Research And Implementation Of Android Malicious Applications Detection System Based On Application Runtime Behaviors

Posted on: 2018-10-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Sang
GTID: 2348330518496493
Subject: Electronic Science and Technology

Abstract/Summary:
With the rapid development of the mobile Internet, mobile intelligent terminals have become an indispensable part of people's lives. On the other hand, intelligent mobile terminals have also introduced security risks. With the increasing number of malicious Android applications in recent years, the detection of malicious applications has become a focus of academic and industrial attention. This paper includes the following research contents and results:

(1) This paper proposes an Android application analysis technique that supports dynamic behavior interception. The technique consists of three parts. First, Android API calls are intercepted through process injection and dynamic modification of the virtual machine instance, and the timing, parameters, return values, threads, context and other information of each API call are analyzed. Second, system calls are intercepted based on Strace, and their parameters, return values, threads and other information are parsed. Third, multi-process analysis automatically identifies multiple targets and analyzes behavior across multiple processes. Without modifying the source code of the system, this technique can simultaneously perform multidimensional behavioral analysis at the Java API level and the kernel level.

(2) The concept of a behavior chain is put forward, based on a comprehensive analysis of additional information such as the time sequence, thread and context of the application, and 50 representative behavior chains are designed. A behavior chain better reflects the behavioral intention of the application. It is verified that a feature vector based on behavior chains reduces the dimension of the feature vector while improving the performance of the detection system.

(3) This paper designs and implements a malicious application detection system based on runtime behavior. The system uses a C/S framework: the client is responsible for dynamic analysis of the application under test and for uploading behavior records; the server is responsible for receiving and analyzing the behavior records, generating feature vectors through behavior chain matching, and using a machine learning algorithm to obtain the detection result. The verification accuracy of the system is 90.2%, the accuracy rate is 87% and the recall rate is 93.7%, which indicates better detection capabilities.

The malicious application detection system proposed in this paper has some practical value, and its experimental data can provide a reference for research on malicious application detection.
Keywords/Search Tags:dynamic behavior interception, behavior chain, machine learning, malicious applications detection