Research Of Android Malware Detection Technology Based On Graph Kernel Method

Posted on: 2020-07-30
Degree: Master
Type: Thesis
Country: China
Candidate: F Y Chen
GTID: 2428330596995459
Subject: Computer technology
Abstract/Summary:
The rapid development of mobile Internet technology has made mobile terminals such as smartphones and wearable devices an integral part of people's work and life. Android is currently the most popular mobile operating system, occupying a dominant position in the mobile market. Driven by economic interests, many unscrupulous hackers use the open-source nature of the Android platform to develop a large number of malware variants through repackaging, code obfuscation, and malicious code embedding. Malware can attack mobile devices from different sources, seriously threatening users' personal privacy and property security. Once a mobile device is infected, the malicious program can easily collect the user's private information, such as the address book, account passwords, and call records, and send that information to an illegitimate remote server by SMS or HTTP request. Researchers have proposed many static and dynamic detection methods for current Android malware, but existing methods have certain limitations, and their accuracy in detecting unknown malware is low. Continued study of Android malware detection technology is therefore of great theoretical significance and application value.

The main research work of this paper is as follows:

1. First, we introduce the research background and significance of Android malware detection and summarize the state of research on Android malware detection methods at home and abroad. We briefly introduce the development process of Android apps and the design of the Android security architecture. We study related detection methods in light of existing malware attack techniques and summarize the limitations and shortcomings of existing methods.

2. Second, we study how to apply graph kernels to Android malware detection. We transform the Android malware detection problem into a function call graph similarity analysis problem, and then extract the context of Android sensitive API calls to improve the re-labeling process of the graph kernel function. We use the improved graph kernel to calculate the similarity between two function call graphs. Experiments against classical kernel functions such as WLK, CWLK, and NHGK were designed, and the results were analyzed in terms of detection accuracy, true positive rate, false positive rate, and false negative rate.

3. Finally, to address the computational complexity of the graph kernel algorithm and the characteristics of function call graphs, we study a graph reconstruction method based on frequent subgraph mining. Graph-based malware detection only focuses on sensitive permission APIs and contextual information, so this paper deletes nodes and edges in the function call graph that are not associated with sensitive APIs. A frequent subgraph mining algorithm is used to mine frequent and infrequent subgraphs, and subgraphs with low discrimination are removed according to their discrimination coefficients to simplify the original graph dataset. A parameter optimization experiment and related comparison experiments were designed, and the classification results were analyzed.

The innovations in this paper include the following:

1. An improved malware detection method based on graph kernels is proposed. This method extracts two characteristics, the activation event and the context factor, to form contextual information, and uses it to enrich the node labels of the function call graph, making the graph kernel method more suitable for Android malware detection. The detection accuracy of this method is 2.93% and 4.79% higher than the CWLK and WLK kernel methods, respectively.

2. An improved original graph reconstruction method based on frequent subgraph mining is proposed. The method uses the gSpan algorithm to mine the subgraph structure, and deletes low-discrimination subgraphs from the original graph set according to the subgraph discrimination coefficient, so that the function call graph is more suitable for graph kernel calculation. The experimental results show that the proposed method is 0.93% higher in classification accuracy than the graph kernel function without graph reconstruction, and higher than the two classical detection methods of Androguard and Drebin.
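To illustrate why enriching node labels with call context changes a graph kernel's similarity score, the following added example (not code from the thesis) runs a standard Weisfeiler-Lehman subtree kernel over two constructed function call graphs. The label format, the rule that only sensitive-API nodes receive context, and the sample context values are assumptions, since the abstract does not specify the thesis's exact re-labeling scheme.

```python
# Added example: WL subtree kernel over function call graphs (FCGs), comparing
# plain API labels with context-enriched labels. All sample data is constructed.
import hashlib
from collections import Counter

def wl_features(graph, labels, iterations=2):
    """graph: caller -> list of callees; labels: node -> initial label."""
    current = dict(labels)
    features = Counter(current.values())
    for _ in range(iterations):
        relabeled = {}
        for node, callees in graph.items():
            # New label = own label plus the sorted multiset of callee labels.
            signature = current[node] + "|" + ",".join(sorted(current[c] for c in callees))
            relabeled[node] = hashlib.sha256(signature.encode()).hexdigest()[:16]
        current = relabeled
        features.update(current.values())
    return features

def kernel(fa, fb):
    """Dot product of two label-count vectors."""
    return sum(count * fb[label] for label, count in fa.items())

def similarity(graph_a, labels_a, graph_b, labels_b, iterations=2):
    """Normalized kernel value in [0, 1]."""
    fa = wl_features(graph_a, labels_a, iterations)
    fb = wl_features(graph_b, labels_b, iterations)
    return kernel(fa, fb) / (kernel(fa, fa) * kernel(fb, fb)) ** 0.5

def with_context(labels, context):
    """Append (activation event, context factor) to sensitive-API node labels."""
    return {n: f"{l}#{context[n][0]}#{context[n][1]}" if n in context else l
            for n, l in labels.items()}

# Constructed sample: two apps whose FCGs have identical shape and API labels.
FCG = {"entry": ["handler"], "handler": ["send_sms"], "send_sms": []}
LABELS = {"entry": "method", "handler": "method",
          "send_sms": "SmsManager.sendTextMessage"}
# Hypothetical context values: app A sends after a UI click, app B after boot.
CTX_A = {"send_sms": ("onClick", "none")}
CTX_B = {"send_sms": ("BOOT_COMPLETED", "connectivity")}

def demo():
    plain = similarity(FCG, LABELS, FCG, LABELS)
    contextual = similarity(FCG, with_context(LABELS, CTX_A),
                            FCG, with_context(LABELS, CTX_B))
    return plain, contextual

if __name__ == "__main__":
    print("plain=%.4f contextual=%.4f" % demo())
```

With plain labels the two graphs are indistinguishable, while the context-enriched labels separate them because the differing label propagates to the callers during re-labeling.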
Keywords/Search Tags: Android malware, graph kernel, activation event, context factor, subgraph mining