Call-path-driven Detection Of Malicious Behavior In Android Applications

Posted on: 2020-12-20
Degree: Master
Type: Thesis
Country: China
Candidate: J Chen
GTID: 2428330602952284
Subject: Engineering

Abstract/Summary:
Android is currently a widely used mobile operating system. Because the Android platform is open source and has an open ecosystem, developers can freely develop any third-party application for mobile smart devices running Android. A massive number of apps provide a variety of services and functions for billions of users. However, a large amount of malware hides in Android systems, constantly stealing and manipulating sensitive private user data and leading to illegal incidents such as information disclosure or telecommunication fraud.

State-of-the-art Android malware detection approaches usually use the set of sensitive APIs as malicious features, which has the limitations of coarse granularity and low accuracy. The calling sequences and execution paths of APIs are an essential feature of all apps. Extracting the calling sequences and execution paths of the sensitive APIs as features is an intensive extension of the naive API features, and can be called "features-of-the-features". Therefore, in order to counter the increasingly serious threat of Android malware and improve the security of the Android ecosystem, this thesis focuses on the sensitive call paths of apps. Based on an analysis of the running mechanism, listeners and callback mechanism of Android applications, sensitive call paths can be extracted by performing static analysis on the apps. We then introduce machine learning algorithms to train a classifier for Android malware detection. This thesis thus proposes an Android malware detection method based on sensitive call paths, which effectively implements precise detection of suspicious Android malware.

The main contributions of this thesis are as follows:

(1) Quantify the sensitive APIs of the Android system and establish a list of sensitive targeted APIs, which contains 647 APIs. Keyword extraction technology from natural language processing is introduced to extract keywords of sensitive behavior from the Android malicious behaviors knowledge base. The list is generated by searching for and matching these keywords in the official Android development documentation.

(2) For Android malware detection, a fine-grained detection scheme is proposed. Starting from a series of sensitive targeted APIs, this scheme uses static analysis to generate the call graph, goes into the internal execution logic of methods, and generates a set of sensitive call paths ending with these target APIs. After analyzing a large number of Android app samples, we established a feature library of Android sensitive call paths, which contains 73,848 non-redundant call paths.

(3) We use supervised machine learning algorithms to train the Android malware detection classifier. The set of sensitive call paths generated from the sample software is matched against the feature library, and the corresponding feature vector is produced by one-hot encoding. Algorithms including k-nearest neighbor, naive Bayes, support vector machine and random forest are used to train the malware detection classification model, and their parameters are analyzed and adjusted according to the model evaluation index. The final Android malware detection classifier, trained with the random forest algorithm, has the best performance. Its accuracy is 98.9%, and it outperforms DroidAPIMiner by 3.97% in accuracy.
Keywords/Search Tags:Android, Malware Detection, Sensitive Call Paths, Machine Learning, Classifier
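
As an added illustration of contributions (2) and (3), not code from the thesis: the sketch below enumerates the acyclic call paths that end at a sensitive target API in a small constructed call graph, then one-hot encodes them against a constructed feature library. The graph, entry points, library contents and function names are assumptions, as is treating a callback handler as an extra entry point.

```python
# Constructed call graph: caller -> callees. Class and method names are
# illustrative; a real graph would come from static analysis of the APK.
CALL_GRAPH = {
    "MainActivity.onCreate": ["MainActivity.initUi", "Tracker.start"],
    "MainActivity.initUi": ["Button.setOnClickListener"],
    "ClickHandler.onClick": ["Uploader.send"],  # callback, never called directly
    "Tracker.start": ["Tracker.collect"],
    "Tracker.collect": ["TelephonyManager.getDeviceId", "Uploader.send",
                        "Tracker.start"],       # back edge creates a cycle
    "Uploader.send": ["SmsManager.sendTextMessage"],
}
# Assumption: lifecycle methods and listener callbacks are both entry points.
ENTRY_POINTS = ["MainActivity.onCreate", "ClickHandler.onClick"]
# Stand-in for the thesis's list of sensitive targeted APIs (two entries only).
SENSITIVE_APIS = {"TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"}

# Constructed feature library: an ordered list of known sensitive call paths.
FEATURE_LIBRARY = [
    ("MainActivity.onCreate", "Tracker.start", "Tracker.collect",
     "TelephonyManager.getDeviceId"),
    ("BootReceiver.onReceive", "SmsManager.sendTextMessage"),  # absent in this app
    ("ClickHandler.onClick", "Uploader.send", "SmsManager.sendTextMessage"),
]

def sensitive_call_paths(graph, entries, targets):
    """Return every acyclic path from an entry point that ends at a target API."""
    found = set()

    def walk(node, path):
        path = path + (node,)
        if node in targets:
            found.add(path)  # path ends at the sensitive API
            return
        for callee in graph.get(node, ()):
            if callee not in path:  # skip recursion and cycles
                walk(callee, path)

    for entry in entries:
        walk(entry, ())
    return found

def one_hot(paths, feature_library):
    """1 where the app contains the library path, 0 otherwise."""
    return [1 if lib_path in paths else 0 for lib_path in feature_library]

if __name__ == "__main__":
    app_paths = sensitive_call_paths(CALL_GRAPH, ENTRY_POINTS, SENSITIVE_APIS)
    for p in sorted(app_paths):
        print(" -> ".join(p))
    print(one_hot(app_paths, FEATURE_LIBRARY))
```

The app's third path (onCreate to sendTextMessage through the tracker) is not in the constructed library, so it contributes no feature; a vector like this is what a classifier such as a random forest would be trained on.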