基于字节码图像的Android恶意代码家族分类方法

doi:10.11959/j.issn.2096-109x.2016.00066

Abstract

Abstract:

An Android malware family classification method based on the image of bytecode was proposed accord-ing to the exponential growth of Android malware.A bytecode file of Android malware was converted to a 256-level grayscale image and texture features was extracted from the image by GIST.The random forest algorithm was ap-plied to classify the extracted features.The method by the experimental data of 14 kinds of common Android mal-ware families was verified and was compared against the DREBIN on the same dataset.The experimental results show that the proposed method has high detection precision and low false positive rate.

Key words: Android, malware family, image texture, bytecode

CLC Number:

TP301

Yi-min YANG,Tie-ming CHEN. Android malware family classification method based on the image of bytecodeConstruction of MDS matrices[J]. Chinese Journal of Network and Information Security, 2016, 2(6): 38-43.

Figures/Tables 8

References 17

[1]	阿里聚安全[EB/OL]. . 2016.
	Ali poly security[EB/OL]. . 2016.
[2]	FOSSI M , EGAN G , HALEY K , et al. Symantec internet security threat report trends for 2010[R]. 2010.
[3]	CONTI G , DEAN E , SINDA M , et al. Visual reverse engineering of binary and data files[J]. Journal of General Physiology, 2008,115 (5):637.
[4]	ANDERSON B , STORLIE C , LANE T . Improving malware classi-fication:bridging the static/dynamic gap[C]// The 5th ACM Work-shop on Security and Artificial Intelligence.c 2012:3-14.
[5]	NATARAJ L , YEGNESWARAN V , PORRAS P , et al. A compara-tive assessment of malware classification using binary texture analysis and dynamic analysis[C]// The 4th ACM Workshop on Se-curity and Artificial Intelligence.c 2011:21-30.
[6]	NATARAJ L , KARTHIKEYAN S , JACOB G , et al. Malware im-ages:visualization and automatic classification[C]// The 8th Interna-tional Symposium on Visualization for Cyber Security,ACM.c 2011:4.
[7]	WU Y , YAP R . Experiments with malware visualization[M]// De-tection of Intrusions and Malware,and Vulnerability Assessment. Berlin Heidelberg: Springer, 2012:123-133.
[8]	HAN K , LIM J , IM E . Malware analysis method using visualization of binary files[C]// The 2013 Research in Adaptive and Convergent Systems,ACM.c 2013:317-321.
[9]	SHAID M , ZAINUDEEN S , MAAROF M . Malware behavior image for malware variant identification[C]// 2014 International Symposium on Biometrics and Security Technologies (ISBAST),IEEE.c 2014:238-243.
[10]	韩晓光，曲武，姚宣霞，等．基于纹理指纹的恶意代码变种检测方法研究[J]. 通信学报, 2014,35(8):125-136.
	HAN X G , QU W , YAO X X , et al. Malicious code variants detec-tion method based on texture fingerprint study[J]. Journal of Com-munications, 2014,35(8):125-136.
[11]	ZHOU Y , JIANG X . Dissecting android malware:characterization and evolution[C]// 2012 IEEE Symposium on Security and Privacy (SP),IEEE.c 2012:95-109.
[12]	ARP D , SPREITZENBARTH M , HUBNER M , et al. DREBIN:effective and explainable detection of android malware in your pocket[C]// Network and Distributed System Security Symposium (NDSS).c 2014.
[13]	ELENKOV N . Android security internals:an in-depth guide to android's security architecture[M]. No Starch Press, 2014.
[14]	OLIVA A , TORRALBA A . Modeling the shape of the scene:a holistic representation of the spatial envelope[J]. International Journal of Computer Vision, 2001,42 (3):145-175.
[15]	T-SNE[EB/OL]. . 2016.
[16]	HAN J , KAMBER M , PEI J , . Data mining[M] San Francisco: Morgan Kaufmann, 2011.
[17]	The drebin dataset[EB/OL]. . 2016.

Metrics

Recommended 0

No Suggested Reading articles found!

家族名称	样本数
BaseBridge	330
DroidDream	81
DroidKungFu	667
FakeDoc	132
FakeInstaller	925
FakeRun	61
Iconosys	152
Imlog	43
Kmin	147
MobileTx	69
Opfake	613
Plankton	625
SendPay	59
Gappusin	58

家族名称	TPR	FPR	Precision	Recall	F-Measure	AUC
BaseBridge	0.839	0.002	0.965	0.839	0.898	0.984
DroidDream	0.827	0.002	0.882	0.827	0.854	0.983
DroidKungFu	0.934	0.057	0.733	0.934	0.821	0.989
FakeDoc	0.962	0.001	0.977	0.962	0.969	0.995
FakeInstaller	0.969	0.011	0.956	0.969	0.962	0.999
FakeRun	0.951	0	1	0.951	0.975	1
Iconosys	0.961	0.004	0.885	0.961	0.921	0.999
Imlog	0.837	0	1	0.837	0.911	0.984
Kmin	0.98	0.001	0.973	0.98	0.976	1
MobileTx	1	0	0.986	1	0.993	1
Opfake	0.977	0.008	0.951	0.977	0.964	0.999
Plankton	0.974	0.005	0.965	0.974	0.97	0.998
SendPay	0.915	0.001	0.947	0.915	0.931	0.989
Gappusin	0.534	0	1	0.534	0.697	0.954

Android malware family classification method based on the image of bytecodeConstruction of MDS matrices

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 17

Related Articles 15

Metrics

Recommended 0

[1]	Dan LIN, Kaixin LIN, Jiajing WU, Zibin ZHENG. Bytecode-based approach for Ethereum smart contract classification [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 111-120.
[2]	Zhanhui YUAN, Zhi YANG, Hongqi ZHANG, Shuyuan JIN, Xuehui DU. Android complex information flow analysis method based on communicating sequential process [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 156-168.
[3]	Fan CHAO, Zhi YANG, Xuehui DU, Bing HAN. Classified risk assessment method of Android application based on multi-factor clustering selection [J]. Chinese Journal of Network and Information Security, 2021, 7(2): 161-173.
[4]	Xin ZHANG,Weizhong QIANG,Yueming WU,Deqing ZOU,Hai JIN. Mining behavior pattern of mobile malware with convolutional neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 35-44.
[5]	Fan CHAO,Zhi YANG,Xuehui DU,Yan SUN. Android malware detection method based on deep neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 67-79.
[6]	Ning FANG,Weibing CAO,Donghe NI,Guandong DI. Accelerating cryptographic computation with parallel computing mechanisms in Android platform [J]. Chinese Journal of Network and Information Security, 2019, 5(1): 50-55.
[7]	Futian SHI,Jian MAO,Jianwei LIU. Review of side-channel privacy inference of Android mobile devices [J]. Chinese Journal of Network and Information Security, 2018, 4(4): 12-21.
[8]	Xiaoyan ZHU,Hui ZHANG,Jianfeng MA. Privacy protection system based on Hook for Android [J]. Chinese Journal of Network and Information Security, 2018, 4(4): 38-47.
[9]	Jieming GU,Bowen SUN,Peng WU,Qi LI,Yanhui GUO. Anti-obfuscation Android application similarity detection method based on API call [J]. Chinese Journal of Network and Information Security, 2018, 4(1): 63-68.
[10]	Hui-ying YAN,Zhen-ji ZHOU,Li-fa WU,Zheng HONG,He SUN. Symbolic execution based control flow graph extraction method for Android native codes [J]. Chinese Journal of Network and Information Security, 2017, 3(7): 33-46.
[11]	Yi-lin YE,Zhen-ji ZHOU,Zheng HONG,Hui-ying YAN,Li-fa WU. Static-analysis-based event input generation approach for Android application [J]. Chinese Journal of Network and Information Security, 2017, 3(6): 21-32.
[12]	Ya-wei WANG,Chang-gen PENG,Hong-fa DING,Kai ZHOU. Identity authentication scheme of Android client based on identifiers [J]. Chinese Journal of Network and Information Security, 2017, 3(4): 32-38.
[13]	Xiao-min ZHANG,Jing LUI,Jun-xi ZHUANG,Ying-xu LAI. Research on Android malware detection based on permission and behavior [J]. Chinese Journal of Network and Information Security, 2017, 3(3): 51-57.
[14]	Jia CHEN,Shan-qing1 GUO. Toward discovering and exploiting private server-side Web API [J]. Chinese Journal of Network and Information Security, 2016, 2(12): 27-38.
[15]	Jing-qiang LIU,Bin LI,Li-zhang CHEN,Bin CHEN. Research based on the method of Android system active defense without Root permission [J]. Chinese Journal of Network and Information Security, 2016, 2(1): 65-73.