Android Malware Detection Research Based On The Feature Of Dalvik Instruction

Posted on: 2018-06-01
Degree: Master
Type: Thesis
Country: China
Candidate: Y M Yang
Full Text: PDF
GTID: 2348330518976410
Subject: Computer Science and Technology
Abstract/Summary:
With the popularity of the mobile Internet and Android applications, Android malware continues to grow at a high rate. To detect Android malware more effectively, this paper proposes a novel lightweight static detection model that uses features of Dalvik instructions together with machine learning techniques. First, a symbol-set-based simplification method is proposed to abstract the opcode sequence decompiled from Android DEX files. Then, N-Gram is employed to extract features from the simplified opcode sequence, and a classifier is trained for the malware detection and classification tasks. To improve the efficiency and scalability of the proposed detection model, a compression procedure is also used to reduce features and select exemplars from the malware sample dataset. Our method is compared against state-of-the-art anti-virus tools in a real-world setting using the Drebin dataset. The experimental results show that our method achieves a higher accuracy rate and a lower false alarm rate with satisfactory efficiency.

In addition, to solve the problem of malware family classification, this paper proposes an Android malware family classification method based on the bytecode image. A bytecode file of Android malware is converted to a bytecode image, and texture features are extracted from the image by GIST. The random forest algorithm is applied to classify the extracted features. We have verified the method on experimental data from 14 common Android malware families and compared it against Drebin on the same dataset. The experimental results show that our method has high detection precision and a lower false positive rate.

The main work of this paper is as follows:

(1) A simple symbol set is introduced to simplify the original Dalvik instruction sequence, where a series of instructions with similar function is assigned one symbol. The N-Gram technique is employed to handle the symbolic sequence. To achieve high detection efficiency, a further reduction scheme is proposed that largely cuts down the number of N-Gram items and training samples. Specifically, information gain is employed for attribute reduction, and affinity propagation for sample selection.

(2) This paper proposes a fast method of creating the bytecode image and studies the relation between the structure of DEX files and the texture of the bytecode image. Texture features are extracted from the image by GIST, and the random forest algorithm is applied to classify the extracted features.

(3) An Android malware detection platform is designed and implemented, which is suitable for use in APK analysis service scenarios.
Keywords/Search Tags: malware, Android, Dalvik instruction, N-Gram, machine learning, image texture
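The feature pipeline described in item (1) of the abstract (symbol simplification, N-Gram extraction, information-gain attribute reduction), as an added example that is not code from the thesis. The symbol set, the function names and the four sample opcode sequences are assumptions constructed for illustration; classifier training and affinity-propagation sample selection are left out.

```python
import math

# Hypothetical symbol set (assumption: the abstract does not list the thesis's own).
# Each prefix of a Dalvik mnemonic maps a family of similar instructions to one symbol.
SYMBOLS = [("move", "M"), ("return", "R"), ("goto", "G"), ("if-", "I"),
           ("iget", "T"), ("sget", "T"), ("aget", "T"),
           ("iput", "P"), ("sput", "P"), ("aput", "P"), ("invoke", "V")]

def simplify(opcodes):
    """Abstract an opcode sequence to a symbol string; unmapped opcodes are dropped."""
    return "".join(next((s for p, s in SYMBOLS if op.startswith(p)), "") for op in opcodes)

def ngrams(symbols, n=3):
    """N-grams present in one sample (binary presence features)."""
    return {symbols[i:i + n] for i in range(len(symbols) - n + 1)}

def entropy(pos, total):
    """Binary entropy of a label set with `pos` positives out of `total`."""
    if total == 0 or pos in (0, total):
        return 0.0
    p = pos / total
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def information_gain(samples, labels, gram):
    """Reduction in label entropy from knowing whether `gram` occurs in a sample."""
    n = len(samples)
    present = [y for s, y in zip(samples, labels) if gram in s]
    absent = [y for s, y in zip(samples, labels) if gram not in s]
    conditional = sum(len(part) / n * entropy(sum(part), len(part))
                      for part in (present, absent))
    return entropy(sum(labels), n) - conditional

def select_features(samples, labels, k):
    """Attribute reduction: keep the k N-grams with the highest information gain."""
    vocab = set().union(*samples)
    return sorted(vocab, key=lambda g: (-information_gain(samples, labels, g), g))[:k]

# Constructed opcode sequences (not from the Drebin dataset); label 1 = malware.
CORPUS = [
    (["const/4", "invoke-static", "move-result-object", "iput-object",
      "invoke-virtual", "return-void"], 1),
    (["invoke-virtual", "move-result", "sput", "invoke-direct", "goto"], 1),
    (["iget", "if-eqz", "invoke-virtual", "return-void"], 0),
    (["sget-object", "if-nez", "invoke-static", "move-result", "return"], 0),
]
SAMPLES = [ngrams(simplify(ops)) for ops, _ in CORPUS]
LABELS = [label for _, label in CORPUS]

if __name__ == "__main__":
    print(select_features(SAMPLES, LABELS, 3))
```

The selected N-grams would then become the columns of the presence matrix handed to the classifier.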