Feature Matching Based Malicious Behavior Detection Technology Of Android Software

Posted on: 2019-05-24 | Degree: Master | Type: Thesis
Country: China | Candidate: W B Zhang | Full Text: PDF
GTID: 2428330572952052 | Subject: Engineering
Abstract/Summary:
With the popularity of the Android system, malicious software for the Android platform has also increased rapidly, seriously threatening the information security of Android system users. Researchers at home and abroad have proposed a variety of Android malware detection technologies. These mainly start from features such as application permissions, sensitive APIs, components, UIs, APK structures, and API call sequences, which are combined with static or dynamic analysis. This thesis finds that malware developers often use code obfuscation, NDK protection, and shell protection to counter static analysis, while dynamic analysis tools are too large and complex to operate. As malware developers' techniques continue to improve and they learn from each other, Android malware gains more functions and becomes harder to notice. The application features used in existing Android malware detection technologies are insufficient to identify malware accurately.

To solve these problems, the thesis studies the various application features in depth and analyzes the advantages and disadvantages of each. Through accurate analysis of the malicious functions of malware samples from different families, the sensitive API call sequence is finally selected as the research feature. The thesis proposes a feature-matching malware detection method for Android software and implements Check Droid, an Android malware detection system with a B/S architecture. The work is as follows:

1. To address the problem that the application features used in prior technologies cannot accurately identify malware, the sensitive API call sequence is selected as the research feature. This feature accurately reflects the sensitive behavior of malicious software.

2. The malware samples in each malware family are studied and analyzed, so that the malicious behavior of the malware and the execution process of its malicious functions are understood.

3. The contents and structure of the trace file are studied and analyzed. A frequent API call sequence extraction algorithm is designed and implemented, which can effectively extract the frequent API call sequences of each application.

4. A sensitive API data set is built. The set of sensitive API call sequences is filtered from the frequent API call sequence set of each malware family. The number of identical sensitive APIs contained in the set is taken as the weight value, and the longest continuous common subsequences containing the same sensitive API call sequence are extracted as the matching features. The degree of similarity between each malware sample and its family is calculated, and the minimum similarity matching threshold of the malware family is then selected. Finally, the Android malware signature database is constructed from the matching features, weight values, and minimum similarity matching thresholds.

5. An Android malware detection system, Check Droid, is implemented, which can detect malware quickly and efficiently. The experimental results show that the system has a low false alarm rate for non-malware.
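The signature construction described in item 4, sketched as an added example that is not code from the thesis or from Check Droid. The sensitive-API set and the three family traces are constructed, and the pairwise extraction of common runs, the weight (number of APIs in a run) and the similarity metric (matched weight over total weight) are assumptions, since the abstract does not define them.

```python
from itertools import combinations

# Constructed sensitive-API set and family traces; none of this is thesis data.
SENSITIVE = {"getDeviceId", "getSubscriberId", "getLine1Number",
             "sendTextMessage", "openConnection", "exec"}
FAMILY = {
    "s1": ["onCreate", "getDeviceId", "getSubscriberId", "openConnection", "sendTextMessage"],
    "s2": ["getDeviceId", "getSubscriberId", "openConnection", "toString", "exec"],
    "s3": ["getLine1Number", "getDeviceId", "getSubscriberId", "sendTextMessage"],
}

def sensitive_only(trace):
    """Drop non-sensitive calls so benign calls in between do not break a run."""
    return [call for call in trace if call in SENSITIVE]

def longest_common_run(a, b):
    """Longest contiguous common subsequence of two call lists (row-wise DP)."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return tuple(a[best_end - best_len:best_end])

def contains_run(seq, run):
    n = len(run)
    return any(tuple(seq[i:i + n]) == run for i in range(len(seq) - n + 1))

def similarity(seq, weights):
    """Assumed metric: matched feature weight over total feature weight."""
    total = sum(weights.values())
    matched = sum(w for run, w in weights.items() if contains_run(seq, run))
    return matched / total if total else 0.0

def build_signature(family):
    seqs = [sensitive_only(t) for t in family.values()]
    runs = {longest_common_run(a, b) for a, b in combinations(seqs, 2)} - {()}
    weights = {run: len(run) for run in runs}  # assumed weight: APIs in the run
    # Minimum similarity over the family's own samples becomes the threshold.
    return {"features": weights, "threshold": min(similarity(s, weights) for s in seqs)}

def detect(trace, signature):
    """Flag a trace that matches some feature and reaches the family threshold."""
    sim = similarity(sensitive_only(trace), signature["features"])
    return sim > 0 and sim >= signature["threshold"]
```

The `sim > 0` guard keeps a family whose samples share no run (threshold 0.0) from flagging every trace.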
Keywords/Search Tags: Feature Matching, Android Malware, Sensitive API Call Sequence, Trace File