
Research On Android Malware Detection Method Based On Heterogeneous Information Network

Posted on: 2022-12-06
Degree: Master
Type: Thesis
Country: China
Candidate: H B Zhang
Full Text: PDF
GTID: 2518306764976749
Subject: Computer Software and Application of Computer

Abstract/Summary:
Android's share of the mobile operating system market has reached 84%. In the meantime, it has also become a breeding ground for malicious software, which seriously threatens users' data privacy and property security. To counter these threats, researchers have come up with a number of machine-learning-based methods for detecting Android malware. These methods tend to consider only the adjacency between Android Application Packages (APKs) and features, and ignore the semantic information between features. To fully mine the rich structural and semantic information between entities, malware detection methods based on heterogeneous information networks have emerged in recent years. However, such schemes usually build the heterogeneous network model from APKs and only one kind of feature. A single feature type is not only easy for specific types of malware to bypass, but also causes information redundancy, because the internal relationships of one entity are used excessively.

To address these problems, this thesis proposes an Android heterogeneous information network model containing three entity types, uses the Metapath2vec algorithm to embed the heterogeneous network based on multiple meta-paths, and finally feeds the APK embedding vectors into a multi-kernel learning model for detection and classification. Experimental verification shows that this scheme achieves an accuracy of 98.05% when detecting five types of Android software samples, which is 0.9% higher than the best comparison scheme. It can even achieve a 100% recall rate on SMS malware with obvious behavioral characteristics.

The innovations of this thesis are summarized as follows:

1. In order to fully explore the relationships between entities, this thesis constructs an Android heterogeneous network model that includes the mapping relationship between APIs and permissions and the relationship between permissions in the same group. A single feature type is easy for specific types of malware to bypass. Considering that APIs are the interface between applications and devices, and that permissions are used to regulate the behavior of applications, this thesis uses these two features to characterize the behavior of Android software from different perspectives, while incorporating the APK as an entity type for building the heterogeneous network. In addition, in order to make reasonable use of the semantic information among a small number of entities, this thesis maps three entity types and five relationship types to the heterogeneous network model, of which the mapping relationship between APIs and permissions and the same-group relationship between permissions are applied to an Android heterogeneous network for the first time.

2. In order to group all permissions of the Android system, this thesis puts forward a new idea: dividing them into different groups according to the description of the purpose of each permission in the Android source files. To reduce the complexity of the heterogeneous information network and improve the efficiency of malware detection, the APIs have to be screened, while the integrity of the API-to-permission mapping also has to be preserved. This thesis uses the TF-IWF algorithm to calculate the importance of each API in each category of samples and uses it as the API's weight, and then retains the same number of highest-weighted APIs from each category of samples. These APIs are the smallest set that satisfies the mapping relationship.
Keywords/Search Tags:Android, Malware Detection, Heterogeneous Information Network, Metapath, Metapath2vec
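
The meta-path-guided random walk that Metapath2vec uses to produce its training sequences, shown on a tiny network with the three entity types named in the abstract. This is an added example, not code from the thesis; the node names, the edges, the permission grouping and the two meta-paths (APK-API-APK and APK-API-Permission-Permission-API-APK) are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

# Constructed toy network (not data from the thesis); ids are "<type>:<name>".
EDGES = [
    ("apk:a1", "api:send_sms"),                      # APK calls API
    ("apk:a2", "api:read_sms"),
    ("apk:a3", "api:get_device_id"),
    ("api:send_sms", "perm:SEND_SMS"),               # API-to-permission mapping
    ("api:read_sms", "perm:READ_SMS"),
    ("api:get_device_id", "perm:READ_PHONE_STATE"),
    ("perm:SEND_SMS", "perm:READ_SMS"),              # same group (assumed grouping)
]

def build_adjacency(edges):
    """Undirected adjacency, bucketed by neighbour type for typed lookups."""
    adj = defaultdict(lambda: defaultdict(list))
    for u, v in edges:
        adj[u][v.split(":")[0]].append(v)
        adj[v][u.split(":")[0]].append(u)
    return adj

def metapath_walk(adj, start, metapath, length, rng):
    """Walk from `start`, moving only to neighbours whose type is the next one
    in `metapath` (repeated cyclically). Stops early at a dead end."""
    assert start.split(":")[0] == metapath[0] == metapath[-1]
    walk, cycle = [start], metapath[:-1]  # last type equals first, so it cycles
    while len(walk) < length:
        wanted = cycle[len(walk) % len(cycle)]
        candidates = adj[walk[-1]][wanted]
        if not candidates:
            break
        walk.append(rng.choice(candidates))
    return walk

def corpus(adj, metapaths, walks_per_node=2, length=11, seed=0):
    """One node sequence per walk; a skip-gram model would train on these."""
    rng = random.Random(seed)
    apks = sorted(n for n in adj if n.startswith("apk:"))
    return [metapath_walk(adj, a, mp, length, rng)
            for mp in metapaths for a in apks for _ in range(walks_per_node)]

if __name__ == "__main__":
    adj = build_adjacency(EDGES)
    long_mp = ["apk", "api", "perm", "perm", "api", "apk"]
    for walk in corpus(adj, [["apk", "api", "apk"], long_mp]):
        print(" -> ".join(walk))
```

On this toy network a1 and a2 share no API, so APK-API-APK walks never place them in the same sequence; only the meta-path that crosses the same-group permission edge does.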