With the rapid development of the mobile internet industry, the number of Android smart terminal users has grown explosively. To provide better service for end users, a massive number of Android applications have emerged. Malicious applications, phishing networks, nuisance calls, spam messages, mobile fraud, security vulnerabilities of the operating system and other security issues continue to endanger the property and personal safety of users. Automatic detection of malicious applications on the Android platform is therefore an urgent need.

Because the openness and product design of the Android system are not complete, the current Android platform still has difficulties with fragmentation, compatibility, updates, security and other issues. Moreover, the explosive growth of Android applications, the frequent updating of Android terminal devices, operating system versions and applications, the enhancement of the countermeasure technology of Android malicious applications, and the time-consuming and error-prone nature of manual handling bring unprecedented opportunities and challenges for the definition, classification, feature extraction, automated analysis and detection of Android malicious applications. Based on this research background and the resulting research emphases and difficulties, the main work of this paper is as follows.

Firstly, modeling of malicious applications. Based on research into the definition of malicious behavior at home and abroad, this paper combines the definitions and judgment criteria of multiple organizations for malicious behavior, summarizes the definitions and corresponding classification criteria of malicious applications (14 categories of 48 varieties), and completes the modeling of the attack process of malicious applications.

Secondly, Android malicious application detection based on similarity. This paper proposes an obfuscation-resistant similarity detection method for application software, which can effectively overcome the technical problems of code obfuscation to detect Android malicious applications. The method selects resource-file and code features that resist obfuscation. By calculating distances in a high-dimensional space, the family of an application can be determined, and a prototype system is built on this basis. Experiments suggest that the method has high detection efficiency, can be applied to large-scale deployment, effectively resists code obfuscation technology, and implements automatic detection and similarity analysis of Android applications.

Thirdly, Android malicious application detection based on behavior. This paper proposes a detection method for malicious applications based on behavior chains. The method transforms the call relationships into a directed adjacency matrix and calculates the reachability of the matrix to locate the paths of sensitive behavior, and hence to detect whether malicious behavior exists. The advantages of this method are: a) it quickly and automatically checks the paths of all sensitive malicious behavior in an Android application; b) a Wx Shall algorithm for computing the reachability matrix is proposed. Compared with the classical Warshall algorithm, it reduces the number of calculations by more than 50% and significantly improves detection efficiency.

Fourthly, Android malicious application detection based on machine learning. In this paper, 5 shallow machine learning methods (SVM, Bayesian, logistic regression, decision tree and random forest) and deep machine learning methods are used to build models for the detection of Android malicious applications. Features in 8 categories (545000 dimensional features in total) are extracted from 123453 normal applications and 5560 malicious applications for training and testing, and the above machine learning models are evaluated. Experiments show that the random forest method of shallow learning works best, with 96.4% accuracy and 92.56% recall rate; the DBN of deep learning works better, with up to 99.63% accuracy and 95.04% recall rate. Compared with traditional machine learning methods, the methods described in this paper achieve finer-grained detection: they can not only detect whether the target application is malicious, but also determine the family of the malicious application, and they have high accuracy and recall rate as well.

Fifthly, an automatic Android malicious application detection system. Based on the above four research results, this paper designs and implements an evaluation system for Android malicious applications (DroidWX). It elaborates the architecture and processing flow of the DroidWX system and introduces the DroidWX core modules, which include static feature extraction of applications, automatic analysis, visual display and a dozen or so other modules. In addition, functional and performance tests of DroidWX show that it can effectively detect and identify Android malicious applications.

To sum up, based on the modeling analysis of malicious applications and the innovation of detection methods at multiple levels, this paper has reference value for security at the source, dissemination and terminal application stages of malicious applications.
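The behavior-chain idea from the third contribution (call relationships as a directed adjacency matrix, reachability used to locate paths to sensitive behavior), as an added example that is not the paper's code. It uses the classical Warshall closure, not the paper's Wx Shall variant, and every method name, entry point and sensitive API in it is constructed for illustration.

```python
def reachability(nodes, edges):
    """Classical Warshall closure; nxt[i][j] is the first hop on a path i -> j."""
    idx = {name: i for i, name in enumerate(nodes)}
    n = len(nodes)
    reach = [[False] * n for _ in range(n)]
    nxt = [[None] * n for _ in range(n)]
    for caller, callee in edges:
        i, j = idx[caller], idx[callee]
        reach[i][j], nxt[i][j] = True, j
    for k in range(n):                      # allow node k as an intermediate
        for i in range(n):
            if not reach[i][k]:
                continue                    # row i cannot use k, skip it
            for j in range(n):
                if reach[k][j] and not reach[i][j]:
                    reach[i][j], nxt[i][j] = True, nxt[i][k]
    return idx, reach, nxt


def behavior_chains(edges, entry_points, sensitive_apis):
    """Return one call path per (entry point, sensitive API) pair that is reachable."""
    nodes = sorted({m for e in edges for m in e} | set(entry_points) | set(sensitive_apis))
    idx, reach, nxt = reachability(nodes, edges)
    chains = []
    for src in entry_points:
        for dst in sensitive_apis:
            i, j = idx[src], idx[dst]
            if not reach[i][j]:
                continue
            path = [src]
            while i != j:                   # follow first hops until the sink
                i = nxt[i][j]
                path.append(nodes[i])
            chains.append(path)
    return chains


# Constructed call graph of a hypothetical app: (caller, callee) pairs.
EDGES = [
    ("MainActivity.onCreate", "UI.render"),
    ("MainActivity.onCreate", "Util.loadConfig"),
    ("BootReceiver.onReceive", "Collector.readContacts"),
    ("Collector.readContacts", "ContentResolver.query"),
    ("Collector.readContacts", "Net.upload"),
    ("Net.upload", "HttpURLConnection.connect"),
]
ENTRY_POINTS = ["MainActivity.onCreate", "BootReceiver.onReceive"]
SENSITIVE = ["ContentResolver.query", "HttpURLConnection.connect",
             "SmsManager.sendTextMessage"]

if __name__ == "__main__":
    for chain in behavior_chains(EDGES, ENTRY_POINTS, SENSITIVE):
        print(" -> ".join(chain))
```

In this constructed graph only the boot receiver reaches a sensitive API: it reads contacts and then opens a network connection, which is the kind of chain an analyst would triage first.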