
A Hybrid Feature-Based Detection Method On Android Malware

Posted on: 2017-05-27  Degree: Master  Type: Thesis
Country: China  Candidate: L X Xu  Full Text: PDF
GTID: 2348330485976497  Subject: Full-time Engineering
Abstract/Summary:
With the development of Internet technology, Internet use has gradually shifted from the traditional PC to mobile terminals. Compared with the PC Internet era, the smartphone is a highly privacy-intensive platform: through specific Android APIs, applications can easily obtain data such as the contact list, messages and even financial account passwords. However, app review in many marketplaces is far from perfect. To protect the privacy of Android users and promote the healthy development of the Android ecosystem, malware detection on the Android platform is crucial.

Malware detection methods on the Android platform are usually divided into dynamic and static methods. Dynamic methods use code instrumentation to collect behavioural feature data while the program is running; static methods decompile the APK, analyse the code and extract attributes, and build a detection model from these data. Features extracted by either method fall into two categories: 1) syntax features, such as permissions and Intent actions; 2) semantic features, such as API call chains. Methods based on syntax features must constantly update the detection model to detect new malware, which means higher maintenance cost, but they offer faster detection and lower algorithmic complexity; methods based on semantic features describe program behaviour accurately, but the complex feature database makes the detection model harder to train.

Therefore, a method based on syntax or semantic features alone is not a perfect approach. This paper proposes a hybrid feature extraction method: it uses the set of class-based taint propagation paths as the semantic feature and the declared permissions and Intent actions as syntax features, normalises all extracted features before training, clusters the data set with K-means, produces a feature vector for each malware family, and finally uses Euclidean distance to measure the similarity between an unknown program and the family feature vectors. The prototype is implemented on top of FlowDroid and is used to analyse 400 real programs, and the results demonstrate that the method achieves higher precision...
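The pipeline the abstract describes (syntax features plus taint-path semantic features, normalisation, K-means, one feature vector per family, Euclidean matching of an unknown app) is illustrated below as an added worked example; it is not the thesis's prototype and does not call FlowDroid. Everything is constructed for the example: the six training apps and their permissions, Intent actions and source-to-sink "taint path" strings, the two unknown apps, L2 normalisation of binary presence vectors as the normalisation scheme, deterministic farthest-point seeding for K-means, majority-vote naming of clusters by their training labels, and the distance threshold of 0.8 below which an unknown app is assigned to a family. A real deployment would feed in FlowDroid's class-level taint paths and the manifest's declared permissions and actions, and the threshold would be chosen from held-out data.

```python
import math
from collections import Counter

# Constructed training corpus: (app id, family label, extracted features).
# The "taint" strings stand in for the class-level source->sink paths a
# FlowDroid-style analysis would report; all values are made up for this example.
TRAINING = [
    ("a1", "sms_fraud",    {"perm": {"SEND_SMS", "READ_CONTACTS"},
                            "action": {"BOOT_COMPLETED"},
                            "taint": {"ContactsProvider->SmsManager.sendTextMessage"}}),
    ("a2", "sms_fraud",    {"perm": {"SEND_SMS", "READ_CONTACTS", "INTERNET"},
                            "action": {"BOOT_COMPLETED"},
                            "taint": {"ContactsProvider->SmsManager.sendTextMessage"}}),
    ("a3", "sms_fraud",    {"perm": {"SEND_SMS", "READ_CONTACTS"},
                            "action": {"BOOT_COMPLETED", "SMS_RECEIVED"},
                            "taint": {"ContactsProvider->SmsManager.sendTextMessage"}}),
    ("b1", "info_stealer", {"perm": {"INTERNET", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"},
                            "action": {"USER_PRESENT"},
                            "taint": {"TelephonyManager.getDeviceId->HttpURLConnection",
                                      "LocationManager->HttpURLConnection"}}),
    ("b2", "info_stealer", {"perm": {"INTERNET", "READ_PHONE_STATE"},
                            "action": {"USER_PRESENT"},
                            "taint": {"TelephonyManager.getDeviceId->HttpURLConnection"}}),
    ("b3", "info_stealer", {"perm": {"INTERNET", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"},
                            "action": {"USER_PRESENT", "BOOT_COMPLETED"},
                            "taint": {"TelephonyManager.getDeviceId->HttpURLConnection",
                                      "LocationManager->HttpURLConnection"}}),
]

# Constructed unknown samples for the matching step.
UNKNOWN_SMS = {"perm": {"SEND_SMS", "READ_CONTACTS", "INTERNET"},
               "action": {"SMS_RECEIVED"},
               "taint": {"ContactsProvider->SmsManager.sendTextMessage"}}
UNKNOWN_BENIGN = {"perm": {"INTERNET"}, "action": set(), "taint": set()}


def tokens(features):
    """Merge syntax (perm/action) and semantic (taint) features into one namespaced token set."""
    return {f"{kind}:{value}" for kind, values in features.items() for value in values}


def vectorize(features, vocab):
    """Binary presence vector over the vocabulary, L2-normalised (assumed normalisation scheme)."""
    present = tokens(features)
    vec = [1.0 if tok in present else 0.0 for tok in vocab]
    norm = math.sqrt(sum(x * x for x in vec)) or 1.0  # guard the all-zero vector
    return [x / norm for x in vec]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors, k, max_iter=50):
    """Lloyd's K-means with deterministic farthest-point seeding (assumed, for reproducibility)."""
    centroids = [vectors[0]]
    while len(centroids) < k:
        far = max(vectors, key=lambda v: min(euclid(v, c) for c in centroids))
        centroids.append(far)
    assign = [-1] * len(vectors)
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda j: euclid(v, centroids[j])) for v in vectors]
        if new_assign == assign:
            break
        assign = new_assign
        for j in range(k):
            members = [v for v, a in zip(vectors, assign) if a == j]
            if members:  # keep the old centroid if a cluster empties out
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return centroids, assign


def build_family_vectors(training, k):
    """Cluster the corpus; each centroid becomes the feature vector of the majority family in its cluster."""
    vocab = sorted(set().union(*(tokens(f) for _, _, f in training)))
    vectors = [vectorize(f, vocab) for _, _, f in training]
    centroids, assign = kmeans(vectors, k)
    family_vectors = {}
    for j, centroid in enumerate(centroids):
        labels = [lab for (_, lab, _), a in zip(training, assign) if a == j]
        if labels:
            family_vectors[Counter(labels).most_common(1)[0][0]] = centroid
    return vocab, family_vectors


def classify(features, vocab, family_vectors, threshold=0.8):
    """Nearest family by Euclidean distance; None when nothing lies within the (assumed) threshold."""
    vec = vectorize(features, vocab)
    family, dist = min(((fam, euclid(vec, c)) for fam, c in family_vectors.items()),
                       key=lambda t: t[1])
    return (family if dist <= threshold else None), dist


if __name__ == "__main__":
    vocab, fams = build_family_vectors(TRAINING, k=2)
    for name, sample in (("unknown_sms", UNKNOWN_SMS), ("unknown_benign", UNKNOWN_BENIGN)):
        print(name, classify(sample, vocab, fams))
```

The threshold is what keeps the matcher from forcing every app into some family: an app whose feature vector is far from every centroid (here the INTERNET-only sample) is reported as unmatched rather than as the least-bad family, which is the behaviour a triage pipeline wants when new families appear.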
Keywords/Search Tags: malware detection, static detection method, taint propagation, k-means