
Anomaly Detection Of Malicious Android Applications Based On K-Nearest Neighbor

Posted on: 2017-01-06 | Degree: Master | Type: Thesis
Country: China | Candidate: X M Liu | Full Text: PDF
GTID: 2308330482479373 | Subject: Information security
Abstract/Summary:
With the rapid development of the Internet, the number of smartphones has grown explosively. The Android system, with its low cost, good user experience and strong openness, has taken the largest share of the operating system market. Because the Android system is open source, hackers have chosen it as a new attack target. Because third-party markets are open, anyone (including malicious software developers) can submit applications to them. Applications that users obtain through reliable channels are likely to be implanted with malicious code. Many kinds of viruses, such as those performing malicious deductions, privacy theft and system corruption, have brought serious security problems. Therefore, how to test and evaluate the security of Android applications has become very important to market regulators and users.

Based on an in-depth study of the Android system architecture, we propose an anomaly detection approach for malapps based on benign Android apps only. The main work is summarized as follows:

(1) This thesis conducts a survey of the Android system architecture and security mechanisms. In addition to the security mechanisms of the Linux kernel itself, the Android system has some specific security mechanisms, such as process sandbox isolation, authority control, and the signature mechanism.

(2) This thesis analyzes and summarizes the current mainstream types of malicious applications and detection methods. We characterize the malapps by a detailed breakdown of their behavior, including installation, activation and payloads. In response to the rapid dissemination of Android malware, two prevalent approaches for detecting such Android malware are signature-based detectors and taint analyzers.

(3) In this work, we propose an anomaly detection approach for malapps based on benign Android apps only. We normalize the features that profile benign Android behaviors with permissions, components, and code information provided by our research group. Finally, we employ the k-Nearest Neighbor (k-NN) algorithm to build the detection models. Extensive experimental results show that the model can detect unknown malapps effectively. It achieves a detection rate of 95% with a false positive rate of 10%.
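The benign-only k-NN approach summarized in item (3), sketched as an added example that is not code from the thesis. The three features, min-max normalization, Euclidean distance, k=3 and the leave-one-out threshold rule are all assumptions chosen for illustration, and the sample data is constructed.

```python
import math

# Constructed sample: one row per benign app, hypothetical features
# (permissions requested, components declared, sensitive API call sites).
BENIGN = [(4, 6, 2), (5, 8, 3), (3, 5, 1), (6, 9, 4), (4, 7, 2),
          (5, 6, 3), (7, 10, 5), (3, 4, 1), (6, 8, 3), (5, 7, 2)]

def fit_minmax(rows):
    """Per-feature (min, max), learned from benign training data only."""
    return [(min(col), max(col)) for col in zip(*rows)]

def normalize(row, bounds):
    """Scale to the benign range; values outside [0, 1] mark unseen extremes."""
    return tuple((v - lo) / (hi - lo) if hi > lo else 0.0
                 for v, (lo, hi) in zip(row, bounds))

def knn_score(x, train, k, skip=None):
    """Anomaly score: mean Euclidean distance to the k nearest benign apps."""
    dists = sorted(math.dist(x, t) for i, t in enumerate(train) if i != skip)
    return sum(dists[:k]) / k

def fit_detector(benign, k=3, fpr=0.10):
    """Build a benign-only model; fpr is the tolerated benign alert rate."""
    bounds = fit_minmax(benign)
    train = [normalize(r, bounds) for r in benign]
    # Leave-one-out scores show how far a normal app sits from its peers.
    loo = sorted(knn_score(x, train, k, skip=i) for i, x in enumerate(train))
    allowed = math.floor(fpr * len(loo) + 1e-9)  # benign apps allowed to alert
    threshold = loo[len(loo) - 1 - allowed]
    return {"bounds": bounds, "train": train, "k": k, "threshold": threshold}

def is_anomalous(model, app):
    """Flag an app whose score exceeds the benign-derived threshold."""
    x = normalize(app, model["bounds"])
    return knn_score(x, model["train"], model["k"]) > model["threshold"]

if __name__ == "__main__":
    model = fit_detector(BENIGN)
    for app in [(5, 7, 3), (25, 3, 40)]:  # constructed test apps
        print(app, "anomalous" if is_anomalous(model, app) else "normal")
```

Because the threshold comes only from benign leave-one-out scores, raising `fpr` lowers it: more benign apps are flagged in exchange for a better chance of catching malapps that sit close to normal behavior.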
Keywords/Search Tags: Android System Security, Android Application, Static Analysis, Anomaly Detection, K-Nearest Neighbor