基于权限与行为的Android恶意软件检测研究

doi:10.11959/j.issn.2096-109x.2017.00159

网络与信息安全学报 ›› 2017, Vol. 3 ›› Issue (3): 51-57.doi: 10.11959/j.issn.2096-109x.2017.00159

基于权限与行为的Android恶意软件检测研究

张骁敏¹,刘静^1,^2,³,庄俊玺^1,^2,³,赖英旭^1,^2,³

¹ 北京工业大学信息学部，北京 100124
² 北京工业大学可信计算北京市重点实验室，北京 100124
³ 北京工业大学信息安全等级保护关键技术国家工程实验室，北京 100124

修回日期:2017-03-02 出版日期:2017-03-01 发布日期:2017-03-25
作者简介:张骁敏（1990-），男，山西洪洞人，北京工业大学硕士生，主要研究方向为Android软件安全。|刘静（1978-），女，北京人，硕士，北京工业大学讲师，主要研究方向为网络安全、可信计算。|庄俊玺（1981-），女，河南新乡人，北京工业大学讲师，主要研究方向为网络安全、可信计算等。|赖英旭（1973-），女，辽宁抚顺人，博士，北京工业大学教授，主要研究方向为网络接入控制、病毒防御技术、网络安全工程、可信计算理论及其应用。
基金资助:
北京市自然科学基金资助项目(4162006)

Research on Android malware detection based on permission and behavior

Xiao-min ZHANG¹,Jing LUI^1,^2,³,Jun-xi ZHUANG^1,^2,³,Ying-xu LAI^1,^2,³

¹ Faculty of Information Technology,Beijing University of Technology,Beijing 100124,China
² Beijing Key Laboratory of Trusted Computing,Beijing University of Technology,Beijing 100124,China
³ National Engineering Laboratory for Critical Technologies of Information Security Classified Protection,Beijing University of Technology,Beijing 100124,China

Revised:2017-03-02 Online:2017-03-01 Published:2017-03-25
Supported by:
The Natural Science Foundation of Beijing(4162006)

摘要/Abstract

摘要：

针对Android平台恶意应用，从Android自身权限机制入手，提出了一种静态权限特征分析和动态行为分析相结合、将行为映射为权限特征的方法，并采用关联分析算法挖掘出权限特征之间的关联规则，把权限特征和行为特征作为朴素贝叶斯分类算法的输入，建立了一个恶意应用检测模型，最后通过实验验证了该方法的有效性和准确性。

关键词: Android系统, 安全机制, 权限特征, 分类器

Abstract:

For the Android platform malicious application,a method of mapping behavior to privilege characteristics by combining static privilege feature analysis and dynamic behavior analysis was proposed,and association analysis algorithm was used to dig out the association rules between privilege features.Feature as a naive Bayesian classification algorithm input,a malicious application detection model was established.Finally,the experiment verify the effectiveness and accuracy of the method.

Key words: Android system, security mechanism, permissions feature, classifier

中图分类号:

TP309

张骁敏,刘静,庄俊玺,赖英旭. 基于权限与行为的Android恶意软件检测研究[J]. 网络与信息安全学报, 2017, 3(3): 51-57.

Xiao-min ZHANG,Jing LUI,Jun-xi ZHUANG,Ying-xu LAI. Research on Android malware detection based on permission and behavior[J]. Chinese Journal of Network and Information Security, 2017, 3(3): 51-57.

图/表 11

图1

图2

表1

图3

表2

表3

表4

表5

表6

表7

表8

参考文献 14

[1]	Strategy analytics:Android captures record 88 percent share of global smartphone shipments in Q3 2016[EB/OL]. .
[2]	2016年第三季度中国互联网安全报告[EB/OL]. .
	The Chinese Internet security reportin the third quarter of 2016[EB/OL]. .
[3]	张怡婷, 张扬, 张涛 ,等. 基于朴素贝叶斯的 Android 软件恶意行为智能识别[J]. 东南大学学报, 2015,45(2): 224-230.
	ZHANG Y T , ZHANG Y , ZHANG T ,et al. Based on naive bayesian Android software malicious behavior intelligent identification[J]. Journal of Southeast University, 2015,45(2): 224-230.
[4]	陈宏伟 . 基于关联分析的 Android 权限滥用攻击检测系统研究[D]. 合肥：中国科学技术大学, 2016.
	CHEN H W . Research on Android rights abuse attack detection system based on correlation analysis[D]. Hefei:China University of Science and Technology, 2016.
[5]	张锐, 杨吉云 . 基于权限相关性的 Android 恶意软件检测[J]. 计算机应用, 2014,34(5): 1322-1325.
	ZHANG R , YANG J Y . Android malware detection based on permission relevance[J]. Journal of Computer Applications, 2014,34(5): 1322-1325.
[6]	黄梅根, 曾云科 . 基于权限组合的Android窃取隐私恶意应用检测方法[J]. 计算机应用与软件, 2016,33(9): 320-333.
	HUANG M G , ZENG Y K . Based on the combination of authority Android steal privacy application detection method[J]. Computer Applications and Software, 2016,33(9): 320-333.
[7]	ENCK W , GILBERT P , CHUN B G ,et al. TaintDroid:an information flow tracking system for real-time privacy monitoring on smartphones[C]// Usenix Symposium on Operating Systems Design and Implementation(OSDI 2010). 2010: 393-407.
[8]	ZHANG Y , YANG M , XU B ,et al. Vetting undesirable behaviors in Android apps with permission use analysis[C]// The 20th ACM Conference on Computer and Communications Security. 2013: 611-622.
[9]	The developer’s guide[EB/OL]. .
[10]	杨欢, 张玉清, 胡予濮 ,等. 基于权限频繁模式挖掘算法的Android恶意应用检测方法[J]. 通信学报, 2013,34(Z1): 106-115.
	YANG H , ZHANG Y Q , HU Y P ,et al. Android malicious application detection method based on privilege frequent pattern mining algorithm[J]. Journal on Communications, 2013,34(Z1): 106-115.
[11]	HUANG J J , ZHANG X Y TAN L . Detecting sensitive data disclosure via bi-directional text correlation analysis[C]// The 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 2016: 169-180.
[12]	AKSHAY N , PRATEEK S . The curse of 140 characters:evaluating the efficacy of SMS spam detection on Android[C]// The 3rd ACM workshop on Security and Privacy in Smartphones ＆ Mobile Devices. 2013: 33-42.
[13]	蔡泽廷, 姜梅 . 基于权限的朴素贝叶斯Android恶意软件检测研究[J]. 电脑知识与技术, 2013,9(14): 3288-3291.
	CAI Z T , JIANG M . Research on naive bayesian Android malware detection based on permission[J]. Computer Knowledge and Technology, 2013,9(14): 3288-3291.
[14]	VirusShare.com.Beacause sharing is caring[EB/OL]. .

行为	权限特征
crypto	GET_ACCOUNTS
net_write	WRITE_CONTACTS
net_read	READ_PHONE_STATE、READ_CONTACTS
net_open	INTERNET、ACCESS_COARSE_LOCATION
file_write	WRITE_EXTERNAL_STORAGE、WRITE_CALENDAR
file_read	READ_EXTERNAL_STORAGE、READ_CALENDAR
leak	ACCESS_FINE_LOCATION、CAMERA
sms	READ_SMS、RECEIVE_SMS、SEND_SMS、RECEIVE_WAP_PUSH、RECEIVE_MMS
call	CALL_PHONE、READ_CALL_LOG、WRITE_CALL_LOG、ADD_VOICEMAIL、PROCESS_OUTGOING_CALLS
service	RECORD_AUDIO、USE_SIP
dexload	BODY_SENSORS

应用类型	训练集数目	测试集数目	来源
恶意应用	2 770	2 771	VirusShare^[14]
正常应用	2 718	2 719	Google Play

衡量指标			组号			平均值
衡量指标	1	2	3	4	5	平均值
TPR	79.42%	84.66%	78.52%	81.23%	81.44%	81.05%
FPR	11.05%	10.29%	14.15%	12.87%	11.40%	11.95%
ACC	84.14%	87.16%	82.15%	84.15%	84.99%	84.52%

衡量指标			组号			平均值
衡量指标	1	2	3	4	5	平均值
TPR	86.64%	85.74%	87.55%	82.12%	83.94%	85.10%
FPR	9.21%	8.27%	11.03%	11.95%	7.17%	9.53%
ACC	88.70%	88.71%	88.25%	85.06%	88.26%	87.80%

权限组合	支持度	置信度
READ_PHONE_STATE+INTERNET+SEND_SMS	0.21	0.86
INTERNET+WRITE_EXTERNAL_STORAGE+WRITE_CALENDAR	0.29	0.85
INTERNET+READ_EXTERNAL_STORAGE	0.25	0.85
ACCESS_FINE_LOCATION+INTERNET+GET_ACCOUNTS	0.40	0.82
INTERNET+READ_PHONE_STATE+RECORD_AUDIO	0.33	0.81

基于权限与行为的Android恶意软件检测研究

Research on Android malware detection based on permission and behavior

在线阅读

pdf下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 14

相关文章 3

Metrics

推荐阅读 0

[1]	张宇, 李海良. 基于RSA的图像可识别对抗攻击方法[J]. 网络与信息安全学报, 2021, 7(5): 40-48.
[2]	张斌,刘自豪,董书琴,李立勋. 基于偏二叉树SVM多分类算法的应用层DDoS检测方法[J]. 网络与信息安全学报, 2018, 4(3): 24-34.
[3]	刘井强,李斌,陈立章,陈彬. 基于Android系统免Root主防方法的研究[J]. 网络与信息安全学报, 2016, 2(1): 65-73.

权限组合	支持度	置信度
INTERNET+FLASHLIGHT+CHANGE_CONFIGURATION	0.23	0.88
RECEIVE_SMS+INTERNET+VIBRATE	0.30	0.86
INTERNET+SET_WALLPAPER+ACCESS_COARSE_LOCATION	0.21	0.84
INTERNET+ACCESS_WIFI_STATE+RESTART_PACKAGES	0.34	0.83
INTERNET+GET_TASKS+WRITE_SETTINGS	0.28	0.80

衡量指标			组号			平均值
衡量指标	1	2	3	4	5	平均值
TPR	87.73%	87.36%	88.23%	85.74%	86.13%	87.04%
FPR	8.66%	7.72%	10.48%	10.85%	7.00%	8.94%
ACC	89.52%	89.80%	88.89%	87.43%	89.54%	89.03%

衡量指标			组号			平均值
衡量指标	1	2	3	4	5	平均值
TPR	90.25%	90.61%	91.16%	89.35%	89.78%	90.22%
FPR	6.62%	6.43%	6.99%	7.35%	6.45%	6.78%
ACC	91.70%	92.17%	92.08%	90.98%	91.63%	91.71%