基于改进随机森林算法的Android恶意软件检测

doi:10.11959/j.issn.1000-436x.2017073

通信学报 ›› 2017, Vol. 38 ›› Issue (4): 8-16.doi: 10.11959/j.issn.1000-436x.2017073

基于改进随机森林算法的Android恶意软件检测

杨宏宇,徐晋

中国民航大学计算机科学与技术学院，天津 300300

修回日期:2017-02-21 出版日期:2017-04-01 发布日期:2017-07-20
作者简介:杨宏宇（1969-），男，吉林长春人，博士，中国民航大学教授，主要研究方向为网络信息安全。|徐晋（1991-），男，安徽合肥人，中国民航大学硕士生，主要研究方向为移动安全。
基金资助:
国家科技重大专项基金资助项目(2012ZX03002002);中国民航科技基金资助项目(MHRD201009);中国民航科技基金资助项目(MHRD201205)

Android malware detection based on improved random forest

Hong-yu YANG,Jin XU

School of Computer Science and Technology,Civil Aviation University of China,Tianjin 300300,China

Revised:2017-02-21 Online:2017-04-01 Published:2017-07-20
Supported by:
The National Science and Technology Major Project(2012ZX03002002);The Science ＆ Technology Project of CAAC(MHRD201009);The Science ＆ Technology Project of CAAC(MHRD201205)

摘要/Abstract

摘要：

针对随机森林（RF,random forest）算法的投票原则无法区分强分类器与弱分类器差异的缺陷，提出一种加权投票改进方法，在此基础上，提出一种检测 Android 恶意软件的改进随机森林分类模型（IRFCM,improved random forest classification model）。IRFCM选取AndroidManifest.xml文件中的Permission信息和Intent信息作为特征属性并进行优化选择，然后应用该模型对最终生成的特征向量进行检测分类。Weka 环境下的实验结果表明IRFCM具有较好的分类精度和分类效率。

关键词: 随机森林, 加权投票, 恶意软件, 分类检测

Abstract:

Aiming at the defect of vote principle in random forest algorithm which is incapable of distinguishing the differences between strong classifier and weak classifier,a weighted voting improved method was proposed,and an improved random forest classification (IRFCM) was proposed to detect Android malware on the basis of this method.The IRFCM chose Permission information and Intent information as attribute features from AndroidManifest.xml files and optimized them,then applied the model to classify the final feature vectors.The experimental results in Weka environment show that IRFCM has better classification accuracy and classification efficiency.

Key words: random forest, weighted vote, malware, classification detection

中图分类号:

TP309

杨宏宇,徐晋. 基于改进随机森林算法的Android恶意软件检测[J]. 通信学报, 2017, 38(4): 8-16.

Hong-yu YANG,Jin XU. Android malware detection based on improved random forest[J]. Journal on Communications, 2017, 38(4): 8-16.

图/表 11

图1

图2

图3

表1

图4

表2

表3

图5

图6

表4

表5

参考文献 16

[1]	张怡婷, 张扬, 张涛 ,等. 基于朴素贝叶斯的 Android 软件恶意行为智能识别[J]. 东南大学学报:自然科学版, 2015,45(2): 224-230.
	ZHANG Y T , ZHANG Y , ZHANG T ,et al. Intelligent identification of malicious behavior in Android applications based on naive Bayes[J]. Journal of Southeast University:Natural Science Edition, 2015,45(2): 224-230.
[2]	张锐, 杨吉云 . 基于权限相关性的 Android 恶意软件检测[J]. 计算机应用, 2014,34(5): 1322-1325.
	ZHANG R , YANG J Y . Android malware detection based on permission correlation[J]. Journal of Computer Applications, 2014,34(5): 1322-1325.
[3]	许艳萍, 伍淳华, 侯美佳 ,等. 基于改进朴素贝叶斯的 Android 恶意应用检测技术[J]. 北京邮电大学学报, 2016,39(2): 43-47.
	XU Y P , WU C H , HOU M J ,et al. Android malware detection technology based on improved naive Bayesian[J]. Journal of Beijing University of Posts and Telecommunications, 2016,39(2): 43-47.
[4]	LI W , GE J , DAI G . Detecting malware for Android platform:an svm-based approach[C]// IEEE,International Conference on Cyber Security and Cloud Computing. New Jersey,USA:IEEE, 2015: 464-469.
[5]	FEIZOLLAH A , ANUAR N B , SALLEH R ,et al. Comparative study of k-means and mini batch k-means clustering algorithms in Android malware detection using network traffic analysis[C]// International Symposium on Biometrics and Security Technologies. New Jersey,USA:IEEE, 2014: 193-197.
[6]	YUAN Z , LU Y , XUE Y . Droid detector:Android malware characterization and detection using deep learning[J]. Tsinghua Science ＆Technology, 2016,21(1): 114-123.
[7]	文伟平, 梅瑞, 宁戈 ,等. Android恶意软件检测技术分析和应用研究[J]. 通信学报, 2014,35(8): 78-85.
	WEN W P , MEI R , NING G ,et al. Malware detection technology analysis and applied research of Android platform[J]. Journal on Communications, 2014,35(8): 78-85.
[8]	杨欢, 张玉清, 胡予濮 ,等. 基于多类特征的 Android 应用恶意行为检测系统[J]. 计算机学报, 2014,37(1): 15-27.
	YANG H , ZHANG Y Q , HU Y P ,et al. A malware behavior detection system of Android applications based on multi-class features[J]. Chinese Journal of Computers, 2014,37(1): 15-27.
[9]	FEIZOLLAH A , ANUAR N B , SALLEH R ,et al. A review on feature selection in mobile malware detection[J]. Digital Investigation, 2015,6(13): 22-37.
[10]	SHARMA A , DASH S K . Mining API calls and permissions for android malware detection[M]. Cryptology and Network Security. Berlin,Germany: Springer International PublishingPress, 2014: 191-205.
[11]	YANG X L . Malicious detection based on ReliefF and boosting multidimensional features[J]. Journal of Communications, 2015,10(11): 910-917.
[12]	ROBNIK?IKONJA M , KONONENKO I . Theoretical and empirical analysis of ReliefF and RReliefF[J]. Machine Learning, 2003,53(1): 23-69.
[13]	BREIMAN L . Random forest[J]. Machine Learning, 2001,5(1): 5-32.
[14]	ALAM M S , VUONG S T . Random forest classification for detecting android malware[C]// Green Computing and Communications. 2013: 663-669.
[15]	丰生强 . Android软件安全与逆向分析[M]. 北京: 人民邮电出版社, 2013.
	FENG S Q . Android software security and reverse analysis[M]. Beijing: PTPRESSPress, 2013.
[16]	JIANG X , ZHOU Y . Dissecting Android malware:characterization and evolution[C]// IEEE Symposium on Security ＆ Privacy. New Jersey,USA:IEEE, 2012: 95-109.

硬件配置	软件环境
Intel Core i7-3770 CPU @ 3.40 GHz	Windows7 64位操作系统
4.0 GB RAM	Weka3.8

排名	特征属性	IG值
1	SYSTEM_ALERT_WINDOW	0.477
2	BROWSABLE	0.424
3	WRITE_SETTINGS	0.380
4	VIEW	0.336
5	GET_TASKS	0.291
6	DEFAULT	0.281
7	CAMERA	0.272
8	MOUNT_UNMOUNT_FILESYSTEMS	0.251
9	CHANGE_NETWORK_STATE	0.239
10	RECORD_AUDIO	0.199
11	WAKE_LOCK	0.168
12	VIBRATE	0.131
13	READ_EXTERNAL_STORAGE	0.130
14	CHANGE_WIFI_STATE	0.119
15	ACCESS_COARSE_LOCATION	0.117
16	WRITE_SMS	0.117
17	READ_LOGS	0.107
18	WRITE_EXTERNAL_STORAGE	0.105
19	ACCESS_WIFI_STATE	0.102
20	ACCESS_FINE_LOCATION	0.092
21	WRITE_APN_SETTINGS	0.069
22	ACCESS_NETWORK_STATE	0.063
23	READ_SMS	0.062
24	DISABLE_KAYGUARD	0.055
25	INSTALL_PACKAGES	0.046
26	SEND	0.046
27	CHINAMOBILE_OMS_GAME	0.035
28	CHINAMOBILE_GAMES	0.035
29	WRITE_CONTACTS	0.034
30	RECEIVE_BOOT_COMPLETED	0.027
31	SEND_MULTIPLE	0.024
32	LEANBACK_LAUNCHER	0.020
33	MULTIWINDOW_LAUNCHER	0.013
34	RECEIVE_SMS	0.011
35	CREATE_SHORTCUT	0.009

排名	特征属性	ReliefF值
1	WRITE_SMS	0.309
2	READ_SMS	0.301
3	MOUNT_UNMOUNT_FILESYSTEMS	0.298
4	CHANGE_WIFI_STATE	0.292
5	CALL_PHONE	0.250
6	SYSTEM_ALERT_WINDOW	0.246
7	WRITE_SETTINGS	0.246
8	GET_TASKS	0.223
9	SEND_SMS	0.217
10	BROWSABLE	0.217
11	RECEIVE_BOOT_COMPLETED	0.214
12	READ_LOGS	0.214
13	WRITE_APN_SETTINGS	0.204
14	DEFAULT	0.197
15	WRITE_CONTACTS	0.183
16	RECEIVE_SMS	0.181
17	DISABLE_KAYGUARD	0.178
18	VIEW	0.166
19	ACCESS_FINE_LOCATION	0.163
20	CAMERA	0.163
21	CHANGE_NETWORK_STATE	0.159
22	ACCESS_COARSE_LACATION	0.156
23	READ_CONTACTS	0.155
24	INSTALL_PACKAGES	0.154
25	ACCESS_WIFI_STATE	0.145
26	READ_EXTERNAL_STORAGE	0.139
27	VIBRATE	0.129
28	WRITE_EXTERNAL_STORAGE	0.129
29	RESTART_PACKAGES	0.124
30	WAKE_LOCK	0.099
31	SET_WALLPAPAER	0.084
32	ACCESS_NETWORK_STATE	0.083
33	RECORD_AUDIO	0.054
34	READ_PHONE_STATE	0.039
35	HOME	0.024

指标	NB	J48	RF	IRF
真正类TP	1 233	1 240	1 250	1 254
假正类FP	101	50	40	31
真负类TN	573	624	634	643
假负类FN	27	20	10	6
真正类TPR	0.979	0.984	0.992	0.995
假正类FPR	0.150	0.074	0.059	0.046
分类精度ACC	0.934	0.964	0.974	0.981

算法	建模时间/s
NB	0.01
J48	0.06
RF	0.22
IRF	0.24

基于改进随机森林算法的Android恶意软件检测

Android malware detection based on improved random forest

在线阅读

PDF下载

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 11

参考文献 16

相关文章 10

Metrics

推荐阅读 0

[1]	付晓东, 漆鑫鑫, 刘骊, 彭玮, 丁家满, 代飞. 基于权力指数的DPoS共谋攻击检测与预防[J]. 通信学报, 2022, 43(12): 123-133.
[2]	王惠琴, 侯文斌, 彭清斌, 曹明华, 黄瑞, 刘玲. 基于K均值聚类的SPPM分步分类检测算法[J]. 通信学报, 2022, 43(1): 161-171.
[3]	周翰逊,陈晨,冯润泽,熊俊坤,潘宏,郭薇. 基于值导数GRU的移动恶意软件流量检测方法[J]. 通信学报, 2020, 41(1): 102-113.
[4]	吴志军,周胜琰,雷缙. 基于态势感知的SWIM服务权限主动移交模型[J]. 通信学报, 2019, 40(8): 123-132.
[5]	胡建伟,车欣,周漫,崔艳鹏. 基于高斯混合模型的增量聚类方法识别恶意软件家族[J]. 通信学报, 2019, 40(6): 148-159.
[6]	刘琳岚,高声荣,舒坚. 基于随机森林的链路质量预测[J]. 通信学报, 2019, 40(4): 202-211.
[7]	徐渊,杨超,杨力. 基于移动端协助的远程用户单一口令认证方法[J]. 通信学报, 2019, 40(2): 174-187.
[8]	沈焱萍,郑康锋,伍淳华,杨义先. 智能启发算法在机器学习中的应用研究综述[J]. 通信学报, 2019, 40(12): 124-137.
[9]	周胜利,金苍宏,吴礼发,洪征. 基于评分卡—随机森林的云计算用户公共安全信誉模型研究[J]. 通信学报, 2018, 39(5): 143-152.
[10]	穆海蓉,丁丽萍,宋宇宁,卢国庆. DiffPRFs：一种面向随机森林的差分隐私保护算法[J]. 通信学报, 2016, 37(9): 175-182.