基于权限频繁模式挖掘算法的Android恶意应用检测方法

doi:10.3969/j.issn.1000-436x.2013.z1.014

Abstract

Abstract:

The permissions requested by Android applications reflect the behavior sequence of the application. While a generation of malicious behavior usually requires the cooperation of multiple permissions, so mining the association be-tween permissions can effectively detect unknown malicious applications. Most researchers concerned the statistical properties of a single permission, and there was little researchers studying the statistical properties of the association be-tween permissions. In order to detect unknown Android malwares, an Android malware detection method based on per-mission sequential pattern mining algorithm was proposed. The proposed method design a permission sequential pattern mining algorithm PApriori to dig out permissions association. PApriori algorithm could discover permission sequential pattern from 49 malware families and build the permissions association dataset to detect malware. The experiment results prove that it performs better than other related work in efficiency and accuracy.

Key words: sequential pattern mining, data mining, malware detection, permission feature, Android OS

Huan YANG,Yu-qing ZHANG,Yu-pu HU,Qi-xu LIU. Android malware detection method based on permission sequential pattern mining algorithm[J]. Journal on Communications, 2013, 34(Z1): 106-115.

Figures/Tables 7

References 22

[1]	Gartner says worldwide sales of mobile phones declined 3 percent in third quarter of 2012; smartphone sales increased 47 percent[EB/OL]. , 2013.
[2]	中国互联网络信息中心[EB/OL]. , 2013.China internet network information center[EB/OL]. , 2013.
[3]	下载APP安装信息被盗主因：盲目授权致信息泄露[EB/OL]. , 2013.Information stolen during download and installation APP, main reason:information disclosure due to blind authorization[EB/OL]. , 2013.
[4]	WITTEN I H . Data Mining: Practical Machine Learning Tools and Techniques[M]. Beijing: China Machine Press, 2012.
[5]	李海峰，章宁，朱建明等．时间敏感数据流上的频繁项集挖掘算法[J]．计算机学报， 2012,35(11):2283-2293. LI H F , ZHANG N , ZHU J M , et al. Frequent itemset mining over time-sensitive streams[J]. Chinese Journal of Computers, 2012,35(11):2283-2293.
[6]	Androguard[EB/OL]. , 2013.
[7]	JIANG X X . An evaluation of the application (″app″) verification service in Android 4.2[EB/OL]. , 2013.
[8]	ZHOU Y J , WANG Z , ZHOU W , et al. 2012 Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets[A]. Proceedings of the 19th Annual Network ＆ Distributed System Security Symposium[C]. 2012.1-13.
[9]	ENCK W , ONGTANG M , MCDANIEL P . On lightweight mobile phone application certification[A]. Proceedings of the 16th ACM Con-ference on Computer and Communications Security CCS '09[C]. Chi-cago, IL, USA, 2009.235-245.
[10]	BARRER D , KAYACIK H G , VAN OORSCHOT P C , et al. A meth-odology for empirical analysis of permission-based security models and its application to Android[A]. Proceedings of the 17th ACM Con-ference on Computer and Communications Security CCS '10[C]. Chi-cago, IL, USA, 2010.73-84.
[11]	FELT A P , CHIN E , HANNA S , et al. Android permissions demysti-fied[A]. Proceedings of the 18th ACM Conference on Computer and Communications Security CCS '11[C]. Chicago, IL, USA, 2011.627-638.
[12]	WEI X T , GOMEZ L , NEAMTIU I , et al. Permission evolution in the Android ecosystem[A]. Proceedings of the 28th Annual Computer Se-curity Applications Conference ACSAC '12[C]. Orlando, Florida, USA, 2012.31-40.
[13]	WU D J , MAO C H , WEI T E , et al. DroidMat: Android malware detection through manifest and API calls tracing[A]. Proceedings of the Seventh Asia Joint Conference on Information Security Asia JCIS 2012[C]. Tokyo, Japan, 2012.62-69.
[14]	SHABTAI A , KANONOY U , ELOVICI Y , et al. Andromaly: a behav-ioral malware detection framework for Android devices[J]. Journal of Intelligent Information Systems, 2012,38 (1):161-190.
[15]	IKER B , URKO Z , SIMIN N T . Crowdroid: behavior-based malware detection system for Android[A]. Proceedings of the ACM CCS workshop on Security and Privacy in Smartphones and Mobile De-vices SPSM'11[C]. Chicago, Illinois, USA, 2011.15-26.
[16]	AGRAWAL R , IMIELINSKI T , SWAMI A N . Ming association rules between sets of items in large databases[A]. Proceedings of the 1993 ACM SIGMOD the International Conference on Management of Data[C]. Washington DC, USA, 1993.207-216.
[17]	WANG L N , TAN X B , PAN J F , et al. Application of prefixspan*algorithm in malware detection expert system[A]. Proceedings of the First International Workshop on Education Technology and Computer Science[C]. 2009.448-452.
[18]	HAN J W , KAMBER M . Data Mining Concepts and Techniques[M]. Elsevier Inc San Francisco, 2007.
[19]	KANTARDZIC M . Data mining: concepts, models, methods, and algorithms[A]. IEEE Computer Society, A John Wiley ＆ Sons[C]. Hoboken, NJ, 2003.143-151.
[20]	ZHOU Y J , JIANG X X . Dissecting Android malware: characteriza-tion and evolution[A]. Proceedings of the 33rd IEEE Symposium on Security and Privacy[C]. Oakland, USA, 2012.95-109.
[21]	Google-play-crawler[EB/OL]. , 2012.
[22]	The Android manifest.xml file[EB/OL]. , 2013.

Metrics

Recommended 0

No Suggested Reading articles found!

TID	权限项集
1.apk	ACCESS_NETWORK_STATE, READ_PHONE_STATE, AC-CESS_FINE_LOCATION
2.apk	INTERNET, READ_PHONE_STATE, SEND_SMS
3.apk	ACCESS_NETWORK_STATE,INTERNET,READ_PHONE_STATE, SEND_SMS
4.apk	INTERNET, SEND_SMS

迭代次数	侯选权限项集	计数	S/%	选择
	{ ACCESS_NETWORK_STATE }	2	50	取
	{ READ_PHONE_STATE }	3	75	取
第一次	{ ACCESS_FINE_LOCATION }	1	25	舍
	{ INTERNET }	3	75	取
	{ SEND_SMS }	3	75	取
	{ ACCESS_NETWORK_STATE,INTERNET }	1	25	舍
	{ ACCESS_NETWORK_STATE，READ_PHONE_STATE }	2	50	取
第二次	{ ACCESS_NETWORK_STATE,SEND_SMS }	1	25	舍

	{ INTERNET，READ_PHONE_STATE }	2	50	取

	{ INTERNET，SEND_SMS }	3	75	取
	{ READ_PHONE_STATE,SEND_SMS }	2	50	取
第三次	{ INTERNET,READ_PHONE_STATE,SEND_SMS }	2	50	取

序号	权限规则
1	SET_DEBUG_APP
2	READ_PHONE_STATE, RECORD_AUDIO, INTERNET
3	PROCESS_OUTGOING_CALL, RECORD_AUDIO, INTER-NET
4	ACCESS_FINE_LOCATION, INTERNET, RECEIVE_BOOT_COMPLETE
5	ACCESS_COARSE_LOCATION, INTERNET, RECEIVE_BOOT_COMPLETE
6	RECEIVE_SMS, WRITE_SMS
7	SEND_SMS, WRITE_SMS
8	INSTALL_SHORTCUT, UNINSTALL_SHORTCUT
9	SET_PREFERRED_APPLICATION

恶意代码族	DroidRanger得出的敏感权限	本文方法得出的极大频繁权限项集
ADRD	INTERNET, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED	INTERNET, ACCESS_NETWORK_STATE, MODIFY_PHONE_STATE, READ_PHONE_STATE, RECEIVE_BOOT_COMPLETED, WRITE_APN_SETTINGS, WRITE_EXTERNAL_STORAGE
Bgserv	INTERNET, RECEIVE_SMS, SEND_SMS	INTERNET, RECEIVE_SMS, ACCESS_WIFI_STATE, WAKE_LOCK, ACCESS_NETWORK_STATE, SEND_SMS, RECEIVE_BOOT_COMPLETED, READ_ PHONE_STATE, BROADCAST_SMS, CHANGE_NETWORK_STATE, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, WRITE_EXTERNAL_STORAGE,
DroidDream	CHANGE_WIFI_STATE	INTERNET, CHANGE_WIFI_STATE, ACCESS_WIFI_STATE, READ_PHONE_STATE
DroidDreamLight	INTERNET, READ_PHONE_STATE	INTERNET, READ_CONTACTS, ACCESS_NETWORK_STATE, RECEIVE_BOOT_COMPLETED, READ_PHONE_STATE , GET_ACCOUNTS, READ_SMS
Geinimi	INTERNET, SEND_SMS	INTERNET, ACCESS_FINE_LOCATION, CALL_PHONE, MOUNT_UNMOUNT_FILESYSTEMS, READ_CONTACTS, READ_PHONE_STATE, SEND_SMS, SET_WALLPAPER, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE
jSMSHider	INSTALL_PACKAGES	INTERNET, ACCESS_NETWORK_STATE, DELETE_PACKAGES, READ_PHONE_STATE , ACCESS_COARSE_LOCATION, INSTALL_PACKAGES,
Pjapps	INTERNET, RECEIVE_SMS	INTERNET, RECEIVE_SMS, SEND_SMS, READ_PHONE_STATE, WRITE_ EX-TERNAL_ STORAGE
Zsone	RECEIVE_SMS, SEND_SMS	INTERNET, RECEIVE_SMS, SEND_SMS, RESTART_PACKAGES, ACCESS_COARSE_LOCATION
zHash	CHANGE_WIFI_STATE	INTERNET, READ_CONTACTS, ADD_SYSTEM_SERVICE, CHANGE_WIFI_STATE, RECEIVE_SMS, MODIFY_PHONE_STATE, ACCESS_WIFI_STATE, ACCESS_NETWORK_STATE, MODIFY_AUDIO_SETTINGS, PROCESS_ OUTGOING_CALLS, SEND_SMS, WRITE_SMS, CALL_PHONE, READ_PHONE_STATE, CHANGE_NETWORK_STATE, READ_SMS

恶意代码族	样本个数	Androguard	Google	Kirin	本文方法	恶意代码族	样本个数	Androguard	Google	Kirin	本文方法
ADRD	22	19	8	1	19	AnserverBot	187	0	2	2	187
Asroot*	8	0	5	0	0	BaseBridge	122	100	7	3	82
BeanBot	8	0	0	0	7	Bgserv	9	0	0	0	8
CoinPirate	1	0	0	0	1	CruseWin	2	0	0	0	2
DogWars	1	0	1	0	1	DroidCoupon*	1	0	0	0	0
DroidDeluxe*	1	1	0	0	0	DroidDream*	16	16	6	0	0
DroidDreamLight	46	0	18	0	31	DroidKungFu1	34	33	8	1	22
DroidKungFu2	30	30	9	0	13	DroidKungFu3	309	285	21	14	228
DroidKungFu4	96	96	18	0	89	DroidKungFuSapp	3	0	0	3	3
DroidKungFuUpdate*	1	0	0	0	0	Endofday	1	0	0	0	1
FakeNetflix	1	0	0	0	1	FakePlayer*	6	0	5	0	0
GamblerSMS	1	0	0	1	1	Geinimi	69	67	11	3	53
GGTracker	1	0	1	0	1	GingerMaster	4	4	2	0	4
GoldDream	47	32	6	0	46	Gone60	9	0	0	0	9
GPSSMSSpy	6	0	1	0	6	HippoSMS	4	3	1	0	4
Jifake	1	0	0	0	1	jSMSHider	16	16	4	0	9
KMin	52	52	39	0	52	LoveTrap	1	1	0	0	1
NickyBot	1	0	0	1	1	NickySpy	2	2	0	2	2
Pjapps	58	40	8	3	55	Plankton*	11	11	2	1	0
RogueLemon	2	0	0	0	2	RogueSPPush	9	9	0	0	3
SMSReplicator	1	0	0	0	1	SndApps	10	10	0	0	10
Spitmo	1	0	0	0	1	Tapsnake*	2	1	1	0	0
Walkinwat	1	1	1	0	1	YZHC	22	22	3	1	22
zHash	11	0	1	0	11	Zitmo	1	0	0	0	1
Zsone	12	12	4	0	11
总共	1 260	863	193	36	1 003
注：标注*的是本文方法忽略的恶意应用家族，检测率为0。

Android malware detection method based on permission sequential pattern mining algorithm

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 7

References 22

Related Articles 15

Metrics

Recommended 0

[1]	Zhongping ZHANG, Sen LI, Weixiong LIU, Shuxia LIU. Outlier detection algorithm based on fast density peak clustering outlier factor [J]. Journal on Communications, 2022, 43(10): 186-195.
[2]	Zhongping ZHANG, Weixiong LIU, Yuting ZHANG, Yu DENG, Mianxin WEI. ERDOF: outlier detection algorithm based on entropy weight distance and relative density outlier factor [J]. Journal on Communications, 2021, 42(9): 133-143.
[3]	Sheng GAO, Kang XIANG, Youliang TIAN, Weijie TAN, Tao FENG, Xiaoxue WU. BCP-based joint delegation learning model and protocol [J]. Journal on Communications, 2021, 42(5): 137-148.
[4]	Fengli XU,Yong LI. Survey on user’s mobility behavior modelling in urban environment [J]. Journal on Communications, 2020, 41(7): 18-28.
[5]	Yingzhuo XIANG,Zhengguo XU,Ling YOU. Instruction flow mining algorithm based on the temporal sequence of node communication actions [J]. Journal on Communications, 2019, 40(9): 51-60.
[6]	Ying WANG,Zhuang SU. Survey of mobility prediction in wireless network [J]. Journal on Communications, 2019, 40(8): 157-168.
[7]	Zheng HU,Hao YUAN,Xinning ZHU,Wanli NI. Research on crowd flows prediction model for 5G demand [J]. Journal on Communications, 2019, 40(2): 1-10.
[8]	Jian PENG,Tuntun WANG,Yu CHEN,Tang LIU,Wenzheng XU. User recommendation based on cross-platform online social networks [J]. Journal on Communications, 2018, 39(3): 147-158.
[9]	Bo CHEN,Yong-tao PAN,Tie-ming CHEN. Android malware detection method based on SimHash [J]. Journal on Communications, 2017, 38(Z2): 30-36.
[10]	Zhi-qiang GAO,Yu-tao WANG. Survey on differential privacy and its progress [J]. Journal on Communications, 2017, 38(Z1): 151-155.
[11]	Ming HE,Wei-shi LIU,Jiang ZHANG. Association rules recommendation algorithm supporting recommendation nonempty [J]. Journal on Communications, 2017, 38(10): 18-25.
[12]	Hai-rong MU,Li-ping DING,Yu-ning SONG,Guo-qing LU. DiffPRFs:random forest under differential privacy [J]. Journal on Communications, 2016, 37(9): 175-182.
[13]	Hong-cheng LI,Xiao-ping WU,Yan CHEN. k-means clustering method preserving differential privacy in MapReduce framework [J]. Journal on Communications, 2016, 37(2): 125-131.
[14]	. Survey of differential privacy in frequent pattern mining [J]. Journal on Communications, 2014, 35(10): 23-209.
[15]	Li-ping DING,Guo-qing LU. Survey of differential privacy in frequent pattern mining [J]. Journal on Communications, 2014, 35(10): 200-209.