
Malware Detection And Behavior Analysis For Android

Posted on: 2021-03-17
Degree: Master
Type: Thesis
Country: China
Candidate: X H Shi
GTID: 2428330629950930
Subject: Cyberspace security law enforcement technology

Abstract/Summary:
Because the Android system is unusually open, it is easy for people to modify and build on, but it is also vulnerable to malicious software. Developers can directly steal users' personal privacy, change key settings of the system, or indirectly spread illegal and sensitive information through malicious software. These malicious behaviors not only inconvenience users in practice, but also pose a great threat to the security of the Android ecosystem. Behavior-based malware recognition achieves good detection results by fitting the specific characteristics of malicious behavior and combining them with the most popular dynamic and static methods, and it has gradually attracted the attention of researchers at home and abroad. However, it also has disadvantages: current research does not systematically classify Android software according to specific behaviors, and targeted detection methods for different malicious behaviors are lacking, which makes it difficult to deal with the ever-changing variants of malware. Accordingly, this thesis reclassifies malware from the perspective of behavior and designs detection methods for the different behavior characteristics, so as to improve the accuracy of malware detection. The main work of this thesis is as follows:

(1) First, this thesis proposes a gcForest-based malware detection model for three common malicious behaviors: information theft, malicious withholding and system destruction. By learning from three static characteristics of benign and malicious software, the model can accurately identify and classify the three kinds of malicious behavior. Experiments verify that the proposed model fits the detection requirements of general malicious behavior better than the two classification algorithms of random forest and deep learning. In addition to achieving a higher F value of 0.859 for behavior detection, it also reduces the complexity of parameter regulation and the algorithm redundancy caused by large training samples.

(2) Second, because the pushing of harmful content is a concealed behavior, this thesis proposes a TF-Bloom detection model to identify and filter the interface text generated while the software is running. Appium software and an internal monitoring method were used to dynamically extract the interface and push contents during the operation of the software, and the text was then classified by the TF-Bloom model. Experimental results show that the TF-Bloom model is superior to AC automata and Logistic regression in terms of detection effect and time complexity.

(3) Finally, this thesis proposes a C-ADB (Confidence-AndroidDebugBridge) detection mechanism for the continuous variability of resource overconsumption behavior. The mechanism calls adb shell according to the user's input parameters to monitor the resource consumption data generated by the software over a period of time. To increase the reliability of the detection results, the mechanism also introduces a trust evaluation index that iteratively calculates the trust of the software over multiple periods, and then judges whether the software exhibits the malicious behavior. Testing shows that the C-ADB mechanism can effectively monitor the resource consumption of software and dynamically adjust its evaluation of the software according to different levels of trust.
Keywords/Search Tags:Malware behavior, Dynamic and static detection method, Privacy theft, Malicious push, Resource overconsumption