Research On Technology Of Intelligent Terminal Malware Detection Based On Anomaly Network Behaviors

Posted on: 2016-10-18
Degree: Master
Type: Thesis
Country: China
Candidate: M J Cao
GTID: 2308330470475805
Subject: Signal and Information Processing
Abstract/Summary:
In recent years, the use of intelligent mobile terminals has grown rapidly, especially Android mobile phones, which account for almost half of the mobile phone market. However, because of Android's open nature and the convenience of the Internet environment, many attackers take intelligent terminals as targets. They can easily collect users' private information and use it to threaten them. In this paper, we study the characteristics of malware on Android and the existing detection schemes, then propose a malware detection scheme based on network behaviors that detects Android malware effectively.

After analyzing the network characteristics (such as traffic, port and IP address) of running software, we find that during normal operation the software's network information is relatively stable and controllable. Once the terminal is infected by an information-stealing Trojan or a botnet, however, there is a traffic surge, links to illegal websites, or similar behavior controlled by the zombie. A variety of malware operations are therefore related to network information, so a detection method based on network behaviors is effective. The main research is as follows:

First, obtain the network behavior information. To improve the authenticity of the network behavior data, we mount a hook function on the Netfilter framework of the Linux kernel and extract the needed information from network packets inside the kernel. Because this information comes from the Linux kernel of Android, the authenticity of the data can be guaranteed.

Second, process the data and detect anomalies. To improve detection efficiency, we preprocess the captured raw network data into simplified characteristic data, which improves the applicability of the Naive Bayes algorithm to network behavior processing. In the preprocessing, we clean the network data to remove garbage, divide the data using methods such as establishing a static address pool or field inquiry, and normalize the heterogeneous data to construct feature vectors. In this paper, the abnormal recognition module consists mainly of a Naive Bayes classifier: the preprocessed data is input to the classifier as feature vectors and divided into two categories, normal and abnormal.

Third, introduce privacy data monitoring technology. The threat level is related to the types and sources of the stolen information. To make the privacy-stealing threat posed by malware knowable, we introduce privacy data monitoring technology, trace the data flows of the malware identified by the abnormal recognition module, and determine the leak paths of privacy data in order to assess the harmfulness of the malware.

Finally, we test the function of the system, and the test results demonstrate the efficiency of the proposed system.
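The second step (preprocessing into feature vectors, then a two-class Naive Bayes decision) can be sketched as follows. This is an added example, not code from the thesis. The three features, the 100,000-byte threshold, the address pool, the port list and the training flows are all assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Assumed static address pool and common-port list (constructed values).
KNOWN_POOL = {"203.0.113.10", "203.0.113.11"}
COMMON_PORTS = {53, 80, 443}

def to_features(rec):
    # Preprocessing: reduce a raw flow record to three categorical features.
    bytes_out, dst_ip, dst_port = rec
    return ("high" if bytes_out > 100_000 else "low",
            "known" if dst_ip in KNOWN_POOL else "unknown",
            "common" if dst_port in COMMON_PORTS else "rare")

class NaiveBayes:
    def fit(self, rows, labels):
        self.classes = Counter(labels)
        self.counts = defaultdict(Counter)  # (class, feature index) -> value counts
        self.values = defaultdict(set)      # feature index -> values seen in training
        for row, y in zip(rows, labels):
            for i, v in enumerate(row):
                self.counts[(y, i)][v] += 1
                self.values[i].add(v)
        return self

    def log_scores(self, row):
        total = sum(self.classes.values())
        scores = {}
        for y, n in self.classes.items():
            s = math.log(n / total)  # class prior
            for i, v in enumerate(row):
                k = len(self.values[i] | {v})
                # Laplace smoothing: an unseen value must not zero the product
                s += math.log((self.counts[(y, i)][v] + 1) / (n + k))
            scores[y] = s
        return scores

# Constructed training flows: (bytes sent, destination IP, destination port)
NORMAL = [(4_000, "203.0.113.10", 443), (12_000, "203.0.113.11", 443),
          (800, "203.0.113.10", 53), (30_000, "203.0.113.11", 80)]
ABNORMAL = [(900_000, "198.51.100.7", 6667), (450_000, "198.51.100.9", 8081),
            (250_000, "198.51.100.7", 443)]
MODEL = NaiveBayes().fit([to_features(r) for r in NORMAL + ABNORMAL],
                         ["normal"] * len(NORMAL) + ["abnormal"] * len(ABNORMAL))

def classify(rec):
    scores = MODEL.log_scores(to_features(rec))
    return max(scores, key=scores.get)
```

With this training set, a single off-pool destination on a common port with low volume still scores as normal; the abnormal class wins only when several features agree.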
Keywords/Search Tags:Android, Malware, Network Behavior, Bayes, Privacy Data