066864

摘要/Abstract

摘要：

在目前Android恶意应用检测技术研究中，单维度应用特征检测技术容易被黑客针对该特征的缺点设计恶意代码，而多维度应用特征检测技术存在对新样本检测准确率低的问题。同时，基于用户交互信息的应用行为特征划分方法被广泛运用在多维度应用特征检测技术上，显著提升对新恶意样本的检测准确率。但是，已有的研究工作都是通过在UI控件上的文本信息识别用户有意识行为与应用隐匿行为，而该方法在面对简短文本信息时存在识别困难的问题。为此，设计一种基于用户交互信息的应用行为划分算法。通过捕获应用中发生的用户与应用交互行为，获取交互行为发生的时间信息并进行应用行为划分，得到用户有意识行为特征集与应用隐匿行为特征集。设计并构建一种双通道应用分类模型2ch-LSTM-TCN，同时对用户有意识行为特征集和应用隐匿行为特征集进行学习，并对两者的计算输出统合后进行分类判别。实验结果表明，该算法的准确率和召回率分别达到94.8%和93.3%，能够有效区分Android良性应用和恶意应用，实现一个Android恶意应用自动化检测原型系统。

关键词: Android应用, 动态分析, 自动化检测, 恶意行为, 深度学习

Abstract:

In the current research on Android malware application detection technology, single-dimensional application feature detection technology is prone to hackers designing malicious code based on the shortcomings of this feature, whereas the problem with multi-dimensional applications is low feature detection accuracy for new samples.Methods for classifying application behavior features based on user interaction information are widely used in multi-dimensional feature detection applications, significantly improving the detection accuracy of new malicious samples.However, most of the existing research identifies conscious user and hidden application behaviors based on the text information entered through User Interface(UI) controls.However, this method has difficulty in identifying short segments of text information.In this study, an application behavior division algorithm is designed based on user interaction information. By capturing the interaction between user and application, the time information on interaction behavior is obtained, whereby the application behavior is divided to obtain the user's conscious behavior and application's hidden behavior.A two-channel Long Short-Term Memory Temporal Convolution Network(2ch-LSTM-TCN) application classification model is designed, to simultaneously learn the feature sets associated with user's conscious and application's hidden behaviors, to discriminate the classification of the two feature sets after integrating the outputs from both calculations.The experimental results show that the accuracy and recall of the proposed algorithm reach 94.8% and 93.3%, respectively, and can effectively distinguish between Android benign applications and malware applications, achieving an Android malware application automation detection prototype system.

Key words: Android application, dynamic analysis, automation detection, malicious behavior, deep learning

林中霖, 时金桥, 王美琪, 王学宾, 王雨燕. 基于应用行为划分的Android恶意应用检测技术[J]. 计算机工程, 2023, 49(9): 125-136.

Zhonglin LIN, Jinqiao SHI, Meiqi WANG, Xuebin WANG, Yuyan WANG. Android Malware Application Detection Technology Based on the Application Behavior Division[J]. Computer Engineering, 2023, 49(9): 125-136.

http://www.ecice06.com/CN/Y2023/V49/I9/125

图/表 12

图1 实验平台架构

Fig.1 The architecture of experimental platform

图2 Android恶意应用自动检测框架

Fig.2 Automation detection framework of Android malware application

图3 不同维度应用行为间的关系

Fig.3 The relationship of application behavior in different dimensions

图4 在Java层中应用行为频率统计

Fig.4 Application behavior frequency statistics in Java layer

图5 在native层中应用行为频率统计

Fig.5 Application behavior frequency statistics in native layer

图6 Android应用UI布局的层次结构

Fig.6 Hierarchy structure of Android application UI layout

图7 2ch-LSTM-TCN模型结构

Fig.7 Structure of 2ch-LSTM-TCN model

参考文献 27

1	A V-Test. 2021. A V-Test malware statistics[EB/OL]. [2023-01-03]. https://www.av-test.org/en/statistics/malware/.
2	HE Y L, LI Y P, WU L, et al. MsDroid: identifying malicious snippets for Android malware detection. IEEE Transactions on Dependable and Secure Computing, 2023, 20(3): 2025- 2039. doi: 10.1109/TDSC.2022.3168285
3	JERBI M, DAGDIA Z C, BECHIKH S, et al. On the use of artificial malicious patterns for Android malware detection. Computers & Security, 2020, 92, 101743.
4	褚堃, 万良, 马丹, 等. 深度可分离卷积在Android恶意软件分类的应用研究. 计算机应用研究, 2022, 39(5): 1534- 1540. doi: 10.19734/j.issn.1001-3695.2021.10.0435
	CHU K, WAN L, MA D, et al. Research on application of depthwise separable convolution in Android malware classification. Application Research of Computers, 2022, 39(5): 1534- 1540. doi: 10.19734/j.issn.1001-3695.2021.10.0435
5	GORDON M I, KIM D, PERKINS J, et al. Information-flow analysis of Android applications in DroidSafe[C]//Proceedings of Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2015: 110-115.
6	TANG A, SETHUMADHAVAN S, STOLFO S J. Unsupervised anomaly-based malware detection using hardware features[C]//Proceedings of International Workshop on Recent Advances in Intrusion Detection. Berlin, Germany: Springer, 2014: 109-129.
7	TAM K, KHAN S J, FATTORI A, et al. CopperDroid: automatic reconstruction of Android malware behaviors[C]//Proceedings of Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2015: 1-15.
8	李舟军, 吴春明, 王啸. 基于沙盒的Android应用风险行业分析与评估. 清华大学学报(自然科学版), 2016, 56(5): 453- 460.
	LI Z J, WU C M, WANG X. Assessment of Android application's risk behavior based on a sandbox system. Journal of Tsinghua University(Science and Technology), 2016, 56(5): 453- 460.
9	KIM T G, KANG B J, RHO M, et al. A multimodal deep learning method for Android malware detection using various features. IEEE Transactions on Information Forensics and Security, 2019, 14(3): 773- 788. doi: 10.1109/TIFS.2018.2866319
10	QIU J, HAN Q L, LUO W, et al. Cyber code intelligence for Android malware detection. IEEE Transactions on Cybernetics, 2023, 53(1): 617- 627. doi: 10.1109/TCYB.2022.3164625
11	ARP D, SPREITZENBARTH M, HÜBNER M, et al. Drebin: effective and explainable detection of Android malware in your pocket[C]//Proceedings of Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2014: 1-10.
12	BAI H P, XIE N N, DI X Q, et al. FAMD: a fast multifeature Android mal-ware detection framework, design, and implementation. IEEE Access, 2020, 8, 194729- 194740. doi: 10.1109/ACCESS.2020.3033026
13	ZHANG G F, LI Y, BAO X D, et al. TSDroid: a novel Android malware detection framework based on temporal & spatial metrics in IoMT. ACM Transactions on Sensor Networks, 2023, 19(3): 1- 23.
14	ZHANG L, THING V L L, CHENG Y. A scalable and extensible frame-work for Android malware detection and family attribution. Computers & Security, 2019, 80, 120- 133.
15	苏志达, 祝跃飞, 刘龙. 基于深度学习的安卓恶意应用检测. 计算机应用, 2017, 37(6): 1650- 1656. doi: 10.3969/j.issn.1001-3695.2017.06.011
	SU Z D, ZHU Y F, LIU L. Android malware application detection using deep learning. Journal of Computer Applications, 2017, 37(6): 1650- 1656. doi: 10.3969/j.issn.1001-3695.2017.06.011
16	黄浩华, 崔展齐, 潘敏学, 等. 静动态结合的恶意Android应用自动检测技术. 信息安全学报, 2017, 2(4): 27- 40. URL
	HUANG H H, CUI Z Q, PAN M X, et al. Automatic malicious Android application detection approach by combining static analysis and dynamic testing. Journal of Cyber Security, 2017, 2(4): 27- 40. URL
17	XI S Q, YANG S, XIAO X S, et al. Deepintent: deep icon-behavior learning for detecting intention-behavior discrepancy in mobile apps[C]//Proceedings of the ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2019: 2421-2436.
18	DAS P K, JOSHI A, FININ T. App behavioral analysis using system calls[C]//Proceedings of Conference on Computer Communications Workshops. Washington D. C., USA: IEEE Press, 2017: 487-492.
19	YERIMA S Y, SEZER S, MCWILLIAMS G. Analysis of Bayesian classification-based approaches for Android malware detection. IET Information Security, 2014, 8(1): 25- 36.
20	BURGUERA I, ZURUTUZA U, NADJM-TEHRANI S. Crowdroid: behavior-based malware detection system for Android[C]//Proceedings of the 1st Workshop on Security and Privacy in Smartphones and Mobile Devices. New York, USA: ACM Press, 2011: 15-26.
21	HOCHREITER S, SCHMIDHUBER J. Long short-term memory. Neural computation, 1997, 9(8): 1735- 1780.
22	BAI S J, KOLTER J Z, KOLTUN V. An empirical evaluation of generic convolutional and recurrent networks for sequence modeling[EB/OL]. [2023-01-03]. http://arXiv preprint arXiv: 1803.01271, 2018.
23	SRIVASTAVA N, HINTON G, KRIZHEVSKY A, et al. Dropout: a simple way to prevent neural networks from overfitting. The Journal of Machine Learning Research, 2014, 15(1): 1929- 1958.
24	KINGMA D P, BA L J. Adam: a method for stochastic optimization[EB/OL]. [2023-01-03]. https://arxiv.org/pdf/1412.6980.pdf.
25	MAHDAVIFAR S, KADIR A F D, FATEMI R, et al. Dynamic Android malware category classification using semi-supervised deep learning[C]//Proceedings of the 18th International Conference on Dependable, Auto-nomic, and Secure Computing. Washington D. C., USA: IEEE Press, 2020: 17-24.
26	YU K, ZHOU Y F, XU H, et al. DiagDroid: Android performance diagnosis via anatomizing asynchronous executions[C]//Proceedings of the 24th International Symposium on Foundations of Software Engineering. New York, USA: ACM Press, 2016: 410-421.
27	YUAN B G, WANG J F, LIU D, et al. Byte-level malware classification based on markov images and deep learning. Computers & Security, 2020, 92, 101740.

[1]	池亚平, 岳梓岩, 林雨衡. 基于Transformer的SM4算法工作模式识别[J]. 计算机工程, 2023, 49(9): 109-117.
[2]	江雨燕, 陶承凤, 李平. 数据增强和自适应自步学习的深度子空间聚类算法[J]. 计算机工程, 2023, 49(8): 96-103, 110.
[3]	李泽水, 冀俊忠, 杨翠翠. 基于边权重信息深度网络嵌入的PPIN功能模块检测[J]. 计算机工程, 2023, 49(8): 69-76.
[4]	王可铮, 徐玉芬, 周尚波. 结合对比感知损失和融合注意力的图像去雾模型[J]. 计算机工程, 2023, 49(8): 207-214.
[5]	刘俊豪, 王美林, 谢兴, 宋烨兴, 许莉花. 基于改进YOLOv5的皮革瑕疵检测算法[J]. 计算机工程, 2023, 49(8): 240-249.
[6]	闫兴亚, 匡娅茜, 白光睿, 李月. 基于深度学习的学生课堂行为识别方法[J]. 计算机工程, 2023, 49(7): 251-258.
[7]	李军侠, 王星驰, 殷梓, 石德硕. 边缘深度挖掘的弱监督显著性目标检测[J]. 计算机工程, 2023, 49(7): 169-178.
[8]	吴珊, 周凤. 基于改进SSD算法的小目标检测[J]. 计算机工程, 2023, 49(7): 179-188.
[9]	席建锐, 唐红梅, 梁春阳, 刘鑫. 基于改进隐函数的点云物体重建[J]. 计算机工程, 2023, 49(7): 214-222.
[10]	齐咏生, 杜晓旭, 朱俊峰, 高胜利, 刘利强. 基于增强型轻量深度网络的牧区牲畜高效检测[J]. 计算机工程, 2023, 49(7): 278-287.
[11]	谌雨章, 黄逸姿, 张钧涵. 基于多速率空洞卷积的多尺度水下小目标检测[J]. 计算机工程, 2023, 49(6): 257-264.
[12]	张博旭, 蒲智, 程曦. 基于提示学习的维吾尔语文本分类研究[J]. 计算机工程, 2023, 49(6): 292-299,313.
[13]	于海洋, 景鹏, 张文涛, 谢赛飞, 滑志华, 宋草原. 基于残差与注意力机制的道路裂缝检测U-Net改进模型[J]. 计算机工程, 2023, 49(6): 265-273.
[14]	王爱玲, 马文臻, 邹自明, 钟佳. 基于领域自适应的卫星工程参数异常检测[J]. 计算机工程, 2023, 49(5): 29-37,47.
[15]	宋羽凯, 谢江. 基于多任务学习的轻量级语音情感识别模型[J]. 计算机工程, 2023, 49(5): 122-128.

选择文件类型/文献管理软件名称

选择包含的内容