With the rapid development of mobile communication technology, smartphones have become indispensable equipment for individuals around the world. Most smartphones run the Android operating system. Due to the openness of the Android platform, the number of malicious applications on Android has grown rapidly in recent years. Malicious behaviors, such as malicious fee deduction and privacy leakage, have become serious threats to users. The applications on our smartphones may be malicious without our noticing. Therefore, detecting malicious Android applications is an urgent need. Previous detection methods cannot evaluate the degree of maliciousness of an application, so users cannot know the risk their applications pose. Therefore, it is necessary to improve application detection methods.

This thesis presents a thorough study of malware features on the Android platform. Building on an analysis of the relevant research background, including current Android malware detection technology, malware detection environments and tools, and machine learning algorithms for classifying malware, we design an analysis system for Android malware detection. The system consists of a feature extraction module, a risk degree evaluation module and a machine learning classification module. The specific content is as follows.

First, this thesis designs and implements a malware detection framework that uses both static and dynamic detection methods. In this framework, a static feature extraction module detects and analyzes the permissions, signature and Java source code of mobile applications, and searches for malicious system function calls and unexpected operation behaviors. A dynamic feature extraction module uses an emulator and a smartphone to execute the applications. We combine DroidBox with TaintDroid to record behavior features such as network connections, file reading and privacy leakage. This module also employs network traffic analysis to obtain supplementary information on API calls. This framework prevents applications from escaping detection by hiding their malicious behaviors.

Second, we design a malware evaluation scheme based on application category and behavioral features, and implement a risk assessment system. We extract features from a large number of malware samples to form a feature template. We classify the features and define suitable risk values in terms of the application functions. Based on the application category, we judge whether a feature is normal or malicious, and the risk value is given different weights accordingly. We compare the application against the feature template to calculate a weighted risk value, which can be used to evaluate how dangerous the application is.

Third, in this scheme, we use the SVM algorithm, the K-means algorithm and the K-nearest neighbor algorithm to classify applications according to the risk values of their static and dynamic features of all types. The experiments demonstrate that for social applications and wallpaper applications, the SVM-based scheme is more accurate than the scheme based on the K-means and K-nearest neighbor algorithms, and that the latter is more accurate than the former for video applications, system applications and games.

Using a sandbox environment and a real mobile phone, the system combines static analysis and dynamic analysis. We have implemented the system in a real environment. Compared with other tools, our system detects more features and behaviors. Compared with current technology and schemes, our scheme has higher malware detection accuracy.
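The category-weighted risk scoring described in the second contribution above, as an added example that is not the thesis's own code. The abstract does not publish the feature template, so every feature name, risk value, category and weight here is a constructed assumption.

```python
# Added illustration: category-dependent weighted risk value.
# All feature names, risk values and weights are constructed, not from the thesis.

# Feature template: base risk value per static ("perm:") or dynamic ("dyn:") feature.
FEATURE_TEMPLATE = {
    "perm:SEND_SMS": 8.0,
    "perm:READ_CONTACTS": 6.0,
    "perm:INTERNET": 2.0,
    "dyn:privacy_leak": 9.0,
    "dyn:network_connection": 3.0,
    "dyn:file_read": 2.0,
}

# Per-category weights: below 1.0 where a feature is expected for that kind of
# application, above 1.0 where it is out of place.
CATEGORY_WEIGHTS = {
    "social": {"perm:SEND_SMS": 0.5, "perm:READ_CONTACTS": 0.5,
               "dyn:network_connection": 0.5},
    "wallpaper": {"perm:SEND_SMS": 2.0, "perm:READ_CONTACTS": 2.0,
                  "dyn:privacy_leak": 1.5},
}
DEFAULT_WEIGHT = 1.0  # used for unlisted features and unknown categories


def weighted_risk(category, observed_features):
    """Return (total_risk, per_feature_contributions) for one application."""
    weights = CATEGORY_WEIGHTS.get(category, {})
    contributions = {}
    for feature in sorted(set(observed_features)):
        base = FEATURE_TEMPLATE.get(feature)
        if base is None:
            continue  # features absent from the template carry no score here
        contributions[feature] = base * weights.get(feature, DEFAULT_WEIGHT)
    return sum(contributions.values()), contributions


if __name__ == "__main__":
    # Constructed sample: identical extracted features, two declared categories.
    sample = ["perm:SEND_SMS", "perm:READ_CONTACTS", "perm:INTERNET",
              "dyn:network_connection", "perm:NOT_IN_TEMPLATE"]
    for category in ("social", "wallpaper"):
        total, parts = weighted_risk(category, sample)
        print(category, total, parts)
```

The same feature set scores much higher under the wallpaper category than under the social one, which is the effect the category-based weighting is meant to produce before the scores are passed to a classifier.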