基于改进随机森林算法的Android恶意软件检测

doi:10.11959/j.issn.1000-436x.2017073

Abstract

Abstract:

Aiming at the defect of vote principle in random forest algorithm which is incapable of distinguishing the differences between strong classifier and weak classifier,a weighted voting improved method was proposed,and an improved random forest classification (IRFCM) was proposed to detect Android malware on the basis of this method.The IRFCM chose Permission information and Intent information as attribute features from AndroidManifest.xml files and optimized them,then applied the model to classify the final feature vectors.The experimental results in Weka environment show that IRFCM has better classification accuracy and classification efficiency.

Key words: random forest, weighted vote, malware, classification detection

CLC Number:

TP309

Hong-yu YANG,Jin XU. Android malware detection based on improved random forest[J]. Journal on Communications, 2017, 38(4): 8-16.

Figures/Tables 11

References 16

[1]	张怡婷, 张扬, 张涛 ,等. 基于朴素贝叶斯的 Android 软件恶意行为智能识别[J]. 东南大学学报:自然科学版, 2015,45(2): 224-230.
	ZHANG Y T , ZHANG Y , ZHANG T ,et al. Intelligent identification of malicious behavior in Android applications based on naive Bayes[J]. Journal of Southeast University:Natural Science Edition, 2015,45(2): 224-230.
[2]	张锐, 杨吉云 . 基于权限相关性的 Android 恶意软件检测[J]. 计算机应用, 2014,34(5): 1322-1325.
	ZHANG R , YANG J Y . Android malware detection based on permission correlation[J]. Journal of Computer Applications, 2014,34(5): 1322-1325.
[3]	许艳萍, 伍淳华, 侯美佳 ,等. 基于改进朴素贝叶斯的 Android 恶意应用检测技术[J]. 北京邮电大学学报, 2016,39(2): 43-47.
	XU Y P , WU C H , HOU M J ,et al. Android malware detection technology based on improved naive Bayesian[J]. Journal of Beijing University of Posts and Telecommunications, 2016,39(2): 43-47.
[4]	LI W , GE J , DAI G . Detecting malware for Android platform:an svm-based approach[C]// IEEE,International Conference on Cyber Security and Cloud Computing. New Jersey,USA:IEEE, 2015: 464-469.
[5]	FEIZOLLAH A , ANUAR N B , SALLEH R ,et al. Comparative study of k-means and mini batch k-means clustering algorithms in Android malware detection using network traffic analysis[C]// International Symposium on Biometrics and Security Technologies. New Jersey,USA:IEEE, 2014: 193-197.
[6]	YUAN Z , LU Y , XUE Y . Droid detector:Android malware characterization and detection using deep learning[J]. Tsinghua Science ＆Technology, 2016,21(1): 114-123.
[7]	文伟平, 梅瑞, 宁戈 ,等. Android恶意软件检测技术分析和应用研究[J]. 通信学报, 2014,35(8): 78-85.
	WEN W P , MEI R , NING G ,et al. Malware detection technology analysis and applied research of Android platform[J]. Journal on Communications, 2014,35(8): 78-85.
[8]	杨欢, 张玉清, 胡予濮 ,等. 基于多类特征的 Android 应用恶意行为检测系统[J]. 计算机学报, 2014,37(1): 15-27.
	YANG H , ZHANG Y Q , HU Y P ,et al. A malware behavior detection system of Android applications based on multi-class features[J]. Chinese Journal of Computers, 2014,37(1): 15-27.
[9]	FEIZOLLAH A , ANUAR N B , SALLEH R ,et al. A review on feature selection in mobile malware detection[J]. Digital Investigation, 2015,6(13): 22-37.
[10]	SHARMA A , DASH S K . Mining API calls and permissions for android malware detection[M]. Cryptology and Network Security. Berlin,Germany: Springer International PublishingPress, 2014: 191-205.
[11]	YANG X L . Malicious detection based on ReliefF and boosting multidimensional features[J]. Journal of Communications, 2015,10(11): 910-917.
[12]	ROBNIK?IKONJA M , KONONENKO I . Theoretical and empirical analysis of ReliefF and RReliefF[J]. Machine Learning, 2003,53(1): 23-69.
[13]	BREIMAN L . Random forest[J]. Machine Learning, 2001,5(1): 5-32.
[14]	ALAM M S , VUONG S T . Random forest classification for detecting android malware[C]// Green Computing and Communications. 2013: 663-669.
[15]	丰生强 . Android软件安全与逆向分析[M]. 北京: 人民邮电出版社, 2013.
	FENG S Q . Android software security and reverse analysis[M]. Beijing: PTPRESSPress, 2013.
[16]	JIANG X , ZHOU Y . Dissecting Android malware:characterization and evolution[C]// IEEE Symposium on Security ＆ Privacy. New Jersey,USA:IEEE, 2012: 95-109.

Metrics

Recommended 0

No Suggested Reading articles found!

硬件配置	软件环境
Intel Core i7-3770 CPU @ 3.40 GHz	Windows7 64位操作系统
4.0 GB RAM	Weka3.8

排名	特征属性	IG值
1	SYSTEM_ALERT_WINDOW	0.477
2	BROWSABLE	0.424
3	WRITE_SETTINGS	0.380
4	VIEW	0.336
5	GET_TASKS	0.291
6	DEFAULT	0.281
7	CAMERA	0.272
8	MOUNT_UNMOUNT_FILESYSTEMS	0.251
9	CHANGE_NETWORK_STATE	0.239
10	RECORD_AUDIO	0.199
11	WAKE_LOCK	0.168
12	VIBRATE	0.131
13	READ_EXTERNAL_STORAGE	0.130
14	CHANGE_WIFI_STATE	0.119
15	ACCESS_COARSE_LOCATION	0.117
16	WRITE_SMS	0.117
17	READ_LOGS	0.107
18	WRITE_EXTERNAL_STORAGE	0.105
19	ACCESS_WIFI_STATE	0.102
20	ACCESS_FINE_LOCATION	0.092
21	WRITE_APN_SETTINGS	0.069
22	ACCESS_NETWORK_STATE	0.063
23	READ_SMS	0.062
24	DISABLE_KAYGUARD	0.055
25	INSTALL_PACKAGES	0.046
26	SEND	0.046
27	CHINAMOBILE_OMS_GAME	0.035
28	CHINAMOBILE_GAMES	0.035
29	WRITE_CONTACTS	0.034
30	RECEIVE_BOOT_COMPLETED	0.027
31	SEND_MULTIPLE	0.024
32	LEANBACK_LAUNCHER	0.020
33	MULTIWINDOW_LAUNCHER	0.013
34	RECEIVE_SMS	0.011
35	CREATE_SHORTCUT	0.009

排名	特征属性	ReliefF值
1	WRITE_SMS	0.309
2	READ_SMS	0.301
3	MOUNT_UNMOUNT_FILESYSTEMS	0.298
4	CHANGE_WIFI_STATE	0.292
5	CALL_PHONE	0.250
6	SYSTEM_ALERT_WINDOW	0.246
7	WRITE_SETTINGS	0.246
8	GET_TASKS	0.223
9	SEND_SMS	0.217
10	BROWSABLE	0.217
11	RECEIVE_BOOT_COMPLETED	0.214
12	READ_LOGS	0.214
13	WRITE_APN_SETTINGS	0.204
14	DEFAULT	0.197
15	WRITE_CONTACTS	0.183
16	RECEIVE_SMS	0.181
17	DISABLE_KAYGUARD	0.178
18	VIEW	0.166
19	ACCESS_FINE_LOCATION	0.163
20	CAMERA	0.163
21	CHANGE_NETWORK_STATE	0.159
22	ACCESS_COARSE_LACATION	0.156
23	READ_CONTACTS	0.155
24	INSTALL_PACKAGES	0.154
25	ACCESS_WIFI_STATE	0.145
26	READ_EXTERNAL_STORAGE	0.139
27	VIBRATE	0.129
28	WRITE_EXTERNAL_STORAGE	0.129
29	RESTART_PACKAGES	0.124
30	WAKE_LOCK	0.099
31	SET_WALLPAPAER	0.084
32	ACCESS_NETWORK_STATE	0.083
33	RECORD_AUDIO	0.054
34	READ_PHONE_STATE	0.039
35	HOME	0.024

指标	NB	J48	RF	IRF
真正类TP	1 233	1 240	1 250	1 254
假正类FP	101	50	40	31
真负类TN	573	624	634	643
假负类FN	27	20	10	6
真正类TPR	0.979	0.984	0.992	0.995
假正类FPR	0.150	0.074	0.059	0.046
分类精度ACC	0.934	0.964	0.974	0.981

算法	建模时间/s
NB	0.01
J48	0.06
RF	0.22
IRF	0.24

Android malware detection based on improved random forest

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 11

References 16

Related Articles 15

Metrics

Recommended 0

[1]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[2]	Zhijun WU,Shengyan ZHOU,Jin LEI. Proactive migration model of SWIM service based on situation awareness [J]. Journal on Communications, 2019, 40(8): 123-132.
[3]	HU Jianwei,CHE Xin,ZHOU Man,CUI Yanpeng. Incremental clustering method based on Gaussian mixture model to identify malware family [J]. Journal on Communications, 2019, 40(6): 148-159.
[4]	Linlan LIU,Shengrong GAO,Jian SHU. Link quality prediction based on random forest [J]. Journal on Communications, 2019, 40(4): 202-211.
[5]	Yuan XU,Chao YANG,Li YANG. Single password authentication method for remote user based on mobile terminal assistance [J]. Journal on Communications, 2019, 40(2): 174-187.
[6]	Shengli ZHOU,Canghong JIN,Lifa WU,Zheng HONG. Research on cloud computing users’ public safety trust model based on scorecard-random forest [J]. Journal on Communications, 2018, 39(5): 143-152.
[7]	Yashu LIU,Zhihai WANG,Hanbing YAN,Yueran HOU,Yukun LAI. Method of anti-confusion texture feature descriptor for malware images [J]. Journal on Communications, 2018, 39(11): 44-53.
[8]	Bo CHEN,Yong-tao PAN,Tie-ming CHEN. Android malware detection method based on SimHash [J]. Journal on Communications, 2017, 38(Z2): 30-36.
[9]	Bing-lin ZHAO,Xi MENG,Jin HAN,Jing WANG,Fu-dong LIU. Homology analysis of malware based on graph [J]. Journal on Communications, 2017, 38(Z2): 86-93.
[10]	Hai-rong MU,Li-ping DING,Yu-ning SONG,Guo-qing LU. DiffPRFs:random forest under differential privacy [J]. Journal on Communications, 2016, 37(9): 175-182.
[11]	Yan-chen QIAO,Xiao-chun YUN,Yu-peng TUO,Yong-zheng ZHANG. Fast reused code tracing method based on simhash and inverted index [J]. Journal on Communications, 2016, 37(11): 104-113.
[12]	Yi ZHAO,Jian GONG,Wang YANG. Study on modern malware analysis system [J]. Journal on Communications, 2014, 35(Z1): 52-57.
[13]	. Study on modern malware analysis system [J]. Journal on Communications, 2014, 35(Z1): 11-57.
[14]	Xiao-guang HAN,UWu Q,AOXuan-xia Y,UOChang-you G,Fang ZHOU. Research on malicious code variants detection based on texture fingerprint [J]. Journal on Communications, 2014, 35(8): 125-136.
[15]	. Research on malicious code variants detection based on texture fingerprint [J]. Journal on Communications, 2014, 35(8): 16-136.