基于SM3与多特征值的Android恶意软件检测

doi:10.3969/j.issn.1671-1122.2020.06.003

信息网络安全 ›› 2020, Vol. 20 ›› Issue (6): 17-25.doi: 10.3969/j.issn.1671-1122.2020.06.003

基于SM3与多特征值的Android恶意软件检测

郑东, 赵月()

西安邮电大学无线网络安全技术国家工程实验室,西安 710121

收稿日期:2019-10-15 出版日期:2020-06-10 发布日期:2020-10-21
通讯作者: 赵月 E-mail:1354381563@qq.com
作者简介:郑东（1964—）,男,山西,教授,博士,主要研究方向为密码学、云存储安全|赵月（1994—）,女,山东,硕士研究生,主要研究方向为移动设备安全
基金资助:
国家自然科学基金(61772418)

Android Malware Detection Based on SM3 and Multi-feature

ZHENG Dong, ZHAO Yue()

National Engineering Laboratory for Wireless Security, Xi’an University of Posts and Telecommunications, Xi’an 710121, China

Received:2019-10-15 Online:2020-06-10 Published:2020-10-21
Contact: ZHAO Yue E-mail:1354381563@qq.com

摘要/Abstract

摘要：

通过Android系统提供的MessageDigest工具类使用 SM3杂凑算法对APK进行完整性计算,得到其Hash值;将得到的Hash值与服务器中正确的Hash值进行比较,若两个Hash值不一致,说明此APK程序已被篡改,可以卸载。同时,文章设计了一种权限静态分析和多特征恶意软件检测模型,通过反编译应用程序,得到AndroidManifest.xml和smali文件,获取权限特征和API方法调用特征。权限静态分析是根据权限比重分数,计算危险权限分数,判断应用程序危险程度。多特征恶意软件检测使用Jaccard距离计算权限特征相似度和API 方法调用特征相似度,识别良性软件和恶意软件。实验结果显示,该方案SM3完整性计算速度是MD5、SHA-1算法速度的3倍左右,检测模型能有效识别恶意软件,并对恶意软件分类,从而保护用户的隐私资料,防止恶意软件窃取用户隐私。

关键词: Android, SM3, 恶意软件, 权限检测

Abstract:

The MessageDigest tool class provided by the Android system uses the SM3 hash algorithm to calculate the integrity of the APK, obtains its hash value, compares the obtained hash value with the correct hash value in the server. IF two Hash values are inconsistent,, indicating that the APK has been tampered and can be uninstalled. The permission static analysis and multi-feature malware detection model are designed. By decompiling the application, the AndroidManifest.xml and smali files are obtained, and the permission feature and API method call feature are obtained. Permission static analysis is to calculate the dangerous permission score according to the permission weight score and judge the application danger degree. Multi-feature malware detection uses Jaccard distance calculation permission feature similarity and API method call feature similarity to identify benign software and malware. The experimental results show that the SM3 integrity calculation speed is about 3 times faster than the MD5 and SHA-1 algorithms. The detection model can effectively identify malicious applications and classify malicious applications, thus protecting users' private data and preventing malware theft. User privacy.

Key words: Android, SM3, malware, permission detection

中图分类号:

TP309

郑东, 赵月. 基于SM3与多特征值的Android恶意软件检测[J]. 信息网络安全, 2020, 20(6): 17-25.

ZHENG Dong, ZHAO Yue. Android Malware Detection Based on SM3 and Multi-feature[J]. Netinfo Security, 2020, 20(6): 17-25.

图/表 6

图1

图2

表1

图3

表2

表3

参考文献 16

[1]	XIE Jiayun, FU Xiao, LUO Bin. Progress in Android Protection Technology[J]. Computer Engineering, 2018,44(2):163-170.
	谢佳筠, 伏晓, 骆斌. Android防护技术研究进展[J]. 计算机工程, 2018,44(2):163-170.
[2]	PARVEZ F, AMMAR B, VIJAY L. Android Security: A Survey of Issues, Malware Penetration, and Defenses[J]. IEEE Communications Surveys & Tutorials, 2019,17(2):998-1022.
[3]	CHO J, KIM D, KIM H. User Credential Cloning Attacks in Android Applications: Exploiting Automatic Login on Android Apps and Mitigating Strategies[J]. IEEE Consumer Electronics Magazine, 2018,7(3):48-55.
[4]	OMAR M, MOHAMMED D, NGUYEN V, et al. Android Application Security[M]. Applying Methods of Scientific Inquiry Into Intelligence, Security, and Counterterrorism. NY: IGI Global, 2019.
[5]	G DATA: Q3 Global Android Malicious Samples in 2018 increased by 40% over the same period of last year[EB/OL]. http://www.199it.com/archives/793849.html, 2019-1-15.
	G DATA:2018年Q3全球Android新恶意样本数量达320万个同比增加40%[EB/OL]. http://www.199it.com/archives/793849.html,2019-1-15.
[6]	PENG Lin. ISC2017 Tide Viewing Network Space Forum: International Consensus on Network Space Governance[J]. China Information Security, 2017 ( 10):90-94.
	彭琳. ISC2017观潮网络空间论坛:汇聚网络空间治理的国际共识[J].中国信息安全, 2017(10):90-94.
[7]	ZHOU W, JIA Y, PENG A, et al. The Effect of Iot New Features on Security and Privacy: New Threats, Ex-Isting Solutions, and Challenges yet to be Solved[J]. IEEE Internet of Things Journal, 2018,30(6):1606-1616.
[8]	National Cryptographic Administration Department. SM3 Cryptographic Hash Algorithm[EB/OL]. http://www.oscca.gov.cn/UpFile/20101222141857786.pdf, 2019-1-15.
	国家密码管理系. SM3密码杂凑算法[EB/OL]. http://www.oscca.gov.cn/UpFile/20101222141857786.pdf,2019-1-15.
[9]	MA Junli. Research on Malicious Behavior Detection and Classification Method of Android Applications[D]. Beijing:Beijing Jiaotong University, 2016.
	马君丽. 安卓应用的恶意行为检测与归类方法研究[D]. 北京:北京交通大学, 2016.
[10]	KUMAR R, ZHANG X, KHAN R U, et al. Resea-Earch on Data Mining of Permission-Induced Risk for Android IoT Devices[J]. Applied Sciences, 2019,9(2):277.
[11]	ZHANG Zhenquan, LUO Xinmin, QI Chun. Comparison of Digital Signature Algorithms MD5 and SHA-1 and Optimization Implementation of AVR[J]. Network Security Technology and Application, 2005,5(7):64-67.
	张振权, 罗新民, 齐春. 数字签名算法MD5和SHA-1的比较及其AVR优化实现[J]. 网络安全技术与应用, 2005,5(7):64-67.
[12]	YANG Zhonghuang, LIANG Shanqiang, ZHAN Weixiao. Remote Management of Mobile Devices Based on SEAndroid[J]. Journal of Xi’an University of Posts and Telecommunications, 2018,23(3):17-24.
	杨中皇, 梁善强, 詹维骁. 基于SEAndroid的移动设备远程管理[J]. 西安邮电大学学报, 2018,23(3):17-24.
[13]	BAGHERI H, KANG E, MALEK S, et al. A Formal Approach for Detection of Security Flaws in the A-ndroid Permission System[J]. Formal Aspects of ComPuting, 2018,30(5):525-544.
[14]	MIN Luocxu, CAO Qinghua. Runtime-Based Behavior Dynamic Analysis System for Android Malware Detection[EB/OL]. https://www.researchgate.net/publication/266646301_Runtime-Based_Behavior_Dynamic_Analysis_System_for_Android_Malware_Detection, 2019 -1-15.
[15]	MAMMONE N, IERACITANO C, Adeli H, et al. Permutation Jaccard Distance-Based Hierarchical Clustering to Estimate EEG Network Density Modifications in MCI Subjects[J]. IEEE Transactions on Neural Networks and Learning Systems, 2018,9(9):1-14.
[16]	HUANG Meigen, ZENG Yunke. Detection Method of Android Stealing Privacy Malicious Applications Based on Permission Combination[J]. Computer Applications and Software, 2016,33(9):320-323, 333.
	黄梅根, 曾云科. 基于权限组合的Android窃取隐私恶意应用检测方法[J]. 计算机应用与软件, 2016,33(9):320-323,333.

权限	风险等级	权重分数
READ_CONTACTS	较高	4
ACCESS_COARSE_LOCATION	中等	3
INSTALL_PACKAGES	非常高	6
READ_SMS	较高	4
SEND_SMS	高	5
WRITE_SMS	高	5
READ_CALL_LOG	中等	3
PROCESS_OUTGOING_CALLS	非常高	6
MOUNT_UNMOUNT_FILESYSTEMS	一般	2
WRITE_EXTERNAL_STORAGE	非常高	6
READ_EXTERNAL_STORAGE	高	5
READ_PHONE_STATE	中等	3
READ_LOGS	非常高	6
RECORD_AUDIO	中等	3
CALL_PHONE	较高	4

	MD5	SHA-1	SM3
Pixel 3	0.984	0.712	0.286
Pixel 2	1.067	0.848	0.315
Nexus 6p	1.109	0.988	0.369

基于SM3与多特征值的Android恶意软件检测

Android Malware Detection Based on SM3 and Multi-feature

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 16

相关文章 15

编辑推荐

Metrics

本文评价

[1]	袁晓筱, 罗森林, 杨鹏. Android系统应用程序DEX文件保护方法研究[J]. 信息网络安全, 2020, 20(7): 60-69.
[2]	侯留洋, 罗森林, 潘丽敏, 张笈. 融合多特征的Android恶意软件检测方法[J]. 信息网络安全, 2020, 20(1): 67-74.
[3]	宋鑫, 赵楷, 张琳琳, 方文波. 基于随机森林的Android恶意软件检测方法研究[J]. 信息网络安全, 2019, 19(9): 1-5.
[4]	丁丽萍, 刘雪花, 陈光宣, 李引. Android智能手机动态内存取证技术综述[J]. 信息网络安全, 2019, 19(2): 10-17.
[5]	冯胥睿瑞, 刘嘉勇, 程芃森. 基于特征提取的恶意软件行为及能力分析方法研究[J]. 信息网络安全, 2019, 19(12): 72-78.
[6]	张健, 陈博翰, 宫良一, 顾兆军. 基于图像分析的恶意软件检测技术研究[J]. 信息网络安全, 2019, 19(10): 24-31.
[7]	宋新龙, 郑东, 杨中皇. 基于AOSP与SELinux的移动设备管理系统[J]. 信息网络安全, 2017, 17(9): 103-106.
[8]	陆德冰, 崔浩亮, 张文, 牛少彰. 基于Intent过滤的应用安全加固方案[J]. 信息网络安全, 2017, 17(11): 67-73.
[9]	刘佳佳, 俞研, 胡恒伟, 吴家顺. 一种基于虚拟机定制的应用保护方法研究[J]. 信息网络安全, 2017, 17(1): 63-67.
[10]	张健, 王文旭, 牛鹏飞, 顾兆军. 恶意软件防治产品与服务评测体系研究[J]. 信息网络安全, 2016, 16(9): 113-117.
[11]	文伟平, 汤炀, 谌力. 一种基于Android内核的APP敏感行为检测方法及实现[J]. 信息网络安全, 2016, 16(8): 18-23.
[12]	余丽芳, 杨天长, 牛少彰. 一种增强型Android组件间安全访问控制方案[J]. 信息网络安全, 2016, 16(8): 54-60.
[13]	曲乐炜, 罗森林, 孙志鹏, 朱帅. Android系统数据完整性检测方法研究[J]. 信息网络安全, 2016, 16(8): 61-67.
[14]	张家旺, 李燕伟. 基于N-gram算法的恶意程序检测系统研究与设计[J]. 信息网络安全, 2016, 16(8): 74-80.
[15]	杨静雅, 罗森林, 朱帅, 曲乐炜. 基于多层次交叉视图分析的Android系统恶意行为监控方法研究[J]. 信息网络安全, 2016, 16(7): 40-46.