基于字节码图像的Android恶意代码家族分类方法

doi:10.11959/j.issn.2096-109x.2016.00066

网络与信息安全学报 ›› 2016, Vol. 2 ›› Issue (6): 38-43.doi: 10.11959/j.issn.2096-109x.2016.00066

基于字节码图像的Android恶意代码家族分类方法

杨益敏,陈铁明()

浙江工业大学计算机科学与技术学院，浙江杭州 310023

修回日期:2016-05-23 出版日期:2016-06-15 发布日期:2020-03-26
作者简介:杨益敏（1985-），男，浙江宁波人，浙江工业大学硕士生，主要研究方向为网络与信息安全。|陈铁明（1978-），男，博士，浙江工业大学教授，主要研究方向为网络与信息安全。
基金资助:
国家自然科学基金资助项目(U1509214);浙江省自然科学基金资助项目(LY16F020035)

Android malware family classification method based on the image of bytecodeConstruction of MDS matrices

Yi-min YANG,Tie-ming CHEN()

College of Computer Science and Technology,Zhejiang University of Technology,Hangzhou 310023,China

Revised:2016-05-23 Online:2016-06-15 Published:2020-03-26
Supported by:
The National Natural Science Foundation of China(U1509214);The Natural Science Foundation of Zhe jiang Province(LY16F020035)

摘要/Abstract

摘要：

面对Android恶意代码高速增长的趋势，提出基于字节码图像的Android恶意代码家族分类方法，通过将Android恶意应用的字节码转化为256阶灰度图形式的字节码图像，利用GIST算法提取图像的纹理特征，并结合随机森林算法对特征进行分类。对常见的14种Android恶意代码家族的样本进行了实验验证，并与DREBIN方法进行比较，实验结果表明，该方法可有效进行Android恶意代码家族分类，具有检测精度高且误报率低的优点。

关键词: 安卓, 恶意代码家族, 图像纹理, 字节码

Abstract:

An Android malware family classification method based on the image of bytecode was proposed accord-ing to the exponential growth of Android malware.A bytecode file of Android malware was converted to a 256-level grayscale image and texture features was extracted from the image by GIST.The random forest algorithm was ap-plied to classify the extracted features.The method by the experimental data of 14 kinds of common Android mal-ware families was verified and was compared against the DREBIN on the same dataset.The experimental results show that the proposed method has high detection precision and low false positive rate.

Key words: Android, malware family, image texture, bytecode

中图分类号:

TP301

杨益敏,陈铁明. 基于字节码图像的Android恶意代码家族分类方法[J]. 网络与信息安全学报, 2016, 2(6): 38-43.

Yi-min YANG,Tie-ming CHEN. Android malware family classification method based on the image of bytecodeConstruction of MDS matrices[J]. Chinese Journal of Network and Information Security, 2016, 2(6): 38-43.

图/表 8

图1

图2

图3

图4

图5

表1

表2

图6

参考文献 17

[1]	阿里聚安全[EB/OL]. . 2016.
	Ali poly security[EB/OL]. . 2016.
[2]	FOSSI M , EGAN G , HALEY K , et al. Symantec internet security threat report trends for 2010[R]. 2010.
[3]	CONTI G , DEAN E , SINDA M , et al. Visual reverse engineering of binary and data files[J]. Journal of General Physiology, 2008,115 (5):637.
[4]	ANDERSON B , STORLIE C , LANE T . Improving malware classi-fication:bridging the static/dynamic gap[C]// The 5th ACM Work-shop on Security and Artificial Intelligence.c 2012:3-14.
[5]	NATARAJ L , YEGNESWARAN V , PORRAS P , et al. A compara-tive assessment of malware classification using binary texture analysis and dynamic analysis[C]// The 4th ACM Workshop on Se-curity and Artificial Intelligence.c 2011:21-30.
[6]	NATARAJ L , KARTHIKEYAN S , JACOB G , et al. Malware im-ages:visualization and automatic classification[C]// The 8th Interna-tional Symposium on Visualization for Cyber Security,ACM.c 2011:4.
[7]	WU Y , YAP R . Experiments with malware visualization[M]// De-tection of Intrusions and Malware,and Vulnerability Assessment. Berlin Heidelberg: Springer, 2012:123-133.
[8]	HAN K , LIM J , IM E . Malware analysis method using visualization of binary files[C]// The 2013 Research in Adaptive and Convergent Systems,ACM.c 2013:317-321.
[9]	SHAID M , ZAINUDEEN S , MAAROF M . Malware behavior image for malware variant identification[C]// 2014 International Symposium on Biometrics and Security Technologies (ISBAST),IEEE.c 2014:238-243.
[10]	韩晓光，曲武，姚宣霞，等．基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014,35(8):125-136.
	HAN X G , QU W , YAO X X , et al. Malicious code variants detec-tion method based on texture fingerprint study[J]. Journal of Com-munications, 2014,35(8):125-136.
[11]	ZHOU Y , JIANG X . Dissecting android malware:characterization and evolution[C]// 2012 IEEE Symposium on Security and Privacy (SP),IEEE.c 2012:95-109.
[12]	ARP D , SPREITZENBARTH M , HUBNER M , et al. DREBIN:effective and explainable detection of android malware in your pocket[C]// Network and Distributed System Security Symposium (NDSS).c 2014.
[13]	ELENKOV N . Android security internals:an in-depth guide to android's security architecture[M]. No Starch Press, 2014.
[14]	OLIVA A , TORRALBA A . Modeling the shape of the scene:a holistic representation of the spatial envelope[J]. International Journal of Computer Vision, 2001,42 (3):145-175.
[15]	T-SNE[EB/OL]. . 2016.
[16]	HAN J , KAMBER M , PEI J , . Data mining[M] San Francisco: Morgan Kaufmann, 2011.
[17]	The drebin dataset[EB/OL]. . 2016.

家族名称	样本数
BaseBridge	330
DroidDream	81
DroidKungFu	667
FakeDoc	132
FakeInstaller	925
FakeRun	61
Iconosys	152
Imlog	43
Kmin	147
MobileTx	69
Opfake	613
Plankton	625
SendPay	59
Gappusin	58

家族名称	TPR	FPR	Precision	Recall	F-Measure	AUC
BaseBridge	0.839	0.002	0.965	0.839	0.898	0.984
DroidDream	0.827	0.002	0.882	0.827	0.854	0.983
DroidKungFu	0.934	0.057	0.733	0.934	0.821	0.989
FakeDoc	0.962	0.001	0.977	0.962	0.969	0.995
FakeInstaller	0.969	0.011	0.956	0.969	0.962	0.999
FakeRun	0.951	0	1	0.951	0.975	1
Iconosys	0.961	0.004	0.885	0.961	0.921	0.999
Imlog	0.837	0	1	0.837	0.911	0.984
Kmin	0.98	0.001	0.973	0.98	0.976	1
MobileTx	1	0	0.986	1	0.993	1
Opfake	0.977	0.008	0.951	0.977	0.964	0.999
Plankton	0.974	0.005	0.965	0.974	0.97	0.998
SendPay	0.915	0.001	0.947	0.915	0.931	0.989
Gappusin	0.534	0	1	0.534	0.697	0.954

基于字节码图像的Android恶意代码家族分类方法

Android malware family classification method based on the image of bytecodeConstruction of MDS matrices

在线阅读

pdf下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 17

相关文章 6

Metrics

推荐阅读 0

[1]	林丹, 林凯欣, 吴嘉婧, 郑子彬. 基于字节码的以太坊智能合约分类方法[J]. 网络与信息安全学报, 2022, 8(5): 111-120.
[2]	袁占慧, 杨智, 张红旗, 金舒原, 杜学绘. 基于通信顺序进程的Android程序复杂信息流分析方法[J]. 网络与信息安全学报, 2021, 7(5): 156-168.
[3]	超凡, 杨智, 杜学绘, 韩冰. 基于多因素聚类选择的Android应用程序分类风险评估方法[J]. 网络与信息安全学报, 2021, 7(2): 161-173.
[4]	张鑫,羌卫中,吴月明,邹德清,金海. 基于卷积神经网络恶意安卓应用行为模式挖掘[J]. 网络与信息安全学报, 2020, 6(6): 35-44.
[5]	超凡,杨智,杜学绘,孙彦. 基于深度神经网络的Android恶意软件检测方法[J]. 网络与信息安全学报, 2020, 6(5): 67-79.
[6]	陈佳,郭山清. 面向服务端私有Web API的自动发现技术研究[J]. 网络与信息安全学报, 2016, 2(12): 27-38.