
Research On Detection Of Android Malicious Code Based On Dynamic API Call Sequence

Posted on: 2018-07-08
Degree: Master
Type: Thesis
Country: China
Candidate: Z W Xu
GTID: 2348330518973617
Subject: Computer Science and Technology
Abstract/Summary:
In recent years, smartphones have rapidly grown in popularity and greatly facilitated our lives. Android has the highest market share in the world. However, because the Android system is open source and users' security awareness is weak, the number of malicious applications has increased dramatically. The detection of malicious Android applications is therefore a subject worthy of in-depth study. To evade static detection methods, many malicious applications have adopted techniques such as code obfuscation and run-time triggering. This paper therefore proposes a dynamic detection method based on API call sequences to address the problem. We build a dynamic module to extract API calls while the application is running, and the API call sequence, treated as the object under test, is then modeled with a topic model. To improve predictive ability and semantic expression, an N-gram model is used to extract features from the original sequence. The main work of this paper is as follows:

(1) We study the Android system from a security perspective and construct a dynamic monitoring environment based on the Xposed framework, using the Zygote process fork mechanism. The behavior of the test application is triggered by an event trigger and monitored while the application is running. The API calls and their parameters are obtained without damaging the system. The API call sequence is then constructed as the detection feature for the later work.

(2) For the extracted API call sequences, a variety of classification algorithms are used to classify and detect the sequence samples directly, and the corresponding test results are given. We then introduce a topic model to model the sequences. The LDA model is used to map each sequence to a feature space based on implicit topics, in order to extract its latent meaning. Gibbs sampling is used to estimate the model parameters and finally obtain the topic probability distribution of the sequence. The results show that the LDA-RF algorithm performs best. The model is also optimized according to different parameters.

(3) On the basis of the original API call sequence, the N-gram method is used to extend the features and strengthen the correlation between API calls. The constructed N-gram sequence is modeled with the LDA model, and its validity is demonstrated by comparison experiments. We also increase the number of samples to study the effect of sample-set size on the experimental results.
Keywords/Search Tags:Android, malicious code detection, Topic Model, N-gram, dynamic detection, API call sequence
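
The feature pipeline the abstract describes (API call sequence, N-gram extension, LDA topic distribution estimated by Gibbs sampling) can be sketched as follows. This is an added example, not code from the thesis: the collapsed Gibbs sampler, the hyperparameters, the trace names and the API call traces are all assumptions constructed for illustration, and the classifier stage is left out.

```python
import random

def ngrams(calls, n=2):
    """Join every window of n consecutive API calls into one token."""
    return ["->".join(calls[i:i + n]) for i in range(len(calls) - n + 1)]

def lda_gibbs(docs, k=2, alpha=0.1, beta=0.01, iters=200, seed=0):
    """Collapsed Gibbs sampling for LDA; returns one topic distribution per doc."""
    rng = random.Random(seed)
    vocab = sorted({w for d in docs for w in d})
    wid = {w: i for i, w in enumerate(vocab)}
    docs = [[wid[w] for w in d] for d in docs]
    v = len(vocab)
    ndk = [[0] * k for _ in docs]       # tokens of each topic per document
    nkw = [[0] * v for _ in range(k)]   # tokens of each word per topic
    nk = [0] * k                        # tokens per topic overall

    def count(d, w, t, step):
        ndk[d][t] += step
        nkw[t][w] += step
        nk[t] += step

    z = [[rng.randrange(k) for _ in doc] for doc in docs]  # random start
    for d, doc in enumerate(docs):
        for w, t in zip(doc, z[d]):
            count(d, w, t, 1)
    for _ in range(iters):
        for d, doc in enumerate(docs):
            for i, w in enumerate(doc):
                count(d, w, z[d][i], -1)  # take the token out, then resample it
                weights = [(ndk[d][j] + alpha) * (nkw[j][w] + beta) / (nk[j] + v * beta)
                           for j in range(k)]
                z[d][i] = rng.choices(range(k), weights=weights)[0]
                count(d, w, z[d][i], 1)
    return [[(ndk[d][j] + alpha) / (len(doc) + k * alpha) for j in range(k)]
            for d, doc in enumerate(docs)]

# Constructed traces for illustration; not data from the thesis.
TRACES = {
    "sample_a": ["Activity.onCreate", "TelephonyManager.getDeviceId",
                 "SmsManager.sendTextMessage", "TelephonyManager.getDeviceId",
                 "SmsManager.sendTextMessage"],
    "sample_b": ["Activity.onCreate", "SharedPreferences.getString",
                 "HttpURLConnection.connect", "SharedPreferences.getString",
                 "HttpURLConnection.connect"],
}

def topic_features(traces, n=2, k=2):
    """Map each trace to the topic distribution of its n-gram tokens."""
    names = list(traces)
    return dict(zip(names, lda_gibbs([ngrams(traces[m], n) for m in names], k=k)))
```

Each value returned by `topic_features` is a fixed-length vector of topic probabilities, which is the form a downstream classifier would consume; a trace shorter than `n` yields no tokens and falls back to the uniform prior.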