
Method And Implementation Of Malware Detection Based On Static Behavior Features

Posted on: 2020-09-09
Degree: Master
Type: Thesis
Country: China
Candidate: J Niu
GTID: 2428330602952296
Subject: Engineering
Abstract/Summary:
While people benefit from the portable services brought by mobile phones, the Android software security problem is becoming more and more serious. At present, academic research on Android malware detection mainly adopts dynamic and static analysis methods. Dynamic analysis can capture the runtime state of the application, but it is time consuming and the detection cost is high. Static analysis has the advantages of not needing to run the application and of high code coverage, but it still has shortcomings, such as the need to maintain a large virus signature library manually and the inability to identify new malware effectively. Aiming at the problems of static analysis, this thesis designs an Android malware detection method based on static behavior feature modeling and implements a complete detection system based on this method. Starting from the extracted call graph, the system abstracts a probability eigenvector with higher semantics that can distinguish Android malware effectively, so the accuracy of detecting malicious Android programs is improved. The specific detection method and implementation are as follows:

1) The detection method designed in this thesis includes four stages: preprocessing, API call sequence acquisition, behavior feature modeling and behavior detection model construction. Based on the open source framework Soot, the preprocessing stage obtains the call graphs of Android applications in bulk and automatically, using decompilation and the related Soot instructions. Because the call graph contains many redundant API call chains, the API call sequence acquisition stage extracts from it the primary API call sequence, which carries temporal information and has a significantly smaller number of features. Because the primary API call sequence has a low level of semantic abstraction, which is not conducive to detecting multiple Android application versions, the behavior feature modeling stage extracts the corresponding higher-order sequence from the primary API sequence based on the package index officially published by Android; then, using the idea of state transition in the Markov chain model, the higher-order sequences are modeled to construct the probability eigenvector, which effectively represents the high-level semantics between API calls. Based on the AdaBoost boosting method combined with a CART generation and pruning strategy, the behavior detection model construction stage learns from the probability eigenvectors a classifier for detecting malicious programs.

2) Based on the above Android malware detection method, this thesis implements a system for detecting malicious Android applications. The system consists of a preprocessing module, an API call sequence acquisition module, a behavior feature modeling module and a behavior detection algorithm module. To verify the validity of the detection system, this thesis first tests the validity of each module experimentally. The results show that the new method can obtain the call graph corresponding to an APK, extract an easy-to-understand primary API call sequence, and abstract a probability eigenvector with high-level semantics. Large data sets are then tested using a proportional split and ten repetitions of 10-fold cross-validation, obtaining a lower error rate and a higher detection rate. This shows that the proposed detection system can effectively identify Android malware, adapt to changes in the Android version in real time, and make correct judgements on new Android malware.
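As an added illustration of the behavior feature modeling stage described above (example code written for this page, not the thesis's own implementation), the block below abstracts a constructed primary API call sequence to package-level states using an assumed, tiny stand-in for the official Android package index, and then builds the Markov transition-probability vector from the resulting higher-order sequence. The package list, the call sequence and the flattening order of the vector are all assumptions of this example.

```python
from collections import defaultdict
from itertools import product

# Assumed, tiny stand-in for the official Android package index the thesis uses;
# "other" absorbs anything not listed (e.g. java.net, app-private classes).
PACKAGE_STATES = ["android.telephony", "android.net", "java.io", "other"]

# Constructed primary API call sequence, in the temporal order it would be
# read off an extracted call graph (not taken from any real sample).
SAMPLE_CALLS = [
    "android.telephony.TelephonyManager.getDeviceId",
    "java.io.File.<init>",
    "java.io.FileOutputStream.write",
    "android.net.Uri.parse",
    "java.net.HttpURLConnection.connect",
]


def to_package(api: str) -> str:
    """Map one fully-qualified API call to its package state."""
    for pkg in PACKAGE_STATES[:-1]:
        if api.startswith(pkg + "."):
            return pkg
    return "other"


def higher_order_sequence(api_calls):
    """Primary API call sequence -> package-level state sequence, order preserved."""
    return [to_package(a) for a in api_calls]


def transition_vector(api_calls):
    """Markov-chain feature vector: P(next state | current state) for every ordered
    state pair, flattened in PACKAGE_STATES x PACKAGE_STATES order. A state with no
    outgoing transition (e.g. the final one) gets an all-zero row."""
    seq = higher_order_sequence(api_calls)
    pair_counts, outgoing = defaultdict(int), defaultdict(int)
    for cur, nxt in zip(seq, seq[1:]):
        pair_counts[(cur, nxt)] += 1
        outgoing[cur] += 1
    return [pair_counts[(cur, nxt)] / outgoing[cur] if outgoing[cur] else 0.0
            for cur, nxt in product(PACKAGE_STATES, repeat=2)]


def feature_index(cur: str, nxt: str) -> int:
    """Position of the (cur -> nxt) transition probability in the flattened vector."""
    n = len(PACKAGE_STATES)
    return PACKAGE_STATES.index(cur) * n + PACKAGE_STATES.index(nxt)


if __name__ == "__main__":
    vec = transition_vector(SAMPLE_CALLS)
    for cur, nxt in product(PACKAGE_STATES, repeat=2):
        if vec[feature_index(cur, nxt)]:
            print(f"P({nxt} | {cur}) = {vec[feature_index(cur, nxt)]:.2f}")
```

The 16-element vector is what the classifier stage would consume; the same API sequence from a different Android version maps to the same package states, which is the point of the higher-order abstraction.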
Keywords/Search Tags: Android malicious detection, static behavior analysis, probability model, feature extraction, machine learning