基于权限频繁模式挖掘算法的Android恶意应用检测方法

doi:10.3969/j.issn.1000-436x.2013.z1.014

摘要/Abstract

摘要：

Android应用所申请的各个权限可以有效反映出应用程序的行为模式，而一个恶意行为的产生需要多个权限的配合，所以通过挖掘权限之间的关联性可以有效检测未知的恶意应用。以往研究者大多关注单一权限的统计特性，很少研究权限之间关联性的统计特性。因此，为有效检测Android平台未知的恶意应用，提出了一种基于权限频繁模式挖掘算法的Android恶意应用检测方法，设计了能够挖掘权限之间关联性的权限频繁模式挖掘算法—PApriori。基于该算法对49个恶意应用家族进行权限频繁模式发现，得到极大频繁权限项集，从而构造出权限关系特征库来检测未知的恶意应用。最后，通过实验验证了该方法的有效性和正确性，实验结果表明所提出的方法与其他相关工作对比效果更优。

关键词: 频繁模式, 数据挖掘, 恶意应用检测, 权限特征, Android系统

Abstract:

The permissions requested by Android applications reflect the behavior sequence of the application. While a generation of malicious behavior usually requires the cooperation of multiple permissions, so mining the association be-tween permissions can effectively detect unknown malicious applications. Most researchers concerned the statistical properties of a single permission, and there was little researchers studying the statistical properties of the association be-tween permissions. In order to detect unknown Android malwares, an Android malware detection method based on per-mission sequential pattern mining algorithm was proposed. The proposed method design a permission sequential pattern mining algorithm PApriori to dig out permissions association. PApriori algorithm could discover permission sequential pattern from 49 malware families and build the permissions association dataset to detect malware. The experiment results prove that it performs better than other related work in efficiency and accuracy.

Key words: sequential pattern mining, data mining, malware detection, permission feature, Android OS

杨欢,张玉清,胡予濮,刘奇旭. 基于权限频繁模式挖掘算法的Android恶意应用检测方法[J]. 通信学报, 2013, 34(Z1): 106-115.

Huan YANG,Yu-qing ZHANG,Yu-pu HU,Qi-xu LIU. Android malware detection method based on permission sequential pattern mining algorithm[J]. Journal on Communications, 2013, 34(Z1): 106-115.

图/表 7

表1

表2

图1

图2

表4

表3

表5

参考文献 22

[1]	Gartner says worldwide sales of mobile phones declined 3 percent in third quarter of 2012; smartphone sales increased 47 percent[EB/OL]. , 2013.
[2]	中国互联网络信息中心[EB/OL]. , 2013.China internet network information center[EB/OL]. , 2013.
[3]	下载APP安装信息被盗主因：盲目授权致信息泄露[EB/OL]. , 2013.Information stolen during download and installation APP, main reason:information disclosure due to blind authorization[EB/OL]. , 2013.
[4]	WITTEN I H . Data Mining: Practical Machine Learning Tools and Techniques[M]. Beijing: China Machine Press, 2012.
[5]	李海峰，章宁，朱建明等．时间敏感数据流上的频繁项集挖掘算法[J]．计算机学报， 2012,35(11):2283-2293. LI H F , ZHANG N , ZHU J M , et al. Frequent itemset mining over time-sensitive streams[J]. Chinese Journal of Computers, 2012,35(11):2283-2293.
[6]	Androguard[EB/OL]. , 2013.
[7]	JIANG X X . An evaluation of the application (″app″) verification service in Android 4.2[EB/OL]. , 2013.
[8]	ZHOU Y J , WANG Z , ZHOU W , et al. 2012 Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets[A]. Proceedings of the 19th Annual Network ＆ Distributed System Security Symposium[C]. 2012.1-13.
[9]	ENCK W , ONGTANG M , MCDANIEL P . On lightweight mobile phone application certification[A]. Proceedings of the 16th ACM Con-ference on Computer and Communications Security CCS '09[C]. Chi-cago, IL, USA, 2009.235-245.
[10]	BARRER D , KAYACIK H G , VAN OORSCHOT P C , et al. A meth-odology for empirical analysis of permission-based security models and its application to Android[A]. Proceedings of the 17th ACM Con-ference on Computer and Communications Security CCS '10[C]. Chi-cago, IL, USA, 2010.73-84.
[11]	FELT A P , CHIN E , HANNA S , et al. Android permissions demysti-fied[A]. Proceedings of the 18th ACM Conference on Computer and Communications Security CCS '11[C]. Chicago, IL, USA, 2011.627-638.
[12]	WEI X T , GOMEZ L , NEAMTIU I , et al. Permission evolution in the Android ecosystem[A]. Proceedings of the 28th Annual Computer Se-curity Applications Conference ACSAC '12[C]. Orlando, Florida, USA, 2012.31-40.
[13]	WU D J , MAO C H , WEI T E , et al. DroidMat: Android malware detection through manifest and API calls tracing[A]. Proceedings of the Seventh Asia Joint Conference on Information Security Asia JCIS 2012[C]. Tokyo, Japan, 2012.62-69.
[14]	SHABTAI A , KANONOY U , ELOVICI Y , et al. Andromaly: a behav-ioral malware detection framework for Android devices[J]. Journal of Intelligent Information Systems, 2012,38 (1):161-190.
[15]	IKER B , URKO Z , SIMIN N T . Crowdroid: behavior-based malware detection system for Android[A]. Proceedings of the ACM CCS workshop on Security and Privacy in Smartphones and Mobile De-vices SPSM'11[C]. Chicago, Illinois, USA, 2011.15-26.
[16]	AGRAWAL R , IMIELINSKI T , SWAMI A N . Ming association rules between sets of items in large databases[A]. Proceedings of the 1993 ACM SIGMOD the International Conference on Management of Data[C]. Washington DC, USA, 1993.207-216.
[17]	WANG L N , TAN X B , PAN J F , et al. Application of prefixspan*algorithm in malware detection expert system[A]. Proceedings of the First International Workshop on Education Technology and Computer Science[C]. 2009.448-452.
[18]	HAN J W , KAMBER M . Data Mining Concepts and Techniques[M]. Elsevier Inc San Francisco, 2007.
[19]	KANTARDZIC M . Data mining: concepts, models, methods, and algorithms[A]. IEEE Computer Society, A John Wiley ＆ Sons[C]. Hoboken, NJ, 2003.143-151.
[20]	ZHOU Y J , JIANG X X . Dissecting Android malware: characteriza-tion and evolution[A]. Proceedings of the 33rd IEEE Symposium on Security and Privacy[C]. Oakland, USA, 2012.95-109.
[21]	Google-play-crawler[EB/OL]. , 2012.
[22]	The Android manifest.xml file[EB/OL]. , 2013.

TID	权限项集
1.apk	ACCESS_NETWORK_STATE, READ_PHONE_STATE, AC-CESS_FINE_LOCATION
2.apk	INTERNET, READ_PHONE_STATE, SEND_SMS
3.apk	ACCESS_NETWORK_STATE,INTERNET,READ_PHONE_STATE, SEND_SMS
4.apk	INTERNET, SEND_SMS

迭代次数	侯选权限项集	计数	S/%	选择
	{ ACCESS_NETWORK_STATE }	2	50	取
	{ READ_PHONE_STATE }	3	75	取
第一次	{ ACCESS_FINE_LOCATION }	1	25	舍
	{ INTERNET }	3	75	取
	{ SEND_SMS }	3	75	取
	{ ACCESS_NETWORK_STATE,INTERNET }	1	25	舍
	{ ACCESS_NETWORK_STATE，READ_PHONE_STATE }	2	50	取
第二次	{ ACCESS_NETWORK_STATE,SEND_SMS }	1	25	舍

	{ INTERNET，READ_PHONE_STATE }	2	50	取

	{ INTERNET，SEND_SMS }	3	75	取
	{ READ_PHONE_STATE,SEND_SMS }	2	50	取
第三次	{ INTERNET,READ_PHONE_STATE,SEND_SMS }	2	50	取

序号	权限规则
1	SET_DEBUG_APP
2	READ_PHONE_STATE, RECORD_AUDIO, INTERNET
3	PROCESS_OUTGOING_CALL, RECORD_AUDIO, INTER-NET
4	ACCESS_FINE_LOCATION, INTERNET, RECEIVE_BOOT_COMPLETE
5	ACCESS_COARSE_LOCATION, INTERNET, RECEIVE_BOOT_COMPLETE
6	RECEIVE_SMS, WRITE_SMS
7	SEND_SMS, WRITE_SMS
8	INSTALL_SHORTCUT, UNINSTALL_SHORTCUT
9	SET_PREFERRED_APPLICATION

恶意代码族	DroidRanger得出的敏感权限	本文方法得出的极大频繁权限项集
ADRD	INTERNET, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED	INTERNET, ACCESS_NETWORK_STATE, MODIFY_PHONE_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, WRITE_APN_SETTINGS, WRITE_EXTERNAL_STORAGE
Bgserv	INTERNET, RECEIVE_SMS, SEND_SMS	INTERNET, RECEIVE_SMS, ACCESS_WIFI_STATE, WAKE_LOCK, ACCESS_NETWORK_STATE, SEND_SMS, RECEIVE_BOOT_COMPLETED, READ_ PHONE_STATE, BROADCAST_SMS, CHANGE_NETWORK_STATE, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, WRITE_EXTERNAL_STORAGE,
DroidDream	CHANGE_WIFI_STATE	INTERNET, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, READ_PHONE_STATE
DroidDreamLight	INTERNET, READ_PHONE_STATE	INTERNET, READ_CONTACTS, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED, READ_PHONE_STATE , GET_ACCOUNTS, READ_SMS
Geinimi	INTERNET, SEND_SMS	INTERNET, ACCESS_FINE_LOCATION, CALL_PHONE, MOUNT_UNMOUNT_FILESYSTEMS, READ_CONTACTS, READ_PHONE_STATE, SEND_SMS, SET_WALLPAPER, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE
jSMSHider	INSTALL_PACKAGES	INTERNET, ACCESS_NETWORK_STATE, DELETE_PACKAGES, READ_PHONE_STATE , ACCESS_COARSE_LOCATION, INSTALL_PACKAGES,
Pjapps	INTERNET, RECEIVE_SMS	INTERNET, RECEIVE_SMS, SEND_SMS, READ_PHONE_STATE, WRITE_ EX-TERNAL_ STORAGE
Zsone	RECEIVE_SMS, SEND_SMS	INTERNET, RECEIVE_SMS, SEND_SMS, RESTART_PACKAGES, ACCESS_COARSE_LOCATION
zHash	CHANGE_WIFI_STATE	INTERNET, READ_CONTACTS, ADD_SYSTEM_SERVICE, CHANGE_WIFI_STATE, RECEIVE_SMS, MODIFY_PHONE_STATE, ACCESS_WIFI_STATE, ACCESS_NETWORK_STATE, MODIFY_AUDIO_SETTINGS, PROCESS_ OUTGOING_CALLS, SEND_SMS, WRITE_SMS, CALL_PHONE, READ_PHONE_STATE, CHANGE_NETWORK_STATE, READ_SMS

恶意代码族	样本个数	Androguard	Google	Kirin	本文方法	恶意代码族	样本个数	Androguard	Google	Kirin	本文方法
ADRD	22	19	8	1	19	AnserverBot	187	0	2	2	187
Asroot*	8	0	5	0	0	BaseBridge	122	100	7	3	82
BeanBot	8	0	0	0	7	Bgserv	9	0	0	0	8
CoinPirate	1	0	0	0	1	CruseWin	2	0	0	0	2
DogWars	1	0	1	0	1	DroidCoupon*	1	0	0	0	0
DroidDeluxe*	1	1	0	0	0	DroidDream*	16	16	6	0	0
DroidDreamLight	46	0	18	0	31	DroidKungFu1	34	33	8	1	22
DroidKungFu2	30	30	9	0	13	DroidKungFu3	309	285	21	14	228
DroidKungFu4	96	96	18	0	89	DroidKungFuSapp	3	0	0	3	3
DroidKungFuUpdate*	1	0	0	0	0	Endofday	1	0	0	0	1
FakeNetflix	1	0	0	0	1	FakePlayer*	6	0	5	0	0
GamblerSMS	1	0	0	1	1	Geinimi	69	67	11	3	53
GGTracker	1	0	1	0	1	GingerMaster	4	4	2	0	4
GoldDream	47	32	6	0	46	Gone60	9	0	0	0	9
GPSSMSSpy	6	0	1	0	6	HippoSMS	4	3	1	0	4
Jifake	1	0	0	0	1	jSMSHider	16	16	4	0	9
KMin	52	52	39	0	52	LoveTrap	1	1	0	0	1
NickyBot	1	0	0	1	1	NickySpy	2	2	0	2	2
Pjapps	58	40	8	3	55	Plankton*	11	11	2	1	0
RogueLemon	2	0	0	0	2	RogueSPPush	9	9	0	0	3
SMSReplicator	1	0	0	0	1	SndApps	10	10	0	0	10
Spitmo	1	0	0	0	1	Tapsnake*	2	1	1	0	0
Walkinwat	1	1	1	0	1	YZHC	22	22	3	1	22
zHash	11	0	1	0	11	Zitmo	1	0	0	0	1
Zsone	12	12	4	0	11
总共	1 260	863	193	36	1 003
注：标注*的是本文方法忽略的恶意应用家族，检测率为0。