基于操作码的安卓恶意代码多粒度快速检测方法

doi:10.11959/j.issn.2096-109x.2019064

Abstract

Abstract:

The detection method based on opcode is widely used in Android malware detection,but it still contains some problems such as complex feature extraction method and low efficiency.In order to solve these problems,a multi-granularity fast detection method based on opcode for Android malware was proposed.Multi-granularity refers to the feature based on the bag of words model,and with the function as basic unit to extract features.By step-by-level aggregation feature,the APK multi-level information is obtained.The log length characterizes the scale of the function.And feature can be compressed and mapped to improve the efficiency and construct the corresponding classification model based on the semantic similarity of the Dalvik instruction set.Tests show that the proposed method has obvious advantages in performance and efficiency.

Key words: opcode, compression map, multi-granularity, rapid detection, convolutional neural networks

CLC Number:

TP393

Xuetao ZHANG,Meng SUN,Jinshuang WANG. Multi-granularity Android malware fast detection based on opcode[J]. Chinese Journal of Network and Information Security, 2019, 5(6): 85-94.

Figures/Tables 13

References 17

[1]	360互联网安全中心. 2018中国手机安全生态报告[R]. 2018.
	360 Internet Security Center. 2018 China mobile phone security ecological Report[R]. 2018.
[2]	ZHOU W , ZHOU Y J , JIANG X X ,et al. Detecting repackaged smartphone applications in third-party Android marketplaces[C]// The Second ACM Conference on Data and Application Security and Privacy. 2012: 317-326.
[3]	汪润, 唐奔宵, 王丽娜 . DeepRD:基于 Siamese LSTM 网络的Android重打包应用检测方法[J]. 通信学报, 2018,39(8): 69-82.
	WANG R , TANG B X , WANG L N . Deeprd:Android repackaging application detection method based on Siamese LSTM network[J]. Journal on Communications, 2018,39(8): 69-82.
[4]	TIAN K , YAO D D , RYDER B G ,et al. Detection of repackaged android malware with code-heterogeneity features[J]. IEEE Transactions on Dependable and Secure Computing, 2017: 1-1.
[5]	SHABTAI A , MOSKOVITCH R , FEHER C ,et al. Detecting unknown malicious code by applying classification techniques on opcode patterns[J]. Security Informatics, 2012,1(1): 1-22
[6]	LINDORFER M , NEUGSCHWANDTNER M , PLATZER C . MARVIN:efficient and comprehensive mobile app classification through static and dynamic analysis[C]// IEEE Computer Software＆ Applications Conference.IEEE Computer Society. 2015.
[7]	YERIMA S Y , SEZER S , MUTTIK I . High accuracy android malware detection using ensemble learning[J]. Iet Information Security, 2016,9(6): 313-320.
[8]	JEROME Q , ALLIX K , STATE R ,et al. Using opcode-sequences to detect malicious Android applications[C]// 2014 IEEE International Conference on Communications (ICC). 2014: 914-919.
[9]	KANG B J , YERIMA S Y , MCLAUGHLIN K ,et al. N-opcode analysis for android malware classification and categorization[C]// 2016 International Conference on Cyber Security and Protection of Digital Services (Cyber Security). 2016: 1-7.
[10]	YEWALE A , SINGH M . Malware detection based on opcode frequency[C]// IEEE International Conference on Advanced Communication Control ＆ Computing Technologies. 2017.
[11]	CHEN T , MAO Q , YANG Y ,et al. TinyDroid:a lightweight and efficient model for android malware detection and classification[J]. Mobile Information Systems, 2018: 1-9.
[12]	BAKHSHINEJAD N , HAMZEH A . A new compression based method for android malware detection using opcodes[C]// IEEE Artificial Intelligence and Signal Processing Conference. 2018: 256-261.
[13]	DONG H , HE N Q , HU G ,et al. Malware detection method of android application based on simplification instructions[J]. The Journal of China Universities of Posts and Telecommunications, 2014,21: 94-100.
[14]	KIM Y , . Convolutional neural networks for sentence classification[C]// The 2014 Conference on Empirical Methods in Natural Language Processing. 2014.
[15]	KLAMBAUER G , UNTERTHINER T , MAYR A ,et al. Self- normalizing neural networks[C]// Advances in Neural Information Processing Systems 30 (NIPS 2017). 2017: 971-980.
[16]	ARP D , SPREITZENBARTH M , HUBNER M ,et al. Drebin:effective and explainable detection of android malware in your pocket[C]// NDSS. 2014: 23-26.
[17]	MCLAUGHLIN N , RINCON J M D , KANG B J ,et al. Deep android malware detection[C]// ACM on Conference on Data ＆ Application Security ＆ Privacy. 2017.

Metrics

Recommended 0

No Suggested Reading articles found!

opcode指令	编码
move,move/from16,move/16,move-wide,move-wide/from16,move-wide/16,move-object,move-object/from16,move-object/16,move-result,move-result-wide,move-result-object,move-exception	0x01
return-void,return,return-wide,return-object	0x02
const/4,const/16,const,const/high16,const-wide/16,const-wide/32,const-wide,const-wide/high16,const-string,const-string/jumbo const-class	0x03
if-eq,if-ne,if-lt,if-ge,if-gt,if-le,if-eqz,if-nez,if-ltz,if-gez,if-gtz,if-lez	0x12
add-int,add-long,add-float,add-double,add-int/2addr,add-long/2addr,add-float/2addr,add-double/2addr,add-int/lit16,add-int/lit8	0x20

n值	基础特征数量	precession	recall	FNR	F-Score
5	32	0.992 7	0.976 1	0.023 9	0.984 4
4	16	0.981 1	0.983 4	0.016 6	0.982 2
3	8	0.982 8	0.957 0	0.043 0	0.969 8
2	4	0.973 5	0.930 9	0.069 1	0.951 7
1	2	0.977 4	0.911 0	0.089 0	0.943 0
0	1	0.971 1	0.893 6	0.106 4	0.930 7

n值	基础特征数量	precession	recall	FNR	F-Score
5	32	0.975 0	0.958 2	0.041 8	0.966 5
4	16	0.964 8	0.962 5	0.037 5	0.963 7
3	8	0.959 4	0.974 8	0.025 2	0.967 0
2	4	0.954 5	0.938 8	0.061 2	0.946 6
1	2	0.949 4	0.931 4	0.068 6	0.940 3
0	1	0.943 1	0.927 0	0.073 0	0.935 0

检测方法	precession	recall	FNR	F-Score
文献[17]	0.99	0.95	0.05	0.97
本文方法	0.99	0.97	0.03	0.98

检测方法	T/s	precession
文献[16]	54	0.97
文献[17]	35	0.98
本文方法	17	0.98

Multi-granularity Android malware fast detection based on opcode

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 13

References 17

Related Articles 2

Metrics

Recommended 0

[1]	Xin ZHANG,Weizhong QIANG,Yueming WU,Deqing ZOU,Hai JIN. Mining behavior pattern of mobile malware with convolutional neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 35-44.
[2]	Xiaotao CHENG,Lixin JI,Ruiyang HUANG,Hongtao YU,Yizhuo YANG. User behavior pattern mining method based on multi-dimension and multi-granularity analysis in telecom networks [J]. Chinese Journal of Network and Information Security, 2018, 4(10): 39-51.