信息网络安全 ›› 2015, Vol. 15 ›› Issue (7): 58-63.doi: 10.3969/j.issn.1671-1122.2015.07.009

• • 上一篇    下一篇

基于内核日志的移动终端恶意软件检测

李建熠, 李晖(), 黄梦媛   

  1. 北京邮电大学计算机学院,北京 100876
  • 收稿日期:2015-05-29 出版日期:2015-07-01 发布日期:2015-07-28
  • 作者简介:

    作者简介: 李建熠(1990-),男,河南,硕士研究生,主要研究方向:Android动态分析;李晖(1970-),女,吉林,副教授,博士,主要研究方向:密码学及其应用、信息安全、无线通信安全;黄梦媛(1991-),女,广西,硕士研究生,主要研究方向:Android静态分析。

  • 基金资助:
    国家自然科学基金[61370195]

Detection of Mobile Terminal Malware Based on Kernel Log

LI Jian-yi, LI Hui(), HUANG Meng-yuan   

  1. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
  • Received:2015-05-29 Online:2015-07-01 Published:2015-07-28

摘要:

随着移动终端的智能化,移动终端上存储了大量个人隐私信息,由于移动终端上日益增多的恶意应用以及对恶意应用缺乏有效的检测机制,导致个人隐私信息的泄露,造成个人财产、名誉的损害。为防止这种危害的发生,文章提出了基于系统内核调用日志信息来识别应用行为的方法。首先下载恶意应用与良性应用,运行并收集它们的系统内核调用日志信息,统计出系统调用的频数信息作为原始数据;然后将原始数据进行规格化处理,生成可供分析的输入数据并生成输入向量;最后使用K-Means聚类算法对输入向量进行聚类处理,生成两个聚类簇,分别为恶意与良性应用的聚类簇,再将一些未知应用类型的内核调用信息作为验证数据生成输入向量,判断出该应用属于哪个聚类簇,便可知道该应用是否存在恶意行为。文章通过机器学习工具WEKA对提出的方法进行实验,实验结果证明该方法能有效地区分恶意应用与良性应用。

关键词: 移动终端, 恶意软件检测, 内核日志, K-Means

Abstract:

With the intelligent mobile terminal, mobile terminal store a large amount of personal privacy information. Due to the growing number of malicious applications on mobile terminals and for detecting malicious applications lack of effective mechanism, the existence of malicious applications will result in the leakage of personal privacy information, personal property, and reputation damage. In order to prevent the happening of this kind of harm, kernel is proposed in this paper, based on system call log information to identify the behavior of the application. Detection method is as follows, first download malicious application with benign application, run and collect their system kernel call log information, the statistics system call frequency information as the original data. Then normalized processing the raw data, generated for the analysis of the input data and generate the input vector. Finally use the K-Means clustering algorithm to cluster the input vector, the generated two clustering cluster, malicious and benign application of clustering cluster respectively, and then apply some unknown types of kernel call information as the validation data generated input vector, determine the application belongs to which cluster, can know the application of the presence of malicious behavior. This paper test the method using WEKA, test results show that the method is effective to distinguish the malicious applications and benign applications.

Key words: mobile terminal, malware detection, kernel log, K-Means

中图分类号: