
Research Of Android Malware Behavior Detection Technology

Posted on: 2017-08-18
Degree: Master
Type: Thesis
Country: China
Candidate: X Wang
GTID: 2348330518470797
Subject: Software engineering
Abstract/Summary:
Smartphones have become an important entry point for Internet traffic. At the same time, smartphone terminals have become the first target for criminals carrying out cybercrime. Android is a smartphone operating system with a high market share. Because attackers pay close attention to Android, the security situation that Android faces is more urgent. Among all malicious attacks on Android, malware and phishing cause the most serious losses. As a result, it is urgent to strengthen research on Android malware and phishing detection technology.

Phishing on the Android platform induces users to visit phishing webpages in order to steal their sensitive information, and poses immeasurable threats to users' property and even their personal safety. The detection performance of the active SVM learning algorithm used to detect phishing webpages is insufficient, and this paper improves it. Based on feature similarity, we combine kernel space distance clustering with the SVM active learning algorithm (KSDCASVM) to improve detection accuracy while reducing the false positive rate and the false negative rate, thereby improving phishing detection performance. Finally, the KSDCASVM method is verified by experiments. The results show that KSDCASVM uses kernel space distance clustering to select a representative sample set as the training dataset. The classification hyperplane of KSDCASVM is better than that of ASVM, and KSDCASVM detects phishing webpages more effectively than ASVM when the number of learning samples is the same.

Phishing is not the only source of huge losses; malware also causes serious harm. To ensure system security, Android builds its own security mechanism on top of the Linux security mechanism. Android uses the permission mechanism to bind operations on sensitive resources to permissions: an application must request all the permissions it needs at installation time, and must be granted them for the installation to succeed. Benign applications and malware request different permissions, which means they need different permission combinations. The existing method detects malicious applications with a permission combination blacklist, which is based on the difference in how frequently benign applications and malware request the same permission combination. However, the blacklist method cannot find malware that does not use the permission combinations in the blacklist. In this paper, we not only assess the difference in request frequency of permission combinations between malware and normal applications, but also use a decision tree to mine the permission combinations used by malware. Finally, the experimental results show that the proposed method finds not only the malware that the permission combination blacklist can find, but also malware that the blacklist cannot find. At the same time, the proposed method has a lower false positive rate, within a reasonable range, than the blacklist method.
Keywords/Search Tags:Android, Permission Combination, Phishing, Malware, Feature Similarity