
Malware detection approach based on non-user operating sequence

Cite as: LUO Wenshuang, CAO Tianjie. Malware detection approach based on non-user operating sequence [J]. Journal of Computer Applications (计算机应用), 2018, 38(1): 56-60.
Authors: LUO Wenshuang, CAO Tianjie
Affiliation: School of Computer Science and Technology, China University of Mining and Technology, Xuzhou, Jiangsu 221116, China
Funding: Supported by the National Natural Science Foundation of China (61303263).
Abstract: Given the continued rapid growth of Android malware and the limited ability of existing tools to detect it, a static detection method based on non-user operation sequences is proposed. First, the Application Programming Interface (API) call information of each malware sample is extracted by reverse-engineering analysis. Second, the sample's function-call graph is built with a breadth-first traversal algorithm; the non-user operation sequences are then extracted from that graph to form a malicious behavior database. Finally, a sample under test is identified as malware or not by computing, with the edit distance algorithm, the similarity between its non-user operation sequences and those in the malicious behavior database. On 360 malicious samples and 300 normal samples, the proposed method reaches a recall of 90.8% and an accuracy of 90.3%. Compared with the Android malware detection system Androguard, its recall on malicious samples is 30 percentage points higher; compared with FlowDroid, its precision on normal samples is 11 percentage points higher and its recall on malicious samples is 4.4 percentage points higher. The experimental results show that the proposed method raises the recall of malware detection and improves its overall effectiveness.
Keywords: Android; malware; static detection; function-call graph; Application Programming Interface (API) call
Received: 2017-07-25
Revised: 2017-08-01
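As an added illustration (not code from the paper or its authors), the pipeline sketched in the abstract on a constructed toy call graph: a breadth-first walk collects the API calls reachable from an entry point while skipping callbacks assumed to be user-triggered (the onClick/onTouch/onKey name test is this example's assumption, not the paper's criterion), and the resulting sequence is scored against a small constructed malicious-behaviour library with normalised edit distance. The graph, the library entries and the 0.8 threshold are all invented for the example.

```python
from collections import deque
# Callback-name prefixes treated as user-triggered (assumption made for this example only).
USER_CALLBACKS = ("onClick", "onTouch", "onKey")
# Constructed toy call graph: caller -> callees (app methods and framework APIs).
GRAPH = {
    "onCreate": ["init", "onClick"],
    "init": ["getDeviceId", "collect"],
    "collect": ["getLine1Number", "sendTextMessage"],
    "onClick": ["showDialog"],
}
API_NAMES = {"getDeviceId", "getLine1Number", "sendTextMessage", "showDialog"}
# Constructed malicious-behaviour library: name -> non-user operation sequence.
LIBRARY = {
    "sms_exfil": ["getDeviceId", "getLine1Number", "sendTextMessage"],
    "net_leak": ["getDeviceId", "query", "openConnection"],
}

def bfs_api_sequence(graph, entry, api_names=API_NAMES):
    """Breadth-first walk from entry; ordered API calls reached without entering a user callback."""
    seen, order, queue = {entry}, [], deque([entry])
    while queue:
        node = queue.popleft()
        if node in api_names:
            order.append(node)
        for callee in graph.get(node, []):
            if callee in seen or callee.startswith(USER_CALLBACKS):
                continue
            seen.add(callee)
            queue.append(callee)
    return order

def edit_distance(a, b):
    """Levenshtein distance between two token sequences, one DP row at a time."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def similarity(a, b):
    """Normalised similarity in [0, 1]; 1.0 means identical sequences."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - edit_distance(a, b) / longest

def classify(sample, library=LIBRARY, threshold=0.8):
    """Return (is_malicious, best_score, matched_entry) for a sample's API sequence."""
    score, name = max((similarity(sample, seq), name) for name, seq in library.items())
    return score >= threshold, score, name
```

Run `classify(bfs_api_sequence(GRAPH, "onCreate"))` to see the toy sample matched to the `sms_exfil` entry; a sequence such as `["getLine1Number", "showDialog"]` scores well below the threshold.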