Research And Implementation Of Android Malicious Code Exploration Based On Runtime Feature

Posted on: 2022-04-15
Degree: Master
Type: Thesis
Country: China
Candidate: S H Wang
Full Text: PDF
GTID: 2518306332967469
Subject: Cyberspace security

Abstract/Summary:
In recent years, the rapid development of the mobile Internet has brought many conveniences to people's lives, but at the same time various malicious applications and viruses have emerged one after another, causing great harm to the mobile Internet community. Malware continues to evolve as it contends with detection technology, which poses severe challenges to existing security detection. Malicious developers keep code forms diverse by modifying the malicious source code, evading detection methods based on specific code characteristics. At the same time, the emergence of one-click malicious code generators has led to a sharp increase in the number of malicious software types and variants, increasing the cost of detection.

In addition, the deficiencies of the various malware detection methods also affect the security detection of malicious mobile applications. Most existing malware detection technologies rely on supervised learning and construct classifiers from labeled data. This type of method has a high sample-labeling cost, and its ability to detect unknown malicious behaviors is weak. The existing detection methods also have poor interpretability: they only perform preliminary screening and determination of malicious applications, and cannot provide security personnel with a specific basis for judgment or more detailed information at the code level.

To address the shortcomings of current detection methods, we design and implement an Android malicious code exploration method based on runtime features. The method uses dynamic analysis to detect and locate malicious code under the triggering conditions of the malicious behavior. It can effectively detect malicious behavior while providing more code details, which can serve as an important basis for malicious application research and family classification. The main achievements are as follows:

1. This research designs and implements an automated testing method for malicious applications based on a deep reinforcement learning model, to solve the problem that the malicious behavior of samples cannot be effectively triggered during dynamic testing. The method collects UI control information, API call information, permissions, and broadcast information during application runtime as the environment state of the Deep Deterministic Policy Gradient (DDPG) algorithm. The reinforcement learning model generates optimal interactive actions by observing environmental changes and reward value feedback, so that automated testing tools can trigger malicious behaviors in applications more efficiently.

2. This research designs an application dynamic information collection method that uses dynamic binary instrumentation to obtain API trigger function parameters, function call stack information, UI interface information, activity stack information, etc. Compared with traditional static binary instrumentation, this method can monitor the application at runtime while preserving the original logic integrity of the tested program. Compared with other dynamic instrumentation methods (such as Xposed, Cydia, etc.), it is more flexible. Because test environments differ, different versions of the API need to be adjusted; this research facilitates API adaptation and function expansion.

3. This research summarizes two types of malicious application behaviors, passive trigger and active trigger, and constructs detection models according to their characteristics. For passive trigger behaviors, we implement machine learning models to learn and determine the relationship between interactive actions and triggered behaviors, so as to accurately identify this type of malicious behavior. For active trigger behaviors, we construct a multivariate time series according to characteristics of malicious behaviors such as cyclic triggering and random triggering, and effectively detect them by adding heuristic detection rules.

4. This paper implements an Android malicious code exploration method based on dynamic features. Experiments show that the method can effectively trigger and detect malicious behaviors in applications, localize the corresponding malicious code segments based on runtime information, and obtain a complete malicious code call path. Compared with traditional detection methods, this research can effectively provide a basis for fine-grained malicious application judgments in security analysis.
Keywords/Search Tags: malicious behavior detection, malicious code localization, android automated testing, deep learning