Mobile devices are very popular in today's society and have gradually been integrated into our daily life. Mobile device users can download desired apps not only from official app stores, but also from third-party channels. Apps can provide users with various services, such as location tracking, money management, and more. While mobile devices bring convenience to users, there is also a certain degree of risk. As users rely more and more on mobile devices, more and more sensitive information is stored on the devices, and this sensitive information and the huge user base also attract more and more malicious program developers. They continuously release malicious programs to the application market and third-party channels for money or to damage the system environment, which threatens users' data security and privacy, so detection technology for malicious programs also attracts attention. Static malware analysis methods mainly extract, process and analyze the static features of the application, such as permission features and opcode features. Therefore, static analysis depends on the utilization of effective features. Dynamic malicious program analysis methods mainly extract the dynamic behavior characteristics of applications, but they are easily limited by low code coverage and cannot trigger all malicious behaviors of programs. Programs use more and more obfuscation techniques, especially obfuscation based on the modification of instruction logic, which increases the difficulty of malicious program detection. In view of the above problems, this thesis improved a malicious program de-obfuscation method that combines dynamic and static analysis, and uses a deep learning model to detect and classify malicious programs. The main research work includes the following parts:

(1) In view of the variety of obfuscation techniques for malicious programs at present, most existing obfuscation analysis methods only address obfuscation techniques that do not modify the logic of bytecode instructions. This thesis improved a target execution and context-dependent deobfuscation method that combines the advantages of static analysis technology and dynamic analysis technology. First, the analysis target points are concentrated at code positions that have the characteristics of instruction logic modification, and the application is executed dynamically. To locate the target positions, the static analysis method is used before dynamic execution, combined with the idea of context approximation, to search for the potential behavior of the application and extract the code paths of this behavior logic; paths are then selected and executed to achieve accurate target behavior analysis. The dynamic and static analysis process is iterated continuously, finally generating a complete API call graph. Experiments show that the method improved in this thesis can extract the hidden behavior features of malicious programs.

(2) Current malicious programs use obfuscation technology to hide their malicious behavior, which leads to low utilization of effective features in static detection methods and reduces the detection effect. To address this problem, this thesis optimized an anti-obfuscation deep learning malicious program detection method. The method mainly deals with the API call characteristics of the application, and combines the de-obfuscation technology with the static detection method based on the attention mechanism. On the one hand, the method uses the static detection method based on the attention mechanism to enhance the feature learning ability of the model and ensure the efficiency of batch detection of applications; effective feature utilization. Through verification, the use of the deobfuscation method can improve the accuracy of malicious program detection.