一种Android恶意行为检测算法

提出一种新的Android恶意行为检测算法,该算法使用系统调用序列和控制流序列表征Android应用程序的行为,通过分析已知恶意软件样本库,训练出一个恶意软件特征基和阈值,再计算Android应用程序与特征基的相似度,根据阈值判断目标是否为恶意软件.根据该算法,开发了一个Android恶意软件检测系统SCADect,并在华为U8860真机上对3 000个测试样本进行分类,准确率达到96.8%;针对包含混淆和加密操作的8簇237个恶意样本,该系统的检出率达到89%,明显优于工具Androguard.实验结果表明,SCADect能够抵抗混淆和加密攻击,提高恶意软件检测的准确率和降低误报率.

Algorithm to detect Android malicious behaviors

The paper presents a novel Android malware behavioral detection algorithm. The algorithm characterizes Android applications’ behaviors by system call sequences and control flow sequences, trains a malware feature base and a threshold by analyzing known malware samples. Then, we calculate the similarities between the feature base and Android applications, and detect malware by comparing the similarities with the threshold. Finally, an Android malware detection system named SCADect is developed according to the algorithm. The detection accuracy of detecting 3000 samples is up to 96.8％, and the detection rate of classifying 8-cluster obfuscated malware including 237 samples can reach 89％, obviously better than the tool Androguard. The results show that the SCADect is able to resist obfuscated and cryptographic attacks, improves the detection accuracy and reduces the false negative rate.