作者投稿和查稿 主编审稿 专家审稿 编委审稿 远程编辑

计算机工程 ›› 2023, Vol. 49 ›› Issue (9): 125-136. doi: 10.19678/j.issn.1000-3428.0066864

• 网络空间安全 • 上一篇    下一篇

基于应用行为划分的Android恶意应用检测技术

林中霖1, 时金桥1, 王美琪2,3, 王学宾2,3, 王雨燕1   

  1. 1. 北京邮电大学 网络空间安全学院, 北京 100876
    2. 中国科学院信息工程研究所, 北京 100093
    3. 中国科学院大学 网络空间安全学院, 北京 100049
  • 收稿日期:2023-02-06 出版日期:2023-09-15 发布日期:2023-09-14
  • 作者简介:

    林中霖(1998—),男,硕士研究生,主研方向为软件安全

    时金桥,教授、博士

    王美琪,博士研究生

    王学宾,讲师、博士

    王雨燕,硕士研究生

  • 基金资助:
    广东省重点研发计划(2019B010137003)

Android Malware Application Detection Technology Based on the Application Behavior Division

Zhonglin LIN1, Jinqiao SHI1, Meiqi WANG2,3, Xuebin WANG2,3, Yuyan WANG1   

  1. 1. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
    2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China
    3. School of Cyberspace Security, University of Chinese Academy of Sciences, Beijing 100049, China
  • Received:2023-02-06 Online:2023-09-15 Published:2023-09-14

摘要:

在目前Android恶意应用检测技术研究中,单维度应用特征检测技术容易被黑客针对该特征的缺点设计恶意代码,而多维度应用特征检测技术存在对新样本检测准确率低的问题。同时,基于用户交互信息的应用行为特征划分方法被广泛运用在多维度应用特征检测技术上,显著提升对新恶意样本的检测准确率。但是,已有的研究工作都是通过在UI控件上的文本信息识别用户有意识行为与应用隐匿行为,而该方法在面对简短文本信息时存在识别困难的问题。为此,设计一种基于用户交互信息的应用行为划分算法。通过捕获应用中发生的用户与应用交互行为,获取交互行为发生的时间信息并进行应用行为划分,得到用户有意识行为特征集与应用隐匿行为特征集。设计并构建一种双通道应用分类模型2ch-LSTM-TCN,同时对用户有意识行为特征集和应用隐匿行为特征集进行学习,并对两者的计算输出统合后进行分类判别。实验结果表明,该算法的准确率和召回率分别达到94.8%和93.3%,能够有效区分Android良性应用和恶意应用,实现一个Android恶意应用自动化检测原型系统。

关键词: Android应用, 动态分析, 自动化检测, 恶意行为, 深度学习

Abstract:

In the current research on Android malware application detection technology, single-dimensional application feature detection technology is prone to hackers designing malicious code based on the shortcomings of this feature, whereas the problem with multi-dimensional applications is low feature detection accuracy for new samples.Methods for classifying application behavior features based on user interaction information are widely used in multi-dimensional feature detection applications, significantly improving the detection accuracy of new malicious samples.However, most of the existing research identifies conscious user and hidden application behaviors based on the text information entered through User Interface(UI) controls.However, this method has difficulty in identifying short segments of text information.In this study, an application behavior division algorithm is designed based on user interaction information. By capturing the interaction between user and application, the time information on interaction behavior is obtained, whereby the application behavior is divided to obtain the user's conscious behavior and application's hidden behavior.A two-channel Long Short-Term Memory Temporal Convolution Network(2ch-LSTM-TCN) application classification model is designed, to simultaneously learn the feature sets associated with user's conscious and application's hidden behaviors, to discriminate the classification of the two feature sets after integrating the outputs from both calculations.The experimental results show that the accuracy and recall of the proposed algorithm reach 94.8% and 93.3%, respectively, and can effectively distinguish between Android benign applications and malware applications, achieving an Android malware application automation detection prototype system.

Key words: Android application, dynamic analysis, automation detection, malicious behavior, deep learning