
Key Methods And Technologies Of Android Application Behavior Characterization

Posted on: 2022-01-22
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D Su
GTID: 1488306560993319
Subject: Information security

Abstract/Summary:
The rapid development of the mobile Internet has changed people's lives in all aspects. The Android platform has dominated the mobile phone market due to its openness. Millions of Android applications (apps) are developed to meet the different needs of users. However, they also bring new security issues and privacy threats. On the one hand, malicious apps (malapps) have caused significant data and property losses to users. On the other hand, since a large number of low-quality apps are mixed into the app market, it is difficult for users to quickly select high-quality apps from thousands of apps. How to characterize apps' behaviors, effectively detect malapps, filter out high-quality apps and protect users' information and property has become an urgent and critical issue.

This dissertation takes Android apps as the main research object, focusing on three key issues derived from the development of the Android system: malapp family classification, locker-ransomware detection, and app quality evaluation. We are motivated to address practical problems and provide solutions. We aim to explore the behavior mechanisms of Android apps in different scenarios, discover their behavioral rules and then extract fine-grained behavior features to precisely characterize the behaviors. According to different requirements, we also propose corresponding feature merging methods and classification models, in order to efficiently distinguish malapps from benign apps, and high-quality apps from low-quality apps. The main contributions are as follows:

(1) We propose a malapp family classification method based on community discovery in apps' relationship graphs. Firstly, facing the problem of vague boundaries between malapp families, we extract 11 types of multi-source fine-grained features to describe the behaviors of malapp families. Secondly, to overcome the coarse granularity of traditional clustering algorithms in evaluating the similarity between apps, we construct a weighted relationship graph for malapps. To calculate the similarity weights between apps, we propose a method based on term frequency-inverse document frequency. In the process of constructing the relationship graph, we propose the E-N method to overcome the isolated point problem of the ε graph and the over-equilibrium problem of the k-NN graph. Finally, we treat malapps from a correlation perspective and propose a family classification method based on community detection in the relationship graph. We compare the differences between the detected communities and the original families, and provide an intuitive display of the similarity between families. The effectiveness of the family feature sets and family classification methods is verified on 3996 malapp samples from 13 families, reaching a Rand index of 94.93% and an accuracy rate of 79.53%.

(2) We propose an Android locker-ransomware detection method based on typical static features. Firstly, we conduct a comprehensive investigation of locker-ransomware transactions on Chinese social networks, systematically analyze locker-ransomware's behaviors and technical means, and expose the transaction chain, development model, profit model and encryption methods in detail. Secondly, facing the problem that the unique behaviors of locker-ransomware cannot be precisely described with commonly used static features, we propose a locker-ransomware behavior feature set which consists of 6 types of features extracted from "words" and "actions". This feature set can overcome the invalidation of methods based on API names when detecting malapps with obfuscation. Finally, we employ an ensemble approach of machine learning algorithms to give the final decision. We collect 301 samples of locker-ransomware that are actually spreading on social networks and 15,751 benign samples as the data set. The experimental results show that the proposed features and methods achieve an average accuracy of 99.98%.

(3) We propose an app quality assessment method based on the view graph. We leverage apps' inborn features extracted from source code to grade apps, rather than using extrinsic features like user-generated information, with the aim of warm-starting app recommendation. Firstly, according to the survey, the view is an important factor that affects the user experience. Therefore, we employ both static analysis and dynamic analysis to extract views and other factors that users care about. We propose a two-layer feature set which consists of app-level features and view-level features. In the process of dynamic analysis, we propose a dynamic trigger mechanism based on the priority of widgets to improve efficiency. Secondly, we propose a graph standardization model to merge the heterogeneous features. We construct a view graph based on the switching between views. We encode the graph as a sequence of key vertices and their neighbors to highlight the importance of the main views within an app. The graph that represents an app is further converted into a feature vector. Finally, we employ an ensemble approach on the feature vectors to classify apps into three quality categories. Evaluated on a data set of 3050 apps in 16 categories from Google Play, our method achieves the best performance, with an accuracy of 85.0%.
Keywords/Search Tags:Android Security, Behavior Characterization, Malapp Detection, Family Classification, Quality Evaluation