
Research On Android Malware Detection Based On Two-layer Model

Posted on: 2021-11-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Tang
GTID: 2518306107983719
Subject: Engineering

Abstract/Summary:
With the rapid development of communication technology, smartphones are becoming more and more important in human life. The Android system has become a mainstream mobile operating system due to its high degree of openness, and its market share reached 87% in 2019. However, with the popularity of the Android system, more and more attackers have targeted Android applications. Therefore, it is urgent to study efficient Android malicious code detection methods to cope with Android malware.

Existing Android malicious code detection methods can be divided into three types: static analysis, dynamic analysis and hybrid analysis. Static analysis methods often use permissions and API calls as features, which has the advantage of short detection time. However, current static analysis methods cannot work well on detecting malicious code that uses anti-detection methods, e.g., hiding malicious behavior through dynamic loading. Dynamic analysis methods often use system calls as features, which can effectively solve the problems caused by anti-detection technology. However, dynamic analysis requires manual or behavior-triggering tools to run the application, which leads to problems of incomplete triggering and long detection time. The hybrid analysis method combines the above two methods, effectively integrating the advantages of static analysis and dynamic analysis, but the system has high complexity and requires even more detection time than dynamic analysis.

In order to quickly and accurately detect Android malware, under the idea of divide and conquer, a two-layer-model Android malicious code detection system based on static analysis methods is proposed in this thesis. The first layer identifies simple Android applications as benign or malicious, and identifies complex Android applications as unknown, which are fed to the second layer. The second-layer model targets anti-detection technologies such as dynamic code loading mechanisms to further detect the complex Android applications that cannot be recognized by the first-layer program. Based on the analysis of the Android system architecture, Android components and Android security mechanisms, research on Android malicious code detection has been conducted. The main contents of this thesis are as follows:

(1) As the first layer of the detection system, in order to quickly and accurately classify Android applications, an improved permission-based Android malicious code detection model is proposed. With the proposed feature selection method, feature vectors are constructed by mining important features from all permissions, and a classifier is trained on these feature vectors. This detection model achieves fast detection speed and high accuracy for the applications it determines to be benign or malicious.

(2) As the second layer of the detection system, aiming at the low detection accuracy for malware that uses anti-detection technology, the permission complement is proposed to characterize the behavior of malicious code hidden in external executable files. Combined with ensemble learning, a novel Android malware detection method based on API calls and the permission complement is proposed, which achieves high detection accuracy on the complex Android apps identified as unknown by the first layer.

(3) Based on the idea of divide and conquer, a combination strategy is designed to integrate the two models proposed above, and a detection system based on the two-layer model is constructed. The first layer implements fast classification, and the second layer solves the problem of the low detection rate of complex Android malicious code. The detection system significantly reduces the average detection time while ensuring high detection accuracy.

(4) Experiments are conducted to verify the performance of the proposed detection models, i.e., the permission-based Android malicious code detection model, the detection model based on API calls and the permission complement, and the two-layer Android malicious code detection system. Two datasets are constructed for testing. Dataset D1 consists of 6000 benign applications and 6000 malicious applications collected from an Android application market and a security company. Dataset D2 is composed of 3000 complex benign and malicious applications. The experimental results show that the detection system based on the two-layer model achieves a high detection accuracy of more than 90% and a low average detection time of less than 7.13 s on datasets D1 and D2, which is a significant improvement over similar methods.
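The cascade described above, as an added illustration written for this page (not the thesis's own code): layer one scores declared permissions with a smoothed log-odds model and abstains on uncertain apps, which then go to a three-scorer majority vote over API calls and an assumed definition of the permission complement (declared permissions that no API call in the packaged code needs, so only externally loaded code could be using them). The API-to-permission map, the training apps and the abstention band are all constructed.

```python
import math
from collections import Counter, namedtuple
App = namedtuple("App", "perms apis")  # declared permissions, API calls found in packaged code
# Constructed API-method -> permission map (a tiny subset, not the thesis's mapping).
PERM_OF = {"connect": "INTERNET", "getActiveNetworkInfo": "ACCESS_NETWORK_STATE",
           "open": "CAMERA", "requestLocationUpdates": "ACCESS_FINE_LOCATION",
           "sendTextMessage": "SEND_SMS", "query": "READ_CONTACTS", "getDeviceId": "READ_PHONE_STATE"}

def train_scorer(feature_sets, labels, alpha=1.0):  # Laplace-smoothed per-feature log-odds
    mal = [s for s, y in zip(feature_sets, labels) if y]
    ben = [s for s, y in zip(feature_sets, labels) if not y]
    cm, cb = (Counter(f for s in group for f in s) for group in (mal, ben))
    return {f: math.log((cm[f] + alpha) / (len(mal) + 2 * alpha))
             - math.log((cb[f] + alpha) / (len(ben) + 2 * alpha))
            for f in set(cm) | set(cb)}

def score(weights, features):
    return sum(weights.get(f, 0.0) for f in features)

def complement(app):
    # Assumed "permission complement": declared permissions no packaged API call needs.
    used = {PERM_OF[a] for a in app.apis if a in PERM_OF}
    return {"complement:" + p for p in app.perms - used}

def views(app):  # layer-2 feature views for the ensemble: API calls, complement, both
    return [app.apis, complement(app), app.apis | complement(app)]

class TwoLayerDetector:
    def __init__(self, apps, labels, band=1.0):
        self.band = band  # layer 1 abstains ("unknown") when |score| < band
        self.l1 = train_scorer([a.perms for a in apps], labels)
        self.l2 = [train_scorer([views(a)[i] for a in apps], labels) for i in range(3)]

    def classify(self, app):  # returns (verdict, deciding layer)
        s = score(self.l1, app.perms)
        if abs(s) >= self.band:
            return ("malicious" if s > 0 else "benign"), 1
        votes = sum(score(w, v) > 0 for w, v in zip(self.l2, views(app)))
        return ("malicious" if votes >= 2 else "benign"), 2

# Constructed training apps (1 = malicious); the last declares SMS/contacts permissions but only loads a DEX.
TRAIN = [(App({"INTERNET", "ACCESS_NETWORK_STATE"}, {"connect", "getActiveNetworkInfo"}), 0),
         (App({"INTERNET", "CAMERA"}, {"open", "connect"}), 0),
         (App({"INTERNET", "ACCESS_FINE_LOCATION"}, {"requestLocationUpdates", "connect"}), 0),
         (App({"INTERNET"}, {"loadClass", "connect"}), 0),
         (App({"INTERNET", "SEND_SMS", "READ_CONTACTS"}, {"sendTextMessage", "query", "connect"}), 1),
         (App({"INTERNET", "SEND_SMS"}, {"sendTextMessage", "connect"}), 1),
         (App({"INTERNET", "READ_PHONE_STATE", "SEND_SMS"}, {"getDeviceId", "sendTextMessage", "connect"}), 1),
         (App({"INTERNET", "SEND_SMS", "READ_CONTACTS"}, {"loadClass"}), 1)]
DETECTOR = TwoLayerDetector([a for a, _ in TRAIN], [y for _, y in TRAIN])
```

An app whose packaged code only calls a class loader while declaring READ_PHONE_STATE lands in the layer-1 band and is decided at layer 2 by the complement view, whereas a plugin-style benign app with an empty complement is passed as benign.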
Keywords/Search Tags: Android application, Two-layer model, Machine learning, Static analysis, Dynamic code loading