
Research On Android Malware Detection Technology Based On Behavior Analysis

Posted on: 2021-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Yu
GTID: 2428330611967575
Subject: Computer technology

Abstract/Summary:
With the rapid development of information technology, mobile devices such as smartphones, tablets and Internet of Things terminals have penetrated all aspects of life. Among mobile operating systems, Android, the most popular, holds a huge market share, and its open-source nature and portability attract users and developers. At the same time, the Android platform has many security problems, such as high openness, lack of unified management, high user freedom and networking, which make it vulnerable to malicious software such as viruses and Trojan horses. Such software poses a serious threat to the user's privacy, digital property, equipment and file integrity. Among malicious behaviors, consuming large amounts of traffic, causing tariff loss, stealing sensitive data and interfering with the normal interaction between the user and the device are especially serious and common. How to detect malware and stop malicious behavior, and how to strengthen the security and protection of sensitive data on the terminal, has become an important security issue in the field of mobile communication.

The main research work of this paper includes:

(1) This paper introduces the research background and significance of Android malware detection, analyzes the current use of smartphone operating systems and the development trend of Android malware, and summarizes the research status of malware detection on the Android platform at home and abroad.

(2) This paper studies the behavior characteristics of Android malware at run time, classifies currently popular malware according to the malicious behaviors it implements, analyzes the behaviors of malicious applications in each category in combination with features of newer Android versions, such as runtime permissions in the permission mechanism, and studies the intrusion modes.

(3) Aiming at the problems of common dynamic detection techniques, which modify the kernel, rewrite system calls or rewrite API call functions, this paper studies behavior analysis based on the system calls and data flow generated while software runs. It uses an automated test framework to simulate click events and trigger malicious behavior, collects the generated data flow and system call details, and analyzes the experimental results in terms of detection accuracy and false alarm rate.

(4) This paper analyzes the security problems and challenges that malicious software poses to common storage methods (such as database storage and file storage), studies the storage security of the current Android platform, and studies encryption technology for Android terminals to address the problem of malicious software attacking the terminal to obtain sensitive information.

The innovations of this paper include:

(1) This paper proposes a malicious behavior analysis method based on system calls and data traffic. apktool is used to analyze the AndroidManifest.xml file in the installation package to obtain the declared permissions and all Activity information. The Monkey Runner tool is used to write Activity test scripts and automate the testing of software functions, which triggers malicious behavior more comprehensively. During the test, the strace tool is used to collect the details of system calls made while the software runs, a behavior vector is constructed from them, and the vector is input into a KNN detection model for classification. As a supplement, for malicious software disguised as normal software, the data flow is analyzed a second time in combination with the permissions the software requests, and the experimental results are analyzed. A classification accuracy of 95.5% was obtained without modifying the system kernel or API calls.

(2) This paper proposes an Android key management technology that combines multi-cloud storage and secret sharing. Unlike traditional Android encryption technology, it does not store sensitive information such as keys, user fingerprints or pattern passwords on the mobile device, but instead stores secret shares in the cloud. In the multi-cloud environment, data from KB level to MB level are tested. Compared with related research results of recent years, it increases the difficulty for attackers to obtain the key by reverse engineering and resists collusion attacks between cloud client and cloud server, and the time cost is not high.
Keywords/Search Tags:Android, Malware, Behavioral analysis, Data security, Key management
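
As an illustration of the strace-to-KNN pipeline described in the abstract (an added example, not code from the thesis), the sketch below parses strace output into a normalized syscall-frequency behavior vector and classifies it by k-nearest-neighbour vote. The syscall feature list, k=3, Euclidean distance, the helper make_trace, and all traces and labels are assumptions constructed for the example; the abstract does not specify them.

```python
import math
import re
from collections import Counter

# Assumed feature set; the abstract does not list the syscalls it tracks.
SYSCALLS = ["openat", "read", "write", "connect", "sendto", "recvfrom", "ioctl", "execve"]
# Optional "[pid N]" or bare-pid prefix (strace -f), then "name(".
CALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")

def behavior_vector(strace_text):
    """Turn raw strace output into a normalized syscall-frequency vector."""
    counts = Counter()
    for line in strace_text.splitlines():
        # Signal, exit and "<... x resumed>" lines do not match: one count per call.
        m = CALL_RE.match(line.strip())
        if m and m.group(1) in SYSCALLS:
            counts[m.group(1)] += 1
    total = sum(counts.values())
    return [counts[s] / total if total else 0.0 for s in SYSCALLS]

def knn_classify(vector, training, k=3):
    """Majority vote among the k nearest labelled vectors (Euclidean distance)."""
    nearest = sorted(training, key=lambda item: math.dist(vector, item[0]))[:k]
    return Counter(label for _, label in nearest).most_common(1)[0][0]

def make_trace(**calls):
    """Constructed data: render name=count pairs as strace-style lines."""
    return "\n".join(f"[pid  4242] {n}(...) = 0" for n, c in calls.items() for _ in range(c))

# Constructed training set; real vectors would come from labelled app runs.
TRAINING = [(behavior_vector(make_trace(**c)), label) for c, label in [
    (dict(openat=10, read=40, write=30, ioctl=20), "benign"),
    (dict(openat=15, read=35, write=25, ioctl=20, connect=1, sendto=2, recvfrom=2), "benign"),
    (dict(read=50, write=30, ioctl=20), "benign"),
    (dict(openat=20, read=20, connect=10, sendto=40, recvfrom=5, execve=5), "malicious"),
    (dict(openat=25, read=25, write=5, connect=5, sendto=35, execve=5), "malicious"),
    (dict(openat=15, read=15, connect=10, sendto=50, recvfrom=10), "malicious"),
]]

# Constructed capture containing the line kinds that strace -f emits.
SAMPLE = """\
[pid  4242] openat(AT_FDCWD, "/data/data/com.example.app/files/cache.db", O_RDONLY) = 31
[pid  4242] read(31, "..."..., 4096) = 4096
[pid  4242] connect(45, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
[pid  4243] read(31,  <unfinished ...>
[pid  4242] sendto(45, "..."..., 4096, 0, NULL, 0) = 4096
[pid  4243] <... read resumed>"..."..., 4096) = 512
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED} ---
[pid  4242] sendto(45, "..."..., 1024, 0, NULL, 0) = 1024
"""
```

Calling knn_classify(behavior_vector(SAMPLE), TRAINING) labels the constructed capture; on a device the input would be the strace log collected while the automated test script drives the app.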