
Malware Detection Method Based On Feature Combination And Accessibility Feature Of API

Posted on: 2022-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Jin
GTID: 2518306518470464
Subject: Computer application technology
Abstract/Summary:
Many researchers have proposed machine learning to deal with Android malware detection. However, as time goes on and malware changes, an old classification model lacks features suitable for modern samples. Developers must re-extract basic features from modern samples to train a malware classification model. To ensure the accuracy of the model, most current methods need to extract a large number of features in a greedy fashion. However, given the complexity and changes of malware, extracting features takes much time. To address this problem, this paper proposes extracting features based on malicious behavior, collecting essential features in groups according to malicious behavior to reduce the time consumed. Since repeated features are extracted across different malicious behaviors, these repeated features play different roles and carry different importance in each behavior. Therefore, this paper adopts GBDT to generate feature combinations according to malicious behaviors. The malware samples in this paper are from 2013, 2017 and 2018, collected from VirusShare and grouped by year. Half of each year's dataset is used to extract malicious behavior features. The other half and 1021 benign applications are used to train the malware detection model. Experimental results show that this method can significantly reduce the time of feature extraction while maintaining accuracy.

To further improve accuracy, some researchers have gradually begun to discuss features about data streams. Most of them consider whether important application interfaces in malware are triggered by UI-related interfaces or by some sensitive data streams, but do not consider the association between application interfaces. Feature combination based on GBDT has difficulty measuring whether features are related to each other through data flow. Therefore, Android malware detection based on the accessibility feature of API is proposed. This method determines connectivity between APIs by intersection and defines the accessibility between close APIs. By paying attention to the differences between malicious behaviors, this paper extracts accessibility features between repeated features and unique features of malicious behaviors, which effectively makes the feature set contain edge information. Experiments are carried out on 1151 malicious programs and 1021 benign programs. Experimental results show that the accessibility feature of API improves the recall rate and accuracy of the model, and is more important than other features in the experiment.
Keywords/Search Tags: malware detection, machine learning, modern samples, malicious behavior, feature combination, accessibility feature