Detecting Android Malicious Applications Based On String And Function Call Graph Features

Posted on: 2020-03-18
Degree: Master
Type: Thesis
Country: China
Candidate: Z Z Gao
Full Text: PDF
GTID: 2428330578954858
Subject: Information security

Abstract/Summary:
With the continuous development of the mobile Internet, smartphones have become an indispensable part of daily life and have brought great convenience to it. While enjoying the convenience of smart terminal applications (apps), users also face increasingly serious network security issues, including threats to personal privacy information and property security. As the current mainstream mobile operating system, Android has undoubtedly become the main target of malicious application developers. It is therefore of great practical significance to study how to effectively detect Android malicious applications (malapps).

Characterizing the behavior of Android apps is a crucial part of detecting Android malapps. Much existing static analysis work mainly extracts string features from Android apps to characterize an app's behavior, such as permissions and system Application Programming Interface (API) calls. Other work uses structural features of Android apps for malapp detection, such as the app's control flow graph and data flow graph. However, because the behavior of Android malapps is becoming more and more complex, using only one type of feature to detect malapps may cause more apps to be misclassified. Therefore, this thesis studies how two types of features, strings and function call graphs, can effectively collaborate to achieve better results than detection with a single class of features. The main research work is as follows:

(1) This thesis extracts six types of string features and two types of function call graph features to describe the static behavior of Android apps. The string features are applied permissions, hardware features, filter intents, restricted API calls, code related features and used permissions. The function call graph features are a function call graph feature based on sensitive APIs and a function call graph feature based on Dalvik instruction coding.

(2) This thesis proposes to fuse the two types of heterogeneous features for Android malapp detection. In the first method, the frequency relation matrix obtained from the function call graph feature based on sensitive APIs is transformed into vectors, and these vectors and the string features are put in the same matrix for feature fusion. In the second method, the classification prediction results of the string features and of the function call graph features based on Dalvik instruction coding are fused. The two methods make full use of the classification advantages of the two types of features to improve the accuracy of Android malapp detection.

(3) This thesis uses four machine learning algorithms, Support Vector Machine (SVM), k-Nearest Neighbor (kNN), Logistic Regression (LR) and Random Forest (RF), to evaluate the classification performance of the extracted features. The experimental results show that the optimal accuracy rate based on string features is 97.02%, and the optimal accuracy rate based on the function call graph is 91.93%. The optimal detection rate based on the ensemble of the two types of features is up to 97.79%, which is 2.16% higher than the detection rate using only string features. The optimal accuracy rate based on the ensemble of the prediction results of the two types of features is 98.63%, and the false positive rate is 0.72%. Compared with detection using only string features, the false positive rate is reduced by 0.96%. The experimental results show that detection of Android malapps based on the collaboration of string and function call graph features performs better than detection using only string features or only function call graph features.
Keywords/Search Tags:Android malicious application detection, Static analysis, Function call graph, Strings
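
The two fusion methods in item (2), sketched as an added example that is not code from the thesis. The API names, string vocabulary, sample call graph, the definition of the frequency relation matrix (caller-to-callee edge counts between sensitive APIs) and the weighted-mean decision rule are all assumptions made for illustration; the abstract does not specify them.

```python
from itertools import product

# Constructed sample vocabularies (assumptions, not taken from the thesis).
SENSITIVE_APIS = ["getDeviceId", "sendTextMessage", "openConnection"]
STRING_VOCAB = ["permission.SEND_SMS", "permission.INTERNET",
                "hardware.telephony", "intent.BOOT_COMPLETED"]

def frequency_relation_matrix(call_graph, apis=SENSITIVE_APIS):
    """Assumed definition: M[i][j] counts call edges caller -> callee between
    app methods where the caller invokes API i and the callee invokes API j."""
    index = {api: k for k, api in enumerate(apis)}
    used = {m: {c for c in callees if c in index}
            for m, callees in call_graph.items()}
    matrix = [[0] * len(apis) for _ in apis]
    for caller, callees in call_graph.items():
        for callee in callees:
            if callee in call_graph:  # edge between two app methods
                for a, b in product(used[caller], used[callee]):
                    matrix[index[a]][index[b]] += 1
    return matrix

def string_vector(app_strings, vocab=STRING_VOCAB):
    """Binary presence vector over the string-feature vocabulary."""
    return [1 if feature in app_strings else 0 for feature in vocab]

def fuse_features(app_strings, call_graph):
    """Feature-level fusion: string vector and flattened matrix in one row."""
    flat = [v for row in frequency_relation_matrix(call_graph) for v in row]
    return string_vector(app_strings) + flat

def fuse_predictions(p_string, p_graph, w_string=0.5, threshold=0.5):
    """Decision-level fusion (assumed rule): weighted mean of the two
    classifiers' malicious-class probabilities, then a threshold."""
    score = w_string * p_string + (1 - w_string) * p_graph
    return score, score >= threshold

# Constructed call graph: app method -> methods and APIs it calls.
SAMPLE_GRAPH = {
    "Lapp/Main;->onCreate": ["getDeviceId", "Lapp/Net;->upload"],
    "Lapp/Net;->upload": ["openConnection", "Lapp/Sms;->notify"],
    "Lapp/Sms;->notify": ["sendTextMessage"],
}
SAMPLE_STRINGS = {"permission.SEND_SMS", "permission.INTERNET"}

if __name__ == "__main__":
    print(fuse_features(SAMPLE_STRINGS, SAMPLE_GRAPH))
    print(fuse_predictions(0.9, 0.4))
```

Each fused row would be one sample in the matrix handed to a classifier such as SVM or RF; the decision-level function instead combines the outputs of two separately trained classifiers.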