Research And Implementation Of Android Malware Dynamic Detection System

Posted on: 2018-12-25
Degree: Master
Type: Thesis
Country: China
Candidate: T Hu
GTID: 2348330536979712
Subject: Information networks

Abstract/Summary:
The openness of the Android system has caused the number of published applications to increase dramatically. However, a large number of malicious software attacks occur at the same time, such as malicious chargeback, privacy theft, and so on. Thus, how to detect and categorize malicious software has become a hotspot in the field. As most existing security software cannot trigger enough malicious behavior and cannot classify malware effectively, this paper presents an SVM-based dynamic detection and classification model aimed at solving these two problems. Furthermore, the model has been developed into a software product, in which the user uploads an application to the server, which then detects and classifies the application and returns the result to the user.

The main work of this thesis is as follows:

1. Dynamic Detection on Event Trigger (DDET) is presented. It consists of an Event Trigger and a Monkey Runner, and in-time fake events can be injected according to the corresponding callback function API at the most appropriate execution time. Compared with triggering true events, DDET reduces resource consumption and enlarges the analysis scope substantially, which helps to obtain a more accurate result. However, it cannot guarantee complete coverage of all possible behavior, and the coverage problem is left as future work.
2. 7 kinds of behavior in the DDET log file are selected to establish the keyword-behavior library, and different weights are given according to the behavior of different malware families in the library.
3. A rapid hash-based identification method is proposed: the hash values of known malware are extracted from the DDET. Before analyzing the log files, the system first matches the extracted hash value to quickly determine whether the program is a malicious program that has already been identified.
4. The Classification Model of Malware Families (CMMF) is built: first, a behavior matching algorithm is designed to match the behavior in the log files against the keywords in the library. Then the matching results are transformed into the format that the SVM can recognize. After that, the radial basis function is chosen as the kernel function of the SVM, and cross validation is used to select the best parameters, which maximize the margin of the decision boundary and are critical to the model. Finally, to evaluate the efficiency, 200 malware and 100 benign applications are mixed as a testing dataset; the results show that the false rate of the CMMF model is 0 and the detection rate for unknown applications is about 96.36%. However, the weights of the behavioral characteristics in different malware families are assigned manually, so further work on the similarities between the features is needed.

The innovations of this thesis are twofold: the first is the design of the Event Trigger, which can trigger more potential malicious behavior to provide more behavioral characteristics; the second is the proposal of different weights for behavioral characteristics according to malware family, in order to train malware decision models for different malware families.
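Steps 2 to 4 above describe one pipeline: a hash pre-check, keyword matching of DDET log lines against a behavior library, and per-family weighting into an SVM-readable feature vector. The following is an added illustration of that pipeline, not code from the thesis; the 7 behavior kinds, their keywords, the family weights, the known-hash set and the log lines are all constructed assumptions, and the libsvm-style sparse "index:value" output is assumed as the SVM input format.

```python
import hashlib
# Constructed keyword-behavior library: the thesis selects 7 behavior kinds
# from the DDET log; the kinds and keywords here are illustrative assumptions.
BEHAVIOR_KEYWORDS = {
    "send_sms": ["sendTextMessage"],
    "read_contacts": ["content://com.android.contacts"],
    "read_device_id": ["getDeviceId", "getSubscriberId"],
    "network_send": ["openConnection"],
    "boot_receiver": ["BOOT_COMPLETED"],
    "install_package": ["package-archive"],
    "hide_icon": ["setComponentEnabledSetting"],
}
# Per-family behavior weights (illustrative assumption); default weight is 1.0.
FAMILY_WEIGHTS = {
    "sms_chargeback": {"send_sms": 3.0, "read_device_id": 2.0},
    "privacy_theft": {"read_contacts": 3.0, "network_send": 2.0},
}
# Constructed placeholder for the hashes of already-identified samples.
KNOWN_MALWARE = {hashlib.sha256(b"constructed-known-sample").hexdigest()}

def rapid_hash_check(apk_bytes, known=KNOWN_MALWARE):
    """Hash the sample first; a hit means log analysis can be skipped."""
    digest = hashlib.sha256(apk_bytes).hexdigest()
    return digest, digest in known

def match_behaviors(log_lines):
    """Count the log lines that hit each behavior's keywords."""
    counts = dict.fromkeys(BEHAVIOR_KEYWORDS, 0)
    for line in log_lines:
        for behavior, keys in BEHAVIOR_KEYWORDS.items():
            if any(k in line for k in keys):
                counts[behavior] += 1
    return counts

def to_svm_features(counts, family):
    """Weight counts per family; emit a sparse libsvm-style 'index:value' string."""
    weights = FAMILY_WEIGHTS.get(family, {})
    feats = []
    for i, behavior in enumerate(BEHAVIOR_KEYWORDS, start=1):
        value = counts[behavior] * weights.get(behavior, 1.0)
        if value:
            feats.append(f"{i}:{value:g}")
    return " ".join(feats)

# Constructed DDET-style log lines for a sample that sends SMS after boot.
SAMPLE_LOG = [
    "[DDET] inject BOOT_COMPLETED -> BootReceiver.onReceive()",
    "[DDET] api TelephonyManager.getDeviceId()",
    "[DDET] api SmsManager.sendTextMessage(<number>, ...)",
    "[DDET] api SmsManager.sendTextMessage(<number>, ...)",
]
```

The same log yields a different feature vector per family, which is what lets a separate SVM be trained for each family as the thesis proposes.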
Keywords/Search Tags: Android, dynamic analysis, event trigger, matching algorithm, classify