
Malicious Detection And Suspicious Code Location For Android Applications

Posted on: 2023-02-06
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P F Liu
GTID: 1528307310962789
Subject: Information security
Abstract/Summary:
The explosive growth in the number of malicious Android applications has posed serious security threats to mobile phone users in recent years. Static analysis is the main approach to Android malware detection, and a large body of existing work applies feature engineering, machine learning and deep learning to it. Existing Android security analysis approaches nevertheless face four main challenges: feature selection depends excessively on expert prior knowledge; malware family classification with graph-structured features is inefficient; malicious code is detected without being explained; and obfuscation and encryption interfere with static detection. The main work and contributions of this thesis are as follows:

(1) To reduce the dependence of feature selection on expert prior knowledge, two feature selection methods are proposed. Most known malicious behaviour is related to sensitive APIs. First, this thesis proposes Hashdroid, an Android malware detection method based on the SimHash values of sensitive-API function call subgraphs. The method characterizes each sensitive-API call subgraph by its SimHash value and selects SimHash features by Gini importance and permutation importance. Tests on public datasets show that the method effectively extracts features of malicious applications and detects them better than existing work. Second, exploiting the self-learning property of deep learning models, the thesis builds a convolutional neural network model that automatically acquires malicious features of Android applications; the model is realized through a local key activation mechanism (LKAP) designed in this thesis. Tests show that using the API combinations it extracts as features for maliciousness detection gives very good results. Analysis of the extracted features also shows that the extracted APIs not only cover all currently recognized types of sensitive API but include seven new types, and these seven newly discovered categories are likewise closely linked to malicious behaviour.

(2) To address the inefficiency caused by subgraph matching in existing Android malware classification algorithms, the thesis proposes a method based on neighbor signatures that computes the similarity of the function call graphs of different Android applications and uses the neighbor signatures as features for multi-family classification of Android malware. The method characterizes each node of the function call graph with a fixed-length neighbor signature that captures the node's calling and called relationships. The neighbor signatures of all nodes are then combined into one vector representing the calling relationships of the application's entire function call graph, and a classifier performs multi-family classification on that vector. Experiments show that the method improves average detection efficiency 20-fold and also improves recall and several other evaluation metrics.

(3) To address the fact that existing detection methods stop at a maliciousness verdict and cannot analyse the behaviour of the malicious code any further, the thesis observes the distribution of key API combinations (KApiG) over the function call graphs of Android applications and finds that KApiG exhibits clear aggregation in malicious application code. On this basis, a method for locating suspicious code in Android applications based on KApiG aggregation is proposed; it localizes suspicious code by extracting consecutive KApiG sequences from function calls. Localization tests on malicious and benign application datasets show that the method successfully locates the malicious behaviour code marked by malware families, and also show that the suspicious code found in benign applications is mostly related to the functions those applications perform.

(4) To counter the interference of obfuscation and encryption with static analysis, the thesis proposes a malware detection method based on a partial bytecode sequence of the Dex data section. Analysis of the Dex file format shows that the Dex data section contains both the structural information and the real semantic information of an Android application, and is also the part least affected by obfuscation and encryption. The method therefore extracts the byte sequence of the Dex data section, converts it into an image, and classifies it with the Inception-ResNet-v2 model. Test results show that using the Dex data section not only improves detection accuracy for Android applications but also works well on obfuscated ones.
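A worked illustration of contributions (2) and (3) above, added here as example code and not taken from the thesis: it builds a small function call graph, computes a fixed-length neighbor signature for every node (its in- and out-degree plus the key-API categories it and its callers reach), combines the signatures into one vector per application, compares applications by cosine similarity, and then extracts maximal call chains in which every method calls a key API as KApiG-style suspicious regions. The key-API table, the category names, the three call graphs and the aggregation rule (node count plus element-wise sum and max of the signatures) are all assumptions made for the example; the abstract does not state how the thesis combines the per-node signatures.

```python
import math
from collections import defaultdict

# Key/sensitive API table: "class;->method" -> category. Constructed for this
# example; the thesis's own key-API list (KApiG) is not reproduced here.
KEY_APIS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId": "DEVICE_ID",
    "Landroid/telephony/SmsManager;->sendTextMessage": "SMS",
    "Ljava/net/HttpURLConnection;->connect": "NET",
    "Ldalvik/system/DexClassLoader;-><init>": "DYNLOAD",
}
CATEGORIES = sorted(set(KEY_APIS.values()))


def build_graph(edges):
    """edges: (caller, callee) pairs. Returns (callees, callers) adjacency maps."""
    callees, callers = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        callees[src].add(dst)
        callers[dst].add(src)
    return callees, callers


def node_signature(node, callees, callers):
    """Fixed-length neighbor signature of one call-graph node:
    (out-degree, in-degree, key-API categories it calls directly,
     key-API categories its callers call). It never looks at method names,
    so renaming classes or methods does not change it."""
    out_cats = [0] * len(CATEGORIES)
    in_cats = [0] * len(CATEGORIES)
    for dst in callees.get(node, ()):
        if dst in KEY_APIS:
            out_cats[CATEGORIES.index(KEY_APIS[dst])] += 1
    for src in callers.get(node, ()):
        for dst in callees.get(src, ()):
            if dst in KEY_APIS:
                in_cats[CATEGORIES.index(KEY_APIS[dst])] += 1
    return (len(callees.get(node, ())), len(callers.get(node, ())), *out_cats, *in_cats)


def app_vector(edges):
    """Combine all node signatures into one fixed-length vector per app:
    [node count] + element-wise sum + element-wise max (assumed aggregation)."""
    callees, callers = build_graph(edges)
    methods = sorted(callees)            # app methods are the nodes that call something
    sigs = [node_signature(m, callees, callers) for m in methods]
    total = [sum(col) for col in zip(*sigs)]
    peak = [max(col) for col in zip(*sigs)]
    return [len(methods)] + total + peak


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def key_hits(node, callees):
    """Sorted key-API categories a method calls directly."""
    return sorted({KEY_APIS[d] for d in callees.get(node, ()) if d in KEY_APIS})


def locate_suspicious(edges, min_run=2):
    """KApiG-style localization: maximal call chains m1 -> m2 -> ... in which
    every method calls at least one key API. Returns [[(method, categories), ...]]."""
    callees, callers = build_graph(edges)
    hot = {m for m in callees if key_hits(m, callees)}
    regions = []

    def walk(path):
        extended = False
        for nxt in sorted(callees.get(path[-1], ())):
            if nxt in hot and nxt not in path:       # 'not in path' breaks cycles
                extended = True
                walk(path + [nxt])
        if not extended and len(path) >= min_run:
            regions.append([(m, key_hits(m, callees)) for m in path])

    for start in sorted(hot):
        # a chain starts at a hot method none of whose callers is hot
        if not any(c in hot for c in callers.get(start, ())):
            walk([start])
    return regions


# Constructed call graphs (caller, callee); framework APIs are leaf nodes.
BENIGN = [
    ("Lcom/app/Main;->onCreate", "Lcom/app/Main;->loadUi"),
    ("Lcom/app/Main;->loadUi", "Ljava/net/HttpURLConnection;->connect"),
    ("Lcom/app/Main;->loadUi", "Lcom/app/Util;->log"),
    ("Lcom/app/Util;->log", "Landroid/util/Log;->d"),
]
MALWARE = [
    ("Lcom/mal/Svc;->onStart", "Lcom/mal/Svc;->collect"),
    ("Lcom/mal/Svc;->onStart", "Lcom/mal/Svc;->drop"),
    ("Lcom/mal/Svc;->collect", "Landroid/telephony/TelephonyManager;->getDeviceId"),
    ("Lcom/mal/Svc;->collect", "Lcom/mal/Svc;->upload"),
    ("Lcom/mal/Svc;->upload", "Ljava/net/HttpURLConnection;->connect"),
    ("Lcom/mal/Svc;->upload", "Landroid/telephony/SmsManager;->sendTextMessage"),
    ("Lcom/mal/Svc;->drop", "Ldalvik/system/DexClassLoader;-><init>"),
]
# The same malware after class renaming, as an identifier-renaming obfuscator would do.
VARIANT = [(a.replace("Lcom/mal/Svc;", "La/b/c;"), b.replace("Lcom/mal/Svc;", "La/b/c;"))
           for a, b in MALWARE]

if __name__ == "__main__":
    vb, vm, vv = app_vector(BENIGN), app_vector(MALWARE), app_vector(VARIANT)
    print("benign vs malware :", round(cosine(vb, vm), 3))
    print("malware vs variant:", round(cosine(vm, vv), 3))
    for region in locate_suspicious(MALWARE):
        print("suspicious chain:", " -> ".join(f"{m} {c}" for m, c in region))
    print("benign chains:", locate_suspicious(BENIGN))
```

Two properties are worth checking against the abstract's claims. The renamed variant gets exactly the same vector as the original because the signature is built from graph structure and framework-API categories only, which is what makes a signature approach cheaper than subgraph matching yet stable under identifier renaming. In the malware graph the two consecutive key-API-calling methods (collect, then upload) form one region while the benign app's single network call does not reach the run length, which is the aggregation effect the localization relies on; in this implementation a chain that has only hot callers inside a cycle is never chosen as a start, a limitation to keep in mind on real graphs.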
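A worked illustration of the first step of contribution (4), added here as example code and not taken from the thesis: parsing the Dex header to find the data section and turning its bytes into a grayscale pixel grid. The header field order and the 0x70-byte size follow the public dex format (version 035); everything else, in particular the constructed sample blob, the square-image width rule and the bounds checks, is this example's own choice. The sample blob is not a loadable dex, and resizing the grid to the CNN's input shape is left to the model pipeline.

```python
import math
import struct

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678          # endian_tag value of a little-endian dex
# Header layout of dex format 035, little-endian: magic[8], checksum u4,
# signature[20], then 20 u4 fields (file_size ... data_size, data_off).
HEADER_FMT = "<8sI20s20I"
FIELD_NAMES = [
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off",
]


def parse_dex_header(blob):
    """Parse the fixed 0x70-byte header; refuse anything that is not a plain
    little-endian dex so the offsets read from it are at least well-typed."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a dex header")
    magic, checksum, signature, *fields = struct.unpack_from(HEADER_FMT, blob, 0)
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        raise ValueError("bad dex magic %r" % magic)
    hdr = dict(zip(FIELD_NAMES, fields))
    hdr.update(magic=magic, checksum=checksum, signature=signature)
    if hdr["endian_tag"] != ENDIAN_CONSTANT:
        raise ValueError("reverse-endian dex not handled")
    if hdr["header_size"] != DEX_HEADER_SIZE:
        raise ValueError("unexpected header_size 0x%x" % hdr["header_size"])
    return hdr


def extract_data_section(blob):
    """Return the bytes of the data section. The header is attacker-controlled
    input, so data_off/data_size are bounds-checked before slicing."""
    hdr = parse_dex_header(blob)
    off, size = hdr["data_off"], hdr["data_size"]
    if size == 0 or off < DEX_HEADER_SIZE or off + size > len(blob):
        raise ValueError("data section out of bounds: off=%d size=%d len=%d"
                         % (off, size, len(blob)))
    return blob[off:off + size]


def bytes_to_image(data, width=None):
    """Map bytes to a grayscale image: a list of rows, one 0..255 value per
    pixel. Width defaults to floor(sqrt(n)) for a roughly square image and the
    last row is zero-padded."""
    if width is None:
        width = max(1, math.isqrt(len(data)))
    rows = []
    for i in range(0, len(data), width):
        row = list(data[i:i + width])
        rows.append(row + [0] * (width - len(row)))
    return rows


def build_sample_dex():
    """Constructed minimal blob with a real header layout and fake contents
    (checksum and signature zeroed): a header, a two-entry string_ids table,
    then a 16-byte data section. It is not a loadable dex."""
    data = bytes(range(0x41, 0x51))                  # 16 bytes, 'A'..'P'
    string_ids = struct.pack("<2I", 0x78, 0x80)      # two fake string_id entries
    data_off = DEX_HEADER_SIZE + len(string_ids)
    fields = [data_off + len(data), DEX_HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0,
              2, DEX_HEADER_SIZE, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, len(data), data_off]
    return struct.pack(HEADER_FMT, b"dex\n035\0", 0, b"\0" * 20, *fields) + string_ids + data


if __name__ == "__main__":
    blob = build_sample_dex()
    hdr = parse_dex_header(blob)
    print("data_off=0x%x data_size=%d" % (hdr["data_off"], hdr["data_size"]))
    for row in bytes_to_image(extract_data_section(blob)):
        print(row)
```

The bounds check matters more than it looks: a repackaged APK can carry a header whose data_off or data_size points past the end of the file or back into the header, and a feature extractor that slices blindly will either crash the pipeline or feed the model the wrong bytes. Rejecting such files (or routing them to a separate "malformed" bucket) is itself a useful signal.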
Keywords/Search Tags:Android applications, maliciousness detection, function call graphs, deep learning, multi-family classification, malicious code localization