
Research And Implementation Of Android Malware Detection System Based On Dynamic Analysis

Posted on: 2019-02-25 | Degree: Master | Type: Thesis
Country: China | Candidate: J P Li | Full Text: PDF
GTID: 2348330542998718 | Subject: Information security
Abstract/Summary:
With the further development of the mobile Internet, the security problems of mobile applications are becoming more and more serious. The Android application market lacks an effective regulatory mechanism, and a large number of the applications in it may threaten users' information security, so the security of Android applications is a prominent concern. This paper proposes a method for detecting malicious Android applications based on dynamic analysis. First, Hook technology is used to monitor the application's calls to system programming interfaces, and on this basis an Android sandbox is built. The sensitive behavior of the application can then be fully triggered and captured in the sandbox, and whether the application is malicious is determined according to the occurrence of these sensitive behaviors.

Based on the strengths and weaknesses of current dynamic analysis methods, this paper presents a dynamic analysis method that hooks simultaneously in the Kernel and Framework layers of the Android system, to improve the comprehensiveness and accuracy of monitoring the sensitive behavior of mobile applications. Loadable kernel module (LKM) technology is used to monitor native function calls in the Kernel layer. The Framework layer hooks the system zygote process to monitor the sensitive APIs of other system calls.

By analyzing the relationships and regularities among some sensitive behaviors of mobile applications, this paper proposes a model that predicts the possible future occurrence of some sensitive behaviors of an application. A large number of sensitive behaviors obtained through dynamic analysis are modeled and studied, and their behavioral feature vectors are extracted. These feature vectors are then used to train the classification model. When there is a new detection task, the sensitive behavior of the application is first obtained through dynamic analysis, and feature vectors are then extracted from these sensitive behaviors and input into the classification model to obtain the judgment result. In particular, this paper combines the predicted future behavior with the actually monitored sensitive behavior as part of the classification reference, to reduce the time required for dynamic analysis of an application.

The above method is designed in detail and an Android malware detection system is implemented, divided into two main modules: the dynamic analysis module and the malware examination module. The dynamic analysis module is responsible for monitoring sensitive behavior while the application is running and mainly uses the Hook method described above. The malware examination module is mainly responsible for analyzing the sensitive behaviors acquired by the dynamic analysis module and judging whether the application is malware, mainly using the machine learning linear regression algorithm and support vector machine algorithm. Finally, experiments show that this method and the system based on it can effectively detect malware among Android applications. Because behavior prediction replaces part of the time of dynamic analysis, the system improves the detection efficiency for applications to some extent.
Keywords/Search Tags:malicious software, dynamic analysis, hook, behavior prediction, classification