
Research And Design Of Android Massive Data Analysis Of Malicious Application Detection And Result Evaluation Method

Posted on: 2017-09-15
Degree: Master
Type: Thesis
Country: China
Candidate: Y Zhang
GTID: 2348330518994041
Subject: Information security
Abstract/Summary:
As Android smartphones become more popular in daily life, the number of applications keeps growing. Attackers seeking large economic gains regard the Android platform as a new target and infect it by developing and releasing malicious applications. Domestic application markets in particular generally lack strong supervision and have become one of the areas hardest hit by malicious software, so regular spot checks of the applications in Android markets are becoming necessary. Many Android antivirus engines are now available for detecting malicious applications. However, each engine expresses the detection result for the same application in a different form and with a different meaning, so users cannot tell whether the differently formatted results are related or whether the application is actually malicious. Professional analysis can clarify the specific meaning of each engine's results and yield a more accurate comprehensive evaluation, but analyzing and evaluating a massive number of applications purely by hand is unrealistic. To solve these problems, this thesis develops an analysis and evaluation method based on detection results and designs a comprehensive evaluation system around it. The system analyzes and evaluates the results of multi-engine detection and static detection and presents a detailed, readable evaluation report for each application. The main contents are as follows.

First, the definition, categories, detection, naming rules and families of Android malicious applications are introduced. This part focuses on summarizing the malicious application naming rules defined by detection products and research institutions, and formulates a set of standard naming rules for malicious applications.

Second, analysis and evaluation methods for multi-engine detection results, static detection results and comprehensive assessment are studied. For multi-engine detection results, lexical analysis, syntax analysis and sample matching are each used to standardize the detection results according to the standard naming rules, and all the results are then compared to determine whether the application is a threat and which family it belongs to. For static detection results, the extracted API and digital string information is compared with specific API-API and API-digital string combinations to determine whether the application poses a potential threat. In the comprehensive evaluation, the static features of known malicious families are extracted with the Apriori algorithm and compared with the features of the application to obtain a Jaccard similarity. If the similarity is greater than the specified threshold, the application is judged malicious; otherwise, it is marked as a suspected application.

Third, an automated system based on the above methods is designed to carry out the analysis and evaluation of application detection results. The system is divided into several parts, including a multi-engine module, a static module, a result integration module and the related databases. The multi-engine module and the static module each analyze and evaluate an application's detection results by a single method. The integration module correlates the results of the two to produce a detailed analysis report. The workflow of each module and the vast majority of the creation process of the related databases can be completed automatically by programs.

Fourth, suitable samples are chosen and the system's rule base is created as the basis for experiments. Example applications are analyzed with the methods of this thesis, and the evaluated results are compared with those of the security manager, indicating that the judgments made by the method of this thesis are better.

Fifth, the research results are summarized. The thesis notes that the work needs improvement because the judgment rules are not perfect; follow-up work needs to collect more samples and continue to explore new rules.
Keywords/Search Tags:malicious application naming, multi engine detection, static detection, detection result analysis, detection result evaluation
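
The comprehensive evaluation step described in the abstract (Apriori over a known family's static features, then a Jaccard comparison against a threshold) can be sketched as follows. This is an added example, not code from the thesis. The sample feature sets, the support and threshold values, and the choice of the largest frequent itemset as the family's feature set are all assumptions made for illustration.

```python
from itertools import combinations

# Constructed sample data: static features (API names) extracted from four
# known samples of one hypothetical malicious family. Not from the thesis.
FAMILY_SAMPLES = [
    {"sendTextMessage", "getDeviceId", "abortBroadcast", "getLine1Number"},
    {"sendTextMessage", "getDeviceId", "abortBroadcast", "openConnection"},
    {"sendTextMessage", "getDeviceId", "abortBroadcast"},
    {"sendTextMessage", "getDeviceId", "getInstalledPackages"},
]

def apriori(transactions, min_support):
    """Return {itemset: support} for every itemset with support >= min_support."""
    n = len(transactions)
    def support(itemset):
        return sum(itemset <= t for t in transactions) / n
    level = {frozenset([item]) for t in transactions for item in t}
    frequent, k = {}, 1
    while level:
        kept = {s: support(s) for s in level}
        kept = {s: v for s, v in kept.items() if v >= min_support}
        frequent.update(kept)
        k += 1
        # Join: merge frequent (k-1)-itemsets into candidate k-itemsets.
        level = {a | b for a, b in combinations(kept, 2) if len(a | b) == k}
        # Prune: every (k-1)-subset of a candidate must itself be frequent.
        level = {c for c in level
                 if all(frozenset(s) in kept for s in combinations(c, k - 1))}
    return frequent

def family_signature(samples, min_support=0.75):
    """Assumption: the largest frequent itemset is the family's feature set."""
    frequent = apriori(samples, min_support)
    return max(frequent, key=lambda s: (len(s), frequent[s], sorted(s)))

def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def evaluate(app_features, signature, threshold=0.5):
    """Similarity above the threshold -> malicious, otherwise suspected."""
    sim = jaccard(set(app_features), set(signature))
    return ("malicious" if sim > threshold else "suspected"), sim
```

With these constructed inputs the family feature set is the three APIs shared by at least 75% of the samples; an application carrying all three plus two unrelated APIs scores 0.6 and is judged malicious at the assumed threshold of 0.5.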