基于内核日志的移动终端恶意软件检测

doi:10.3969/j.issn.1671-1122.2015.07.009

信息网络安全 ›› 2015, Vol. 15 ›› Issue (7): 58-63.doi: 10.3969/j.issn.1671-1122.2015.07.009

基于内核日志的移动终端恶意软件检测

李建熠, 李晖(), 黄梦媛

北京邮电大学计算机学院,北京 100876

收稿日期:2015-05-29 出版日期:2015-07-01 发布日期:2015-07-28
作者简介:
作者简介：李建熠（1990-）,男,河南,硕士研究生,主要研究方向：Android动态分析;李晖（1970-）,女,吉林,副教授,博士,主要研究方向：密码学及其应用、信息安全、无线通信安全;黄梦媛（1991-）,女,广西,硕士研究生,主要研究方向：Android静态分析。
基金资助:
国家自然科学基金[61370195]

Detection of Mobile Terminal Malware Based on Kernel Log

Jian-yi LI, Hui LI(), Meng-yuan HUANG

School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China

Received:2015-05-29 Online:2015-07-01 Published:2015-07-28

摘要/Abstract

摘要：

随着移动终端的智能化,移动终端上存储了大量个人隐私信息,由于移动终端上日益增多的恶意应用以及对恶意应用缺乏有效的检测机制,导致个人隐私信息的泄露,造成个人财产、名誉的损害。为防止这种危害的发生,文章提出了基于系统内核调用日志信息来识别应用行为的方法。首先下载恶意应用与良性应用,运行并收集它们的系统内核调用日志信息,统计出系统调用的频数信息作为原始数据;然后将原始数据进行规格化处理,生成可供分析的输入数据并生成输入向量;最后使用K-Means聚类算法对输入向量进行聚类处理,生成两个聚类簇,分别为恶意与良性应用的聚类簇,再将一些未知应用类型的内核调用信息作为验证数据生成输入向量,判断出该应用属于哪个聚类簇,便可知道该应用是否存在恶意行为。文章通过机器学习工具WEKA对提出的方法进行实验,实验结果证明该方法能有效地区分恶意应用与良性应用。

关键词: 移动终端, 恶意软件检测, 内核日志, K-Means

Abstract:

With the intelligent mobile terminal, mobile terminal store a large amount of personal privacy information. Due to the growing number of malicious applications on mobile terminals and for detecting malicious applications lack of effective mechanism, the existence of malicious applications will result in the leakage of personal privacy information, personal property, and reputation damage. In order to prevent the happening of this kind of harm, kernel is proposed in this paper, based on system call log information to identify the behavior of the application. Detection method is as follows, first download malicious application with benign application, run and collect their system kernel call log information, the statistics system call frequency information as the original data. Then normalized processing the raw data, generated for the analysis of the input data and generate the input vector. Finally use the K-Means clustering algorithm to cluster the input vector, the generated two clustering cluster, malicious and benign application of clustering cluster respectively, and then apply some unknown types of kernel call information as the validation data generated input vector, determine the application belongs to which cluster, can know the application of the presence of malicious behavior. This paper test the method using WEKA, test results show that the method is effective to distinguish the malicious applications and benign applications.

Key words: mobile terminal, malware detection, kernel log, K-Means

中图分类号:

TP309

李建熠, 李晖, 黄梦媛. 基于内核日志的移动终端恶意软件检测[J]. 信息网络安全, 2015, 15(7): 58-63.

Jian-yi LI, Hui LI, Meng-yuan HUANG. Detection of Mobile Terminal Malware Based on Kernel Log[J]. Netinfo Security, 2015, 15(7): 58-63.

图/表 6

图1

表1

表2

图2

图3

图4

参考文献 12

[1]	LARRY T, BATYUK L, ACHMIDT A D.An Android application sandbox system for suspicious softwaredetection[C]//Proceedings of the 5th International Conference on Malicious and Unwanted Software, USA, 2010: 55-62.
[2]	SHABTAI A, MOSKOVITCH R, ELOVICI Y.Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey[J].Information Security Technical Report, 2009, 14(1): 16-29.
[3]	Barrera D, Kayacik H G.A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android[C]//Ccs Proceedings of Acm Conference on Computer & Communications Security, 2010: 73-84.
[4]	FINICKEL E, LAHMADI A, BECK F, et al.Empirical Analysis of Android Logs Using Self-Organizing Maps[C]//Communications (ICC), 2014 IEEE International Conference on, Sydney, 2014: 1802-1807.
[5]	Google Android[EB/OL]. , 2013-03-25.
[6]	LLOYD S.Least squares quantization in pcm[J]. IEEE Transactions on Information Theory, 1982, 28(2): 129-136.
[7]	DINI I, MARTINELLI F, SARACINO A.MADAM: A multi—level anomaly detector for android malware[C]//Proceedings of the 6th International Conference on Mathematical Methods, Models and Architectures for Computer Network Security: Computer Network Security, Berlin Heidelberg, 2012: 240-253.
[8]	Isohara T, Takemori K, Kubota A.Kernel—based behavior analysis for Android malware detection[C]//Computational Intelligence and Security (CIS), 2011 Seventh International Conference on, IEEE, Sanya, 2011:1011-1015.
[9]	MUTZ D, VALEUR F, VIGNA G.Anomalous system call detection[J]. ACM Transactions on Information and System Security, 2006, 9(1): 61-93.
[10]	FEIZOLLAH A, ANUAR N B, SALLEH R, et al.Comparative study of k-means and mini batch k-means clustering algorithms in android malware detection using network traffic analysis[C]//Biometrics and Security Technologies (ISBAST), 2014 International Symposium on, Kuala Lumpur, 2014: 193-197.
[11]	UMRATKARM S, KARNEWAR J.K-Means Algorithm for Selective Filtration of Malicious Android Mobile Applications[J]. International Journal of Advent Research in Computer & Electronics, 2014, 1(3):5-12.
[12]	YALCIN B, TASDEMIR K. The use of K-means++ for approximate spectral clustering of large datasets[C]//Signal Processing and Communications Applications Conference (SIU), 2014: 220-223.

[1]	宋鑫, 赵楷, 张琳琳, 方文波. 基于随机森林的Android恶意软件检测方法研究[J]. 信息网络安全, 2019, 19(9): 1-5.
[2]	叶阿勇, 金俊林, 孟玲玉, 赵子文. 面向移动终端隐私保护的访问控制研究[J]. 信息网络安全, 2019, 19(8): 51-60.
[3]	傅彦铭, 李振铎. 基于拉普拉斯机制的差分隐私保护k-means++聚类算法研究[J]. 信息网络安全, 2019, 19(2): 43-52.
[4]	李涛, 时俊贤, 胡爱群. 基于签名查验的移动终端应用软件合法性判别技术[J]. 信息网络安全, 2019, 19(11): 56-62.
[5]	张健, 陈博翰, 宫良一, 顾兆军. 基于图像分析的恶意软件检测技术研究[J]. 信息网络安全, 2019, 19(10): 24-31.
[6]	陆勰, 罗守山, 张玉梅. 基于Hadoop的海量安全日志聚类算法研究[J]. 信息网络安全, 2018, 18(8): 56-63.
[7]	王晋, 喻潇, 刘畅, 赵波. 智能电网环境下一种基于SDKey的智能移动终端远程证明方案[J]. 信息网络安全, 2018, 18(7): 1-6.
[8]	胡卫, 吴邱涵, 刘胜利, 付伟. 基于国密算法和区块链的移动端安全eID及认证协议设计[J]. 信息网络安全, 2018, 18(7): 7-9.
[9]	刘志娟, 高隽, 丁启枫, 王跃武. 移动终端TEE技术进展研究[J]. 信息网络安全, 2018, 18(2): 84-91.
[10]	赵凯利, 李丹仪, 李强, 马存庆. 基于智能移动终端密码模块的身份认证方案实现[J]. 信息网络安全, 2017, 17(9): 107-110.
[11]	蔡霖翔. 网络诈骗案件涉案人群智能分析[J]. 信息网络安全, 2016, 16(9): 246-250.
[12]	方军, 王建权, 王连印, 王会方. 基于NFC和云计算技术的电梯维保管理系统设计与实现[J]. 信息网络安全, 2016, 16(12): 74-80.
[13]	胡洋瑞, 陈兴蜀, 王俊峰, 叶晓鸣. 基于流量行为特征的异常流量检测[J]. 信息网络安全, 2016, 16(11): 45-51.
[14]	树雅倩, 付安民, 黄振涛. 基于云平台的移动支付类恶意软件检测系统的设计与实现[J]. 信息网络安全, 2016, 16(1): 59-63.
[15]	黄世锋, 郭亚军, 崔建群, 曾庆江. 基于优化模糊C均值的手机恶意软件检测[J]. 信息网络安全, 2016, 16(1): 45-50.

基于内核日志的移动终端恶意软件检测

Detection of Mobile Terminal Malware Based on Kernel Log

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 12

相关文章 15

编辑推荐

Metrics

本文评价