Machine-Learning Based Research On Android Native Program's Obfuscation Analysis

Posted on: 2020-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: L N Song
GTID: 2428330590981890
Subject: Information security
Abstract/Summary:
In the field of Android app source code reinforcement and protection, obfuscation of Android Native layer code is more widely used and more difficult to analyze than obfuscation of Android Java layer code. The diversity of obfuscators and obfuscation methods available in the Android Native layer leads to difficulty and cost in security analysts' reverse analysis. Correctly identifying the obfuscator and obfuscation method from Android Native obfuscation samples can therefore not only help security analysts carry out reverse engineering work, but also facilitate the tailoring and optimization of reverse engineering tools, promote updates to obfuscation algorithms, and further enhance the effectiveness and security of those algorithms.

At present, the various machine-learning-based anti-obfuscation methods for Android apps mainly target the Java layer, which is easy to analyze. For the Android Native layer, which is more difficult to reverse and where more malicious payloads are concentrated, the related analysis and research are insufficient because of the complexity of the obfuscation transformations.

This paper takes Android Native programs as its starting point and studies obfuscation technology in the Android Native layer through reverse engineering. Drawing on some classical machine learning algorithms and considering the particularities of the Android Native layer, it proposes ANRec, a recognition method for obfuscated Android Native programs that identifies the obfuscators and obfuscation methods used in an obfuscated program. The method mainly includes the following aspects:

(1) To address the difficulty of obtaining obfuscated samples in the Android Native layer, we do not adopt the traditional approach to sample acquisition, that is, first crawling a large number of APKs and then reverse-analyzing them to determine the obfuscator and obfuscation methods. Instead, we use the Android Native layer obfuscated sample generator designed in this paper to generate different obfuscated samples directly and purposefully.

(2) To better classify and identify the obfuscators and obfuscation methods in Android Native programs, we first process the samples generated by different obfuscators and different obfuscation methods through reverse engineering, in order to understand their internal working principles and find informative features.

(3) For the classification and recognition of different obfuscators, this paper designs a graph-neural-network-based classification and recognition method for Android Native obfuscators, built on the working principles of the obfuscators studied through reverse engineering.

(4) For the classification and recognition of different obfuscation methods, a text-based feature extraction method is proposed. Term frequency–inverse document frequency (TF-IDF) features are extracted from static and dynamic disassembly files respectively, and a classical machine learning algorithm is used to train the classifier.

(5) A prototype system based on the ANRec method is implemented and evaluated through experiments. The experimental results show that the two classification models recognize Android Native layer obfuscation samples well and can, for the most part, accurately predict and identify the obfuscators and obfuscation methods used.
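The text-based feature extraction in item (4) can be illustrated as follows; this is an added example, not code from the thesis. It computes TF-IDF over opcode mnemonics of a single disassembly listing type, and a nearest-centroid cosine classifier stands in for the unspecified classical algorithm; the listings and the labels `method_A` / `method_B` are constructed placeholders.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed disassembly listings; labels method_A / method_B are placeholders.
TRAIN = [
    ("method_A", "0x10: cmp r0, #1\n0x14: beq 0x40\n0x18: cmp r0, #2\n0x1c: beq 0x60\n0x20: b 0x10"),
    ("method_A", "0x10: ldr r0, [sp]\n0x14: cmp r0, #3\n0x18: beq 0x80\n0x1c: cmp r0, #4\n0x20: b 0x10"),
    ("method_B", "0x10: eor r1, r1, r2\n0x14: mvn r3, r1\n0x18: and r3, r3, r2\n0x1c: sub r0, r0, r3"),
    ("method_B", "0x10: ldr r1, [sp]\n0x14: mvn r2, r1\n0x18: eor r2, r2, r0\n0x1c: orr r0, r2, r1"),
]

def mnemonics(listing):
    """Keep only the opcode mnemonic of each 'addr: op operands' line."""
    return re.findall(r"^\s*\w+:\s*(\w+)", listing, flags=re.M)

def fit_idf(docs):
    """Smoothed IDF, ln((1+N)/(1+df)) + 1, computed over the training documents."""
    df = Counter(tok for doc in docs for tok in set(doc))
    return {tok: math.log((1 + len(docs)) / (1 + c)) + 1 for tok, c in df.items()}

def tfidf(doc, idf):
    """L2-normalised TF-IDF vector; tokens outside the training vocabulary are dropped."""
    tf = Counter(t for t in doc if t in idf)
    vec = {t: c * idf[t] for t, c in tf.items()}
    norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
    return {t: v / norm for t, v in vec.items()}

def train(samples):
    """Return the IDF table and one summed TF-IDF vector (centroid) per label."""
    docs = [mnemonics(text) for _, text in samples]
    idf = fit_idf(docs)
    centroids = defaultdict(Counter)
    for (label, _), doc in zip(samples, docs):
        centroids[label].update(tfidf(doc, idf))
    return idf, centroids

def cosine(vec, centroid):
    norm = math.sqrt(sum(v * v for v in centroid.values())) or 1.0
    return sum(v * centroid.get(t, 0.0) for t, v in vec.items()) / norm

def classify(listing, idf, centroids):
    vec = tfidf(mnemonics(listing), idf)
    return max(centroids, key=lambda label: cosine(vec, centroids[label]))

IDF, CENTROIDS = train(TRAIN)
```
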
Keywords/Search Tags: Android app reinforcement, Android Native layer obfuscation, deobfuscation, machine learning, reverse engineering