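App-market-level security vetting needs to be both accurate and scalable. However, current vetting mechanisms are usually inefficient and struggle to cope with new threats. Our study found that malware authors repackage several legitimate apps to spread the same piece of malicious code across different apps. As a result, the malicious code typically appears as the extra code in several apps of the same origin and as the common code among apps of different origins. Based on this finding, we developed a large-scale app vetting system, MassVet. It can quickly detect malicious code without knowing its code signatures or behavioral features. Whereas existing detection mechanisms usually rely on complex program analysis, our method only needs to compare a submitted app with the apps already on the market, focusing on the differing code among apps that share the same view structure and on the common parts among unrelated apps. Once public libraries and legitimately reused code fragments are removed, these common or differing code portions become highly suspicious. We map an app's view structure or a function's control-flow graph to a value and perform DiffCom analysis on that basis. We designed a pipeline-based analysis engine and carried out a large-scale analysis of 1.2 million apps from 33 app markets. Experiments show that our method can vet an app within 10 seconds with a low false-positive rate. In addition, in detection coverage MassVet outperformed the 54 scanners in VirusTotal (including NOD32, Symantec and McAfee), finding nearly 100,000 malicious apps, of which more than 20 are zero-day malware with over a million downloads. These apps also reveal many interesting phenomena, such as the ongoing contest between Google's vetting strategy and malware authors' evasion strategies, which leads to some apps removed from Google Play reappearing.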

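With the development of the mobile Internet, malicious code targeting the Android platform has grown sharply. Existing Android malicious-code analysis methods mostly focus on feature-based detection, lack a unified and systematic analysis approach, and rarely study malware classification. In view of this, the concept of the malware gene is proposed, analyzing malicious code through fragments that carry functional information. Based on the characteristics of Android software, software genes are extracted separately from the code segment and the resource segment, with the code-segment genes formalized on the basis of use-def chains. In addition, a detection framework and a classification framework based on malware genes are proposed; the genes are learned with a support vector machine, yielding high detection and classification accuracy, with a detection recall of 98.37%, which verifies the role of malware genes in homology analysis.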

The domination of the Android operating system in the market share of smart terminals has engendered increasing threats of malicious applications (apps). Research on Android malware detection has received considerable attention in academia and the industry. In particular, studies on malware families have been beneficial to malware detection and behavior analysis. However, identifying the characteristics of malware families and the features that can describe a particular family have been less frequently discussed in existing work. In this paper, we are motivated to explore the key features that can classify and describe the behaviors of Android malware families to enable fingerprinting the malware families with these features. We present a framework for signature-based key feature construction. In addition, we propose a frequency-based feature elimination algorithm to select the key features. Finally, we construct the fingerprints of ten malware families, including twenty key features in three categories. Results of extensive experiments using Support Vector Machine demonstrate that the malware family classification achieves an accuracy of 92% to 99%. The typical behaviors of malware families are analyzed based on the selected key features. The results demonstrate the feasibility and effectiveness of the presented algorithm and fingerprinting method.

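In the face of constantly emerging Android malicious apps, much research has used graph neural networks to analyze code graphs and achieved accurate and efficient malicious-app detection, but because it does not give the specific location of the malicious code within an app, it offers little help for subsequent manual review. Explainability techniques provide a flexible solution to this problem and have shown good prospects on detection models built on different types of neural networks and code feature representations. This study focuses on graph-neural-network-based Android malicious-code detection models and uses explainability techniques to locate Android malicious code accurately: (1) A sensitive-subgraph extraction method based on sensitive APIs and multi-relational graph features is proposed. Based on the correlation of three kinds of features (sensitive APIs, control-flow logic and function call structure) with the distribution of malicious-code subgraphs, it characterizes malicious code in detail and reduces the size of the code graph that the explainability technique must examine. (2) An explainability-based localization method that takes sensitive subgraphs as input is proposed. Using a perturbation-based explainability technique, it scores the maliciousness of code-graph edges without changing the structure of the detection model, providing explanation and localization for various graph-neural-network-based Android malicious-code detectors. (3) Experiments are designed to verify how well sensitive-subgraph extraction characterizes malicious-code features and how well localization based on sensitive-subgraph extraction performs. The results show that the proposed sensitive-subgraph extraction method is more precise than MsDroid's fixed-subgraph-radius method and provides high-quality input for explainability techniques; the localization method improved on this basis, compared with the general-purpose explainer GNNExplainer and the MsDroid localization method, raises the average malicious-code localization accuracy by 8.8% and 2.7% respectively while maintaining applicability and efficiency.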

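Research on Android Malware Characteristics   Total citations: 2, self-citations: 0, citations by others: 2
The widespread use of smartphones has led to a rapid increase in mobile malware. In recent years in particular, phones running the Android operating system have dominated the smartphone market, and the amount of malware targeting Android has grown quickly. Mobile malware mainly collects private information such as the user's geographic location, voice communications and text messages, or carries out malicious billing, consumes system resources and so on, causing great harm to users and to the phone system. Accurately analyzing malware behavior characteristics provides a solid basis for subsequent removal of the malware. Traditional malware analysis techniques mainly comprise static analysis and dynamic analysis. This paper introduces some existing mobile malware analysis and detection techniques and their shortcomings, and analyzes in detail the main behavioral characteristics of known Android malware from three aspects: installation, activation and malicious payload.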

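Traditional machine learning algorithms cannot effectively select the essential behavioral features from massive numbers of behavioral features to detect unknown Android malicious apps. To solve this problem, DBNSel, an Android malicious-app detection method based on a deep belief network model, is proposed. To implement the method, five different classes of attributes are first extracted from Android apps by static analysis. Next, a deep belief network model is built to select and learn from the extracted attributes. Finally, the learned attributes are used to detect Android malicious apps of unknown type. In the experiments, a dataset of 3,986 benign Android apps and 3,986 malicious Android apps is used to validate DBNSel. The results show that DBNSel's detection results are better than those of several existing detection methods, reaching a detection accuracy of 99.4%. Moreover, DBNSel has low runtime overhead and can be adapted to larger-scale, real-world Android malicious-app detection.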

Spotting malicious samples in the wild has always been difficult, and Android malware is no exception. Actually, the fact Android applications are (usually) not directly accessible from market places hardens the task even more. For instance, Google enforces its own communication protocol to browse and download applications from its market. Thus, an efficient market crawler must reverse and implement this protocol, issue appropriate search requests and take necessary steps so as not to be banned. From end-users' side, having difficulties spotting malicious mobile applications results in most Android malware remaining unnoticed up to 3 months before a security researcher finally stumbles on it. To reduce this window of opportunity, this paper presents a heuristics engine that statically pre-processes and prioritizes samples. The engine uses 39 different flags of different nature such as Java API calls, presence of embedded executables, code size, URLs… Each flag is assigned a different weight, based on statistics we computed from the techniques mobile malware authors most commonly use in their code. The engine outputs a risk score which highlights samples which are the most likely to be malicious. The engine has been tested over a set of clean applications and malicious ones. The results show a strong difference in the average risk score for both sets and in its distribution, proving its use to spot malware.

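Effective means of identifying Android malicious apps at the distribution stage are currently lacking. To address this, an Android malicious-behavior detection method based on automated testing and dynamic analysis is proposed. Automated testing is used to trigger the behaviors of an Android app, while a virtual sandbox is built to monitor those behaviors. A combined-event behavior-triggering model, DroidRunner, is designed, which improves the code coverage of Android apps, the trigger rate of malicious behaviors and the detection rate of Android malicious apps. In actual deployment testing, the method achieved a high detection rate for unknown malicious apps and can help users discover and analyze unknown malicious apps.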

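To address the shortcomings of traditional malware detection methods, this work studies detection methods that apply data mining and machine learning algorithms to unknown malware. Current machine learning approaches that use a single feature cannot fully exploit their data-processing capability, and their detection performance is poor. This paper combines a speech-recognition model with the random forest algorithm and, for the first time, proposes building N-gram models uniformly over multiple classes of APK file features and applying the random forest algorithm to detect unknown malware. First, three classes of features that reflect Android malware behavior are extracted in several ways: sensitive permissions, DVM function call sequences and OpCodes features. Then an N-gram model is built for each class of feature, and each model can independently judge malicious behavior. Finally, the three feature models are fed together into the random forest algorithm for learning, so as to detect Android programs. An Android malware detection system was implemented on this basis and used to test 811 benign programs and 826 malicious programs, with high accuracy. Taking all evaluation metrics together and compared with other related work, the experimental results show that the system performs better in malware detection accuracy and effectiveness.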

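In recent years the Android platform has been attacked frequently by hackers. As Android malicious apps increase, problems such as information leakage and financial loss have become more serious. This work first tests the differences between malicious and benign apps in two classes of resource features, images and UI elements, and proposes MalAssassin, an Android malicious-app detection method that incorporates resource features. The method statically analyzes the APK and extracts 68 features in 8 classes, including the permission, component, API, command, hard-coded IP address and signing certificate features extracted in other research, combined with the two newly identified classes of resource features, images and UI elements. These features are mapped into a vector space and used to train a detection model that judges whether an app is malicious. In tests on 53,422 benign apps and 5,671 malicious apps, MalAssassin reached 99.1% precision and recall. The introduction of resource features also gives MalAssassin good adaptability across different datasets.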

Android supports seamless user experience by maintaining activities from different applications (apps) in the same activity stack. Although such close inter-app communication is essential in the Android framework, the powerful inter-app communication contains vulnerabilities that can inject malicious activities into a victim app's activity stack to hijack user interaction flows. In this article, we demonstrate activity injection attacks with a simple malware, and formally specify the activity activation mechanism using operational semantics. Based on the operational semantics, we develop a static analysis tool, which analyzes Android apps to detect activity injection attacks. Our tool is fast enough to analyze real-world Android apps in 6 seconds on average, and our experiments found that 1761 apps out of 129,756 real-world Android apps inject their activities into other apps' tasks. Moreover, we propose a defense mechanism, dubbed signature-based activity access control (SAAC), which completely prohibits activity injection attacks. The defense mechanism is general enough to keep the current Android multitasking features intact, and it is simple enough to be independent of the complex activity activation semantics, which does not increase activity activation time noticeably. With the extension of the formal semantics for SAAC, we prove that SAAC correctly mitigates activity injection attacks without any false alarms.

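Android's existing malicious-code detection mechanisms mainly target bytecode-layer code, which means that malicious code embedded in the native layer cannot be detected; recent research shows that 86% of popular Android apps contain native-layer code. To solve this problem, this paper proposes a native-layer-based Android malicious-code detection mechanism that converts smali code and so files into assembly code, generates and optimizes control-flow graphs, compares them against a malware library using subgraph isomorphism, computes a similarity value and compares it with a given threshold to decide whether the app under test contains malicious code. Experimental results show that, compared with other methods, this method can detect native-layer malicious code and has high accuracy and detection rate.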


With the recognition of free apps, Android has become the most widely used smartphone operating system these days and it naturally invited cyber-criminals to build malware-infected apps that can steal vital information from these devices. The most critical problem is to detect malware-infected apps and keep them out of Google Play store. The vulnerability lies in the underlying permission model of Android apps. Consequently, it has become the responsibility of the app developers to precisely specify the permissions which are going to be demanded by the apps during their installation and execution time. In this study, we examine the permission-induced risk which begins by giving unnecessary permissions to these Android apps. The experimental work done in this research paper includes the development of an effective malware detection system which helps to determine and investigate the detective influence of numerous well-known and broadly used set of features for malware detection. To select best features from our collected features data set we implement ten distinct feature selection approaches. Further, we developed the malware detection model by utilizing LSSVM (Least Square Support Vector Machine) learning approach connected through three distinct kernel functions i.e., linear, radial basis and polynomial. Experiments were performed by using 2,00,000 distinct Android apps. Empirical result reveals that the model built by utilizing LSSVM with RBF (i.e., radial basis kernel function) named as FSdroid is able to detect 98.8% of malware when compared to distinct anti-virus scanners and also achieved 3% higher detection rate when compared to different frameworks or approaches proposed in the literature.


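Android Malicious App Detection Based on a Multi-level Signature Matching Algorithm*   Total citations: 1, self-citations: 0, citations by others: 1
To address the proliferation of Android malicious apps, a multi-level signature matching algorithm based on a malicious-app sample library is proposed for detecting Android malicious apps. Based on the MD5 hash algorithm and the smali files produced by decompilation, API signatures, Method signatures, Class signatures and APK signatures are generated. Using the generated signature information, the signatures common to each class of malicious behavior are extracted from the corresponding malicious-app sample library. By matching the Class signatures of the app under test against the signatures of the known malicious-app sample library, apps that contain a match with a malicious signature are flagged as suspicious, and their malicious code is traced back and located to determine whether they contain malicious behavior. In testing, suspicious apps were successfully found and the malicious code located, demonstrating the effectiveness of the system.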

Users leverage mobile devices for their daily Internet needs by running various mobile applications (apps) such as social networking, e-mailing, news-reading, and video/audio streaming. Mobile devices have become major targets for malicious apps due to their heavy network activity and is a research challenge in the current era. The majority of the research reported in the literature is focused on host-based systems rather than the network-based; unable to detect malicious activities occurring on mobile device through the Internet. This paper presents a detection app model for classification of apps. We investigate the accuracy of various machine learning models, in the context of known and unknown apps, benign and normal apps, with or without encrypted message-based app, and operating system version independence of classification. The best resulted machine learning (ML)-based model is embedded into the detection app for efficient and effective detection. We collect a dataset of network activities of 18 different malware families-based apps and 14 genuine apps and use it to develop ML-based detectors. We show that, it is possible to detect malicious app using network traces with the traditional ML techniques, and results revealed the accuracy (95–99.9 %) in detection of apps in different scenarios. The model proposed is proved efficient and suitable for mobile devices. Due to the widespread penetration of Android OS into the market, it has become the main target for the attackers. Hence, the proposed system is deployed on Android environment.

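A detector generated by a single algorithm lacks generality, and its performance is unstable when identifying Android software from different populations. To address this, an Android malware detection method based on a model library is proposed. A Python program performs crawling and permission extraction to obtain the apps' permission information; SMO is used to classify apps by their permission information into data for different populations; the apps' population information is fed into the model library to obtain malicious-detection results, and, based on the results, the model library is ...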

This paper addresses the problem of detecting plagiarized mobile apps. Plagiarism is the practice of building mobile apps by reusing code from other apps without the consent of the corresponding app developers. Recent studies on third-party app markets have suggested that plagiarized apps are an important vehicle for malware delivery on mobile phones. Malware authors repackage official versions of apps with malicious functionality, and distribute them for free via these third-party app markets. An effective technique to detect app plagiarism can therefore help identify malicious apps. Code plagiarism has long been a problem and a number of code similarity detectors have been developed over the years to detect plagiarism. In this paper we show that obfuscation techniques can be used to easily defeat similarity detectors that rely solely on statically scanning the code of an app. We propose a dynamic technique to detect plagiarized apps that works by observing the interaction of an app with the underlying mobile platform via its API invocations. We propose API birthmarks to characterize unique app behaviors, and develop a robust plagiarism detection tool using API birthmarks.

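Owing to the openness of the Android system, malware poses a threat to Android device users by carrying out various malicious behaviors. Most existing work studies only coarse-grained malicious-app detection and does not categorize the specific behaviors of malicious apps; to address this, a fine-grained malicious-behavior classification method based on static behavioral features is proposed. The method extracts multi-dimensional behavioral features, including API calls, permissions, intents and inter-package dependencies, performs feature optimization, and then uses random forest to classify malicious behaviors. Experiments were conducted on 24,553 malicious Android app samples from multiple app markets belonging to 73 malware families; the results show that fine-grained malicious-app classification accuracy reaches 95.88%, with overall performance better than the other methods compared.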

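Luo Shiqi, Tian Shengwei, Yu Long, Yu Jiong, Sun Hua. Journal of Computer Applications (《计算机应用》), 2018, 38(4): 1058-1063
To further improve the accuracy and degree of automation of malicious-code identification, a deep-learning-based Android malicious-code analysis and detection method is proposed. First, a malicious-code texture fingerprint is proposed to capture the content similarity of blocks of malicious-code binary files, and a 33-class malicious-code activity vector space is selected to reflect the potential dynamic activity of malicious code. Second, to ensure improved classification accuracy, these features are fused to train an autoencoder (AE) and a Softmax classifier. In tests on different data samples, the stacked autoencoder (SAE) model achieved an average classification accuracy of 94.9% on Android malicious code, 1.1 percentage points higher than the support vector machine (SVM). The experimental results show that the proposed method can effectively improve malicious-code identification accuracy.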

The web services used on desktop can be accessed through a smartphone due to the development of smart devices. As the usage of smartphones increases, the importance of personal information security inside the smartphone is emphasized. The openness features of Android platform make a lot easier to develop an application and also deploying malicious codes into application is an easy task for hackers. The security practices are also growing rapidly as the number of malicious code increases exponentially. According to these circumstances, new methods for detecting and protecting the behavior of leaked personal information are needed to manage the personal information within a smartphone. In this paper, we study the permission access category in order to detect the malicious code, which discloses the personal information on Android environment such as equipment and location information, address book and messages, and solve the problem related to Resource access of Random Access Control method in conventional Android file system to detect the new malware or malicious code via the context ontology reasoning of permission access and API resource information which the personal information are leaked through. Then we propose an inference-based access control model, which can be enabled to access the proactive security. There is more improvement accuracy than existing malicious detecting techniques and effectiveness of access control model is verified through the proposal of inference-based access control model.
