Netinfo Security (信息网络安全), 2020, Vol. 20, Issue 1: 67-74. doi: 10.3969/j.issn.1671-1122.2020.01.010

• Technical Research •

Multi-feature Android Malware Detection Method (融合多特征的Android恶意软件检测方法)

HOU Liuyang, LUO Senlin, PAN Limin, ZHANG Ji

  1. School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China
  • Received: 2019-09-10   Online: 2020-01-10   Published: 2020-05-11
  • About the authors:

    HOU Liuyang (b. 1991), male, from Henan, master's student; research interests: machine learning, network security. LUO Senlin (b. 1968), male, from Hebei, professor, PhD; research interest: information security. PAN Limin (b. 1968), female, from Heilongjiang, senior engineer, master's degree; research interests: network security, text security. ZHANG Ji (b. 1968), male, from Shaanxi, associate professor, master's degree; research interests: network security, data mining.

  • Funding:
    National 242 Information Security Special Project [2019A021]

Abstract:

Current machine-learning-based Android malware detection methods typically build their features along a single dimension and therefore struggle to characterize the full range of Android malware behaviour. This paper proposes a detection method that fuses three kinds of features: software behaviour features, structural features of the AndroidManifest.xml file, and features distilled from Android malware analysis experience. The method extracts Dalvik opcode N-gram semantic information, sensitive system APIs, system Intents, system Categories, sensitive permissions and related experience features from an Android application, uses them to characterize malware behaviour from several angles, and assembles them into a feature vector. An ensemble learning classifier based on XGBoost is then trained on these vectors to classify samples accurately as malicious or benign. Experiments on the public DREBIN and AMD datasets show that the method reaches a detection accuracy above 97%, effectively improving Android malware detection.

Key words: Android, malware, multi-feature fusion, XGBoost
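The feature-construction step the abstract describes, as an added example that is not the paper's code: a constructed AndroidManifest.xml and a constructed Dalvik opcode sequence are turned into one fixed-length vector of permission, Intent action, Category, "experience" and opcode N-gram features, the kind of row an XGBoost classifier would be trained on. The lists of sensitive permissions, system actions, system categories and N-gram vocabulary, and the two hand-crafted experience features, are small illustrative assumptions and not the lists used in the paper; the classifier itself is not included, since the paper does not expose its training configuration.

```python
# Added example (not the paper's code): build one multi-feature vector from a
# constructed AndroidManifest.xml and a constructed Dalvik opcode sequence.
# All vocabularies below are illustrative assumptions, not the paper's lists.
from collections import Counter
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest of a hypothetical app: an SMS-capable receiver that starts on boot.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed opcode sequence of one method, as a baksmali-style dump would list it.
SAMPLE_OPCODES = [
    "const-string", "invoke-static", "move-result-object",
    "const-string", "invoke-virtual", "move-result-object",
    "invoke-virtual", "return-void",
]

# Illustrative vocabularies (assumptions). A real model uses far longer lists
# derived from the training set.
SENSITIVE_PERMISSIONS = [
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
]
SYSTEM_ACTIONS = [
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
    "android.intent.action.MAIN",
]
SYSTEM_CATEGORIES = [
    "android.intent.category.DEFAULT",
    "android.intent.category.LAUNCHER",
]
NGRAM_VOCAB = [
    ("const-string", "invoke-static"),
    ("invoke-static", "move-result-object"),
    ("invoke-virtual", "move-result-object"),
    ("return-void", "return-void"),  # absent from the sample: yields a zero column
]


def opcode_ngrams(opcodes, n=2):
    """Count opcode N-grams over one instruction sequence (n=2 gives bigrams)."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))


def manifest_features(xml_text):
    """Return the sets of declared permissions, intent actions and categories."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID_NS + "name") for e in root.iter("action")}
    cats = {e.get(ANDROID_NS + "name") for e in root.iter("category")}
    return perms, actions, cats


def experience_features(perms, actions):
    """Two hand-crafted features in the spirit of analyst experience (assumptions):
    how many listed sensitive permissions are requested, and whether the app can
    both send SMS and intercept incoming SMS, a pairing analysts treat as suspicious."""
    n_sensitive = sum(p in perms for p in SENSITIVE_PERMISSIONS)
    sms_pair = int("android.permission.SEND_SMS" in perms
                   and "android.provider.Telephony.SMS_RECEIVED" in actions)
    return [n_sensitive, sms_pair]


def build_vector(xml_text, opcodes, n=2):
    """Concatenate manifest indicators, experience features and opcode N-gram
    counts into one fixed-length vector: the input row for a classifier such
    as the XGBoost model the abstract uses."""
    perms, actions, cats = manifest_features(xml_text)
    vec = [int(p in perms) for p in SENSITIVE_PERMISSIONS]
    vec += [int(a in actions) for a in SYSTEM_ACTIONS]
    vec += [int(c in cats) for c in SYSTEM_CATEGORIES]
    vec += experience_features(perms, actions)
    grams = opcode_ngrams(opcodes, n)
    vec += [grams.get(g, 0) for g in NGRAM_VOCAB]
    return vec


if __name__ == "__main__":
    print(build_vector(SAMPLE_MANIFEST, SAMPLE_OPCODES))
```

The vector layout is fixed by the vocabulary lists, so every sample maps to the same columns; in practice the opcode N-grams are collected over all methods of the DEX file rather than one method, and the vocabulary is pruned to the N-grams that actually discriminate in the training data, otherwise the column count explodes.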
