An Android Malicious Code Detection Method Based on Native  Code Features

Abstract

Abstract: In the face of the rapid growing number of Android malicious code, in order to effectively and accurately detect malicious code, a malicious code detection method based on Android native code features is proposed. The Dalvik bytecode and SO file are converted into ARM assembly code and the control flow graph of each function is generated. The pattern is used to annotate the control flow graph. The subgraph isomorphism and pattern matching are used to calculate the similarity of the control flow graph set. The comparison between the similarity and a threshold determines whether the application to be detected contains malicious code. The code coverage of the method is higher than the traditional static detection method. Finally, the above method is validated by experiments to show this method is feasible and the accuracy and detection rate of the method is better than the static detection tool Androguard.

Key words: Android, malicious code, Android runtime, control flow graph, subgraph-isomorphism

摘要： 由于移动互联网的快速发展，Android系统已经成为市场占有率最高的移动操作系统，Android系统的开源特性使其成为恶意软件的主要攻击目标.面对高速增长的恶意软件，为了有效和准确地检测恶意代码，提出一种基于Android本地代码特征的恶意代码检测方法，该方法的代码覆盖率比传统的静态检测方法高.将Dalvik字节码和SO文件转换为汇编代码，并生成各个函数的控制流图，通过定义的模式对控制流图进行注释，利用子图同构和模式匹配计算控制流图集合的相似度，并与设定阈值比较，以判定待检测的应用是否包含恶意代码.通过实验验证该方法可行，并且该方法的准确率和检测率比静态检测工具Androguard更优.

关键词: 安卓, 恶意代码, 安卓运行时, 控制流图, 子图同构

何平胡勇. 一种基于本地代码特征的Android恶意代码检测方法[J]. 信息安全研究, 2018, 4(6): 511-517.

References

[1] 李寅, 范明钰, 王光卫. 基于反编译的Android平台恶意代码静态分析[J]. 计算机系统应用, 2012, 21(11):187-189 [2] 李挺, 董航, 袁春阳,等. 基于Dalvik指令的Android恶意代码特征描述及验证[J]. 计算机研究与发展, 2014, 51(7):1458-1466 [3] Kang B, Kang B J, Kim J, et al. Android malware classification method:Dalvik bytecode frequency analysis[C]// Research in Adaptive and Convergent Systems. 2013:349-350 [4] Chen T, Yang Y, Bo C. Maldetect:An Android malware detection system based on abstraction of Dalvik instructions[J]. Journal of Computer Research & Development, 2016, 53(10):2299-2306 [5] 李自清. 基于函数调用图的Android恶意代码检测方法研究[J]. 计算机测量与控制, 2017, 25(10):198-201 [6] Sun M, Tan G. NativeGuard:protecting android applications from third-party native libraries[C]// Proc of the 2014 ACM Conf on Security and Privacy in Wireless & Mobile Networks.New York:ACM, 2014:165-176 [7] 陈新. 基于程序控制流图源代码相似程度分析系统[J]. 计算机系统应用, 2013, 22(3):144-147 [8] 吕博然, 吴军华. 基于路径序列相似度判别的程序克隆检测方法[J].计算机工程与应用, 2018,54(2):55-61 [9] Garey M R, Johnson D S. Computers and Intractability: A Guide to the Theory of NP-Completeness[M]. New York:W H Freeman and Company, 1983. 208-209 [10] Ullmann J R. An algorithm for subgraph isomorphism[J]. Journal of the ACM, 1976, 23(1):31-42 [11] Cordella L P, Foggia P, Sansone C, et al. A (sub)graph isomorphism algorithm for matching large graphs[J]. IEEE Trans on Pattern Analysis & Machine Intelligence, 2004, 26(10):1367-1372 [12] Arp D, Spreitzenbarth M, Hübner M, et al. DREBIN: Effective and explainable detection of Android malware in your pocket[C]// Network and Distributed System Security Symp. 2014

[1]	. Research on Android Application Privacy Security [J]. Journal of Information Security Research, 2021, 7(3): 287-292.
[2]	. Obfuscated Android Malware Detection Based on Random Forest [J]. Journal of Information Security Research, 2021, 7(2): 126-135.
[3]	. Design and Implementation of Threat Level Decision Rules for Android Applications [J]. Journal of Information Security Research, 2021, 7(1): 27-36.
[4]	. Research on Technologies of Windows Malware Detecting Based on Abnormal Behavior in KVM Environment [J]. Journal of Information Security Research, 2020, 6(6): 0-0.
[5]	. Design of Protocol Monitoring System Based on Cloud Computing and Deep Learning [J]. Journal of Information Security Research, 2020, 6(12): 1127-1132.
[6]	. Android Malware Detection Algorithm Based on CNN and Naive Bayesian Method [J]. Journal of Information Security Research, 2019, 5(6): 470-476.
[7]	. A Taxonomy of Android Application Vulnerabilities Based on Layered Structure of Application [J]. Journal of Information Security Research, 2018, 4(9): 792-798.
[8]	. Android Malware Detection Method Based on Convolutional Neural Network [J]. Journal of Information Security Research, 2018, 4(8): 715-721.
[9]	. A Static Tagging Method of Malicious Code Family Based on Multi-Feature [J]. Journal of Information Security Research, 2018, 4(4): 322-328.
[10]	. An Image and Video Protection Scheme Based on Android Kernel Extension [J]. Journal of Information Security Research, 2018, 4(4): 342-351.
[11]	. Method on the Detection of Second-Order Vulnerability for PHP Applications [J]. Journal of Information Security Research, 2018, 4(4): 380-386.
[12]	. Android Malware Detection and Analysisof Malware Behavior Base on Semi-supervised Learning [J]. Journal of Information Security Research, 2018, 4(3): 242-250.
[13]	. Android malicious application detection system based on multidimensional feature [J]. Journal of Information Security Research, 2018, 4(2): 133-139.
[14]	. Design and Implementation of Android Malware Detection System Based on Deep Learning [J]. Journal of Information Security Research, 2018, 4(2): 140-144.
[15]	. Detection Method of Android Malware by Using Permission [J]. Journal of Information Security Research, 2017, 3(9): 817-822.

An Android Malicious Code Detection Method Based on Native Code Features

一种基于本地代码特征的Android恶意代码检测方法

PDF

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 15

Recommended Articles

Metrics