
Research On Android Malware Traceability Analysis Scheme Based On Threat Intelligence

Posted on: 2020-06-11
Degree: Master
Type: Thesis
Country: China
Candidate: M Yang
GTID: 2428330572973639
Subject: Information security
Abstract/Summary:
The rise of the mobile Internet has brought great convenience to people, but more and more Android malware has worked its way into daily life. Traceability analysis of Android malware helps block malicious applications at their source and is an important part of managing Android malware. In recent years, threat intelligence has played an increasingly important role in traceability analysis. However, the threat intelligence design of the mainstream intelligence analysis platforms focuses on network attacks, computer viruses and the like, so information about mobile malware cannot be described accurately and completely. As for correlation methods, the mainstream threat analysis platforms rely on network information and sample hashes for correlation and do no special processing for the characteristics of mobile malware. Existing threat intelligence platforms therefore do not apply well to mobile security traceability analysis in practice. Some vendors are active in the field of mobile security threat intelligence platforms, but their designs have not departed from traditional threat intelligence.

Aiming at the above problems and combining the characteristics of Android malware and traceability analysis, this thesis proposes an Android malware traceability analysis scheme based on threat intelligence. The detailed work is as follows:

1) For the acquisition of malicious applications, a multi-feature-based Android similar-malware detection method is proposed. The method extracts a series of features from four dimensions (resource files, network, code and metadata), builds a similarity detection algorithm for each dimension, and uses B-tree indexes, inverted indexes and other techniques to improve detection efficiency. Experiments show that, compared with the traditional method, the recall rate of this method is increased by 10.9%, the detection time is shortened by 28.9%, and it is more robust against obfuscation.

2) For threat intelligence representation, this thesis proposes a threat intelligence representation and sharing framework for Android, based on the mainstream threat intelligence specification and covering the dynamic and static features of Android malware. The framework defines a threat intelligence data model and description specification from the static and dynamic characteristics of Android malware, and implements the improved intelligence generation, parsing and sharing procedures in Python. Experiments show that the new threat intelligence representation framework achieves a 31% higher success rate than STIX 2.0 in representing mobile threat intelligence.

3) For the threat intelligence association method, traditional association focuses on network features such as IPs and URLs, which leaves some threat information unrelated. This thesis proposes an intelligence association method based on the dynamic and static features of samples. The method extracts the dynamic and static features of a given sample and its associated samples through Android dynamic and static testing techniques. When extracting features, a set of feature optimization schemes is proposed to extract more useful features and reduce interfering ones; two strategies, direct matching and indirect matching, are used to match the intelligence; and finally the Gephi visualization framework is used to visualize the associated samples and their intelligence. Experiments show that this method obtains more related threat information than traditional network-based and sample-hash-based intelligence correlation methods, and works well on ransomware and system-destructive classes that have no obvious network characteristics.
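The representation framework in item 2) builds on the mainstream specification (STIX 2.0) and adds Android static and dynamic features. The following is an added example, not the thesis's own data model or code: it expresses one Android sample as a STIX 2.0 bundle using custom `x_android_*` properties on a `malware` object (the property names are an assumption; STIX 2.0 only requires the `x_` prefix), a SHA-256 `indicator`, and an `indicates` relationship, then parses the bundle back and validates its structure. The sample data (package name, hashes, domain) is constructed.

```python
"""Represent one Android sample's static and dynamic features as a STIX 2.0
bundle (a 'malware' SDO carrying custom x_ properties, a SHA-256 indicator and
an 'indicates' relationship), then parse and validate it. Standard library only."""
import json
import re
import uuid
from datetime import datetime, timezone

# Custom property names are an assumption of this example: STIX 2.0 only
# requires the "x_" prefix. They are not the thesis's own data model.
STATIC_PROPS = ("x_android_package", "x_android_cert_sha256", "x_android_permissions")
DYNAMIC_PROPS = ("x_android_contacted_domains", "x_android_api_calls")
# Required properties (beyond the common type/id/created/modified) in STIX 2.0.
REQUIRED = {
    "malware": ("name", "labels"),
    "indicator": ("labels", "pattern", "valid_from"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
CUSTOM_RE = re.compile(r"^x_[a-z0-9_]+$")

# Constructed sample: hypothetical package name, hashes and domain.
SAMPLE = {
    "name": "FakeLocker.A",
    "labels": ["ransomware"],
    "apk_sha256": "ab" * 32,
    "static": {"x_android_package": "com.example.locker",
               "x_android_cert_sha256": "cd" * 32,
               "x_android_permissions": ["RECEIVE_BOOT_COMPLETED", "SYSTEM_ALERT_WINDOW"]},
    "dynamic": {"x_android_contacted_domains": ["pay-unlock.example"],
                "x_android_api_calls": ["android.app.admin.DevicePolicyManager.lockNow"]},
}


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sdo(stix_type, **props):
    """Common STIX 2.0 object skeleton: type, id, created, modified."""
    ts = _timestamp()
    return {"type": stix_type, "id": f"{stix_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def android_bundle(name, labels, apk_sha256, static, dynamic):
    """Generate a bundle: malware SDO with Android features plus a hash indicator."""
    malware = _sdo("malware", name=name, labels=list(labels),
                   **{k: static[k] for k in STATIC_PROPS},
                   **{k: dynamic[k] for k in DYNAMIC_PROPS})
    indicator = _sdo("indicator", labels=["malicious-activity"],
                     pattern=f"[file:hashes.'SHA-256' = '{apk_sha256}']",
                     valid_from=malware["created"])
    rel = _sdo("relationship", relationship_type="indicates",
               source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": [malware, indicator, rel]}


def bundle_json(sample):
    """Serialize a sample description for sharing."""
    return json.dumps(android_bundle(**sample), indent=2)


def parse_bundle(text):
    """Parse a shared bundle and enforce the structure we rely on; objects by id."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("not a STIX 2.0 bundle")
    objects = {}
    for obj in bundle.get("objects", []):
        m = ID_RE.match(obj.get("id", ""))
        if not m or m.group(1) != obj.get("type"):
            raise ValueError(f"id/type mismatch: {obj.get('id')}")
        for prop in ("created", "modified") + REQUIRED.get(obj["type"], ()):
            if prop not in obj:
                raise ValueError(f"{obj['id']} lacks required property {prop}")
        for key in obj:  # custom properties must be x_ prefixed, lowercase
            if key.startswith("x_") and not CUSTOM_RE.match(key):
                raise ValueError(f"bad custom property name {key}")
        objects[obj["id"]] = obj
    for obj in objects.values():  # relationships must point inside the bundle
        if obj["type"] == "relationship":
            for ref in (obj["source_ref"], obj["target_ref"]):
                if ref not in objects:
                    raise ValueError(f"dangling reference {ref}")
    return objects


def is_valid_bundle(text):
    try:
        parse_bundle(text)
        return True
    except ValueError:
        return False


def android_features(objects):
    """Pull the Android static/dynamic features back out, keyed by malware name."""
    return {o["name"]: {k: o[k] for k in STATIC_PROPS + DYNAMIC_PROPS if k in o}
            for o in objects.values() if o["type"] == "malware"}


if __name__ == "__main__":
    print(bundle_json(SAMPLE))
```

The validation in `parse_bundle` is the check a consumer of shared intelligence needs: an id whose prefix does not match its type, a missing required property, or a relationship pointing outside the bundle is rejected before any feature is used for correlation.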
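Items 1) and 3) share one mechanism: per-dimension similarity over resource, network, code and metadata features, with an inverted index for candidate retrieval, and then direct or indirect matching of samples against intelligence. The block below is an added example written for this page, not the thesis's implementation: the weights, threshold, feature tokens and intelligence records are all constructed assumptions. It shows why a sample with no network features (the stripped-down repackaged locker `apk_b`) still reaches the intelligence record through a similar sample, and emits a Gephi-importable edge list.

```python
"""Multi-dimension similarity retrieval and direct/indirect intelligence
association for Android samples, producing a Gephi edge list."""
from collections import defaultdict

DIMENSIONS = ("resource", "network", "code", "metadata")
# Weights and threshold are assumptions of this example, not the thesis's values.
WEIGHTS = {"resource": 0.2, "network": 0.2, "code": 0.4, "metadata": 0.2}
SIM_THRESHOLD = 0.5

# Constructed corpus: three hypothetical APKs as feature sets per dimension
# (resource path:hash, contacted domains, invoked APIs, package/cert metadata).
SAMPLES = {
    "apk_a": {  # locker ransomware that also beacons to a payment domain
        "resource": {"res/raw/lock.png:3f1a2c", "res/layout/main.xml:77c0e1"},
        "network": {"pay-unlock.example", "update.example"},
        "code": {"Landroid/app/admin/DevicePolicyManager;->lockNow",
                 "Landroid/telephony/SmsManager;->sendTextMessage",
                 "Ljavax/crypto/Cipher;->doFinal"},
        "metadata": {"pkg:com.example.locker", "cert:9a0b11"},
    },
    "apk_b": {  # repackaged variant of apk_a with the C2 code removed
        "resource": {"res/raw/lock.png:3f1a2c", "res/layout/main.xml:77c0e1"},
        "network": set(),
        "code": {"Landroid/app/admin/DevicePolicyManager;->lockNow",
                 "Landroid/telephony/SmsManager;->sendTextMessage",
                 "Ljavax/crypto/Cipher;->doFinal"},
        "metadata": {"pkg:com.example.locker.free", "cert:9a0b11"},
    },
    "apk_c": {  # unrelated banking overlay trojan
        "resource": {"res/layout/login.xml:0c9d44"},
        "network": {"bank-login.example"},
        "code": {"Landroid/accessibilityservice/AccessibilityService;->onAccessibilityEvent",
                 "Ljava/net/HttpURLConnection;->getOutputStream"},
        "metadata": {"pkg:com.example.bank", "cert:55ee01"},
    },
}

# Constructed intelligence records: sets of (dimension, token) indicators.
INTEL = {
    "ti-locker-c2": {("network", "pay-unlock.example")},
    "ti-bank-overlay": {("network", "bank-login.example"), ("metadata", "cert:55ee01")},
}


def build_index(samples):
    """Inverted index (dimension, token) -> sample ids, for candidate retrieval."""
    index = defaultdict(set)
    for sid, dims in samples.items():
        for dim in DIMENSIONS:
            for tok in dims[dim]:
                index[(dim, tok)].add(sid)
    return index


def similarity(a, b):
    """Weighted Jaccard over the four dimensions. A dimension empty on both
    sides is skipped and the remaining weights renormalized, so two samples
    without any network features can still score on code/resource/metadata."""
    num = den = 0.0
    for dim in DIMENSIONS:
        x, y = a[dim], b[dim]
        if not x and not y:
            continue
        num += WEIGHTS[dim] * len(x & y) / len(x | y)
        den += WEIGHTS[dim]
    return num / den if den else 0.0


def similar_samples(qid, samples, index, threshold=SIM_THRESHOLD):
    """Retrieve candidates through the index, then score only those."""
    query = samples[qid]
    cands = set()
    for dim in DIMENSIONS:
        for tok in query[dim]:
            cands |= index[(dim, tok)]
    cands.discard(qid)
    scores = {c: similarity(query, samples[c]) for c in cands}
    return {c: s for c, s in scores.items() if s >= threshold}


def direct_matches(sid, samples, intel):
    """Intelligence records sharing at least one indicator with the sample."""
    feats = {(dim, tok) for dim in DIMENSIONS for tok in samples[sid][dim]}
    return {tid for tid, indicators in intel.items() if feats & indicators}


def associate(qid, samples, intel, index):
    """Direct: the sample itself hits an indicator. Indirect: a similar sample
    hits one. Returns Gephi edge-list rows (Source, Target, Type, Label)."""
    edges = []
    direct = direct_matches(qid, samples, intel)
    for tid in sorted(direct):
        edges.append((qid, tid, "Directed", "direct"))
    for nid, score in sorted(similar_samples(qid, samples, index).items()):
        edges.append((qid, nid, "Undirected", f"similar:{score:.2f}"))
        for tid in sorted(direct_matches(nid, samples, intel) - direct):
            edges.append((qid, tid, "Directed", f"indirect via {nid}"))
    return edges


def gephi_csv(edges):
    """Edge list in the column layout Gephi's CSV importer accepts."""
    return "Source,Target,Type,Label\n" + "".join(",".join(e) + "\n" for e in edges)


if __name__ == "__main__":
    print(gephi_csv(associate("apk_b", SAMPLES, INTEL, build_index(SAMPLES))))
```

Hash-only or network-only correlation would attach nothing to `apk_b`: its APK hash is new and it contacts no domain. The code and resource dimensions carry it to `apk_a`, and `apk_a`'s direct hit on the C2 record becomes an indirect association for `apk_b`, which is the case the abstract describes for ransomware without obvious network characteristics.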
Keywords/Search Tags:Android, threat intelligence, traceability analysis, similarity detection, sample relationship