
Research On Android Malware Detection Algorithm Based On Static Feature

Posted on: 2022-08-07
Degree: Master
Type: Thesis
Country: China
Candidate: M H Cai
Full Text: PDF
GTID: 2518306572981959
Subject: Information and Communication Engineering
Abstract/Summary:
As an open source mobile operating system based on the Linux kernel, Android has rich application markets and its market share exceeds 70%. However, its open source nature and high popularity also make it the target of 97% of malware. The proliferation of Android malware has brought threats such as tariff consumption, privacy leakage, and remote control to a large group of Android users. Research on Android malware detection is conducive to the sound development of the Android device ecosystem and is of great significance to mobile security.

According to the research object, Android malware detection research can be divided into two categories: malware classification and malware family classification. The main task of the former is to identify whether Android software has security problems and to avoid the resulting threats to users; the latter, building on the former, assigns malware to its corresponding family, which can reduce the workload of security researchers and accelerate malware analysis and research. According to the research method, the research can be divided into two categories: static analysis and dynamic analysis. Static analysis is based on static features constructed by reverse engineering, while dynamic analysis is based on the logs generated by running Android software. The static analysis method does not need to run the software, and it has a fast detection speed and low cost. Therefore, it has been widely used.

At present, the key to most machine learning based Android malware detection methods is the construction and selection of features. In fact, given discriminative features, various classifiers can achieve good detection results. Therefore, aiming at the classification of malware and malware families, this thesis focuses on the extraction algorithm for static features and designs the corresponding detection methods. The research content and main contributions of this thesis are briefly described as follows:

(1) The shortcomings of existing static feature based Android malware detection methods have been studied and summarized in this thesis. On one hand, detection methods based on basic features (e.g., permissions) tend to have low accuracy and a high false alarm rate. On the other hand, overly complex features require feature engineering based on personal security development experience, which has certain limitations. Up to now, no static feature extraction algorithm has been shown to be effective for malware classification and malware family classification without requiring much expert experience.

(2) To handle the above problems, a static feature extraction algorithm that combines the features of the bytecode image and the function call graph with adaptive compact bilinear fusion has been proposed in this thesis. The algorithm is divided into the following four steps: Android APK file preprocessing, feature extraction of the bytecode image, feature extraction of the function call graph, and feature fusion. In the feature extraction stage of the bytecode image, to extract multi-scale texture features from the scaled bytecode image, EfficientNet is improved by replacing its adaptive pooling layer with a spatial pyramid pooling layer. In the feature extraction stage of the function call graph, this thesis proposes using the Word2vec algorithm to assign each function node a dense feature vector with semantic information, for the purpose of effectively extracting the structure and semantic features from function call graphs. In the feature fusion stage, the features of the bytecode image and the function call graph are fused so that the two features complement each other. Different weights that can be learned and optimized are set for these two features, which enables the fusion feature extraction algorithm to automatically optimize the weights during training when facing different detection tasks, and improves the detection accuracy.

(3) Extensive experiments on three representative datasets have been conducted in this thesis to verify the effectiveness and advantages of the proposed feature extraction algorithm. The classification accuracy on the public FalDroid malware family classification dataset, the self-built DADR malware classification dataset, and the five-category dataset composed of some samples of CICMalDroid2020 reached 96.2197%, 91.1075% and 95.7333% respectively. Comparative experiments show that, compared with the bytecode image feature, the function call graph feature, and the traditional basic feature (e.g., permission), the proposed fusion feature can effectively improve the accuracy of malware detection. Moreover, the proposed adaptive compact bilinear fusion is more effective than traditional concatenate fusion. Finally, fusing the bytecode image feature and the function call graph feature is better than fusing the basic feature (e.g., permission) and the function call graph feature.
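The bytecode-image step and the reason for spatial pyramid pooling can be shown on raw bytes. This is an added illustration, not code from the thesis: the image width of 16, the pyramid levels (1, 2, 4), and pooling the pixel grid directly instead of a CNN feature map are assumptions, and the sample byte strings are constructed.

```python
# Constructed sample inputs (not real APK content): the DEX magic followed by filler bytes.
SAMPLE_A = b"dex\n035\x00" + bytes(range(40))                          # 48 bytes
SAMPLE_B = b"dex\n035\x00" + bytes((i * 7) % 256 for i in range(195))  # 203 bytes

def bytes_to_image(data, width=16):
    """Lay raw bytes out row by row as a grayscale image (one byte = one pixel)."""
    if not data:
        raise ValueError("empty input")
    rows = -(-len(data) // width)                     # ceiling division
    padded = data + bytes(rows * width - len(data))   # zero-pad the last row
    return [list(padded[r * width:(r + 1) * width]) for r in range(rows)]

def spp_max(image, levels=(1, 2, 4)):
    """Spatial pyramid max pooling over a 2-D grid.

    For each level n the grid is split into n x n bins and the maximum of each
    bin is kept, so the output always has sum(n * n) values whatever the
    height and width of the input.
    """
    h, w = len(image), len(image[0])
    pooled = []
    for n in levels:
        for i in range(n):
            r0, r1 = (i * h) // n, -(-(i + 1) * h // n)   # floor start, ceil end
            for j in range(n):
                c0, c1 = (j * w) // n, -(-(j + 1) * w // n)
                pooled.append(max(image[r][c]
                                  for r in range(r0, r1)
                                  for c in range(c0, c1)))
    return pooled

def features(data, width=16, levels=(1, 2, 4)):
    """Fixed-length texture vector for a byte string of any length."""
    return spp_max(bytes_to_image(data, width), levels)

if __name__ == "__main__":
    for name, blob in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        img = bytes_to_image(blob)
        print(name, f"{len(img)}x{len(img[0])}", "->", len(features(blob)), "values")
```

Both samples yield 21 values although their images are 3 and 13 rows tall, which is the property that lets a pyramid pooling layer feed variable-sized bytecode images into a fixed-size classifier head.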
Keywords/Search Tags: Android Malware, Bytecode Image, Function Call Graph, Graph Convolutional Network, Feature Fusion