
Design And Implementation Of System Call Based Android Mobile Software Abnormal Behavior Detection System

Posted on: 2021-03-06
Degree: Master
Type: Thesis
Country: China
Candidate: W Q Xie
Full Text: PDF
GTID: 2518306308477404
Subject: Cyberspace security
Abstract/Summary:
As the number and variety of malicious software grow, traditional static detection methods suffer from reliance on a single feature type, susceptibility to obfuscation, and a high failure rate. They struggle to detect unknown malware and to meet users' needs for software security protection. Dynamic detection based on abnormal behavior can effectively avoid these problems and has become a focus of the anomaly detection field. This paper designs three algorithm models for detecting abnormal system call behavior in Android mobile malware. They are: the multi-state system call language model SYSLM, which is responsible for detecting and extracting abnormal behavior sequences in real time; the neural network model with multi-dimensional time distribution, TGM, which is responsible for detecting overall abnormal behavior within a time window; and the sense-based abnormal behavior detection model, SBL, which relies on the abnormal sequences provided by SYSLM and is responsible for real-time behavior sequence inference. An abnormal behavior detection system based on system calls is implemented with these three models as its core. The main innovations of this paper are: likening the system call sequence to a communication language between the application and the kernel, proposing the multi-semantic return state of system calls, and designing the multi-dimensional time-distribution feature matrix and the system call sensitivity algorithm. Finally, the paper uses an open Android data set and the ADFA-LD data set to test and verify the effectiveness of the system. On the ARM architecture test set, the AUC value is 0.83, which is 0.07 higher than that of KNN and RF. On the x86 architecture test set, an AUC value of 0.93 was achieved, and the ability to detect unknown attack types was validated, reaching 78% in the specificity assessment on the unknown exception set, 12% higher than the traditional LM.
Keywords/Search Tags: System call, Sensitivity, Abnormal Behavior, Behavioral Language