Fine-grained Android Malware Detection And Behavior Classification

Posted on: 2021-06-07 | Degree: Master | Type: Thesis
Country: China | Candidate: Y C Xu | Full Text: PDF
GTID: 2518306512487534 | Subject: Computer technology
Abstract/Summary:
With the rapid spread of the Android system, malicious Android applications have become a serious threat in people's daily lives. In recent years, researchers have proposed many methods and tools to detect and defend against malicious Android applications, but most of them focus on coarse-grained detection and do not identify the specific category of malicious behavior in a detailed and accurate way. By studying the static resources extracted from malware, this thesis classifies malware according to its malicious behaviors and introduces a malware behavior classification system called Androi MD. Androi MD extracts and optimizes known features of Android malicious behaviors and uses a two-layer classification model for detection. It also studies how to detect malicious Android applications in an adversarial environment, so as to better identify them. The specific work of this thesis is as follows:

1. A single Android static feature is easily obfuscated, and a single classifier can generalize poorly or skew the training results depending on how well it was selected. To address this, the thesis proposes a fine-grained classification method for malicious applications based on dynamic ensemble learning. The method first extracts and optimizes multiple types of static features by combining a variety of static analysis methods, to obtain features that fully reflect the behavior of Android applications. On this basis, the thesis proposes a learning algorithm based on dynamic ensembling in a two-layer classification model: it starts with a coarse-grained classification into malicious and benign, followed by a dynamic selection of classifier combinations for fine-grained classification of the specific malicious behaviors of Android malware. The advantages of the ensemble learning algorithm are applied not only to the detection of malicious behaviors; they are also used to dynamically select the most appropriate classifier combination based on the complementarity of different classification algorithms, which improves the classification accuracy of the whole model. The thesis analyzed 3000 benign Android apps from Google Play and 24,553 malicious Android apps belonging to 73 malware families. According to their malicious descriptions, they were divided into 10 categories of malicious behaviors. The experimental results show that the accuracy of the malicious application detection method and the classification algorithm can reach 93.87% and 96.11%, respectively.

2. An adversary can alter and obfuscate the features of malicious software to deceive classifiers and evade detection. To address this, the thesis proposes a robust detection method for the adversarial environment. It first constructs a modified Android application to simulate targeted adversarial attacks that mislead classifiers and reduce detection accuracy, and then designs a robust defense method. The accuracy of the malicious application detection method applied in an adversarial environment can reach 93.24%.

3. A prototype system called Androi MD is designed to meet the goals of this thesis. The system decompiles Android applications to extract and characterize their static features, and then uses the two-layer classification model to perform coarse-grained and fine-grained detection. It can also generate adversarial samples and defend against them in the adversarial environment.
Keywords/Search Tags: Android malicious detection, malicious behavior classification, integrated learning, antagonistic learning