Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

wu fan,lu jixiang,cao wenjing

DOI: https://doi.org/10.3969/j.issn.1000-1220.2018.01.030

2018-01-01

Abstract:Nowadays,there are so many malicious programs. Each of detection technology generate a lot of behavioral information. In recent years,scholars began to use data mining technology to detect malicious programs. But there are some deficiencies,such as: For one thing,the classifier needs to deal with a wide variety of data and For another thing,the same algorithm could not give full use to detect the different characteristics of malicious applications. According to the above limitations,this paper proposed hybrid algorithm based on multi features. Firstly,it uses the dynamic-static combination technology to collect the function call and system call feature.Then it uses the chi square statistical to process the huge characteristic data. Finally,it uses 49 families of 1100 malicious programs and1000 normal procedures for the experimental detection. The results show that the performance of the method is better than other related work at the time of execution efficiency and detection rate.

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Jinxin Liu,Hao Wu,Huabin Wang

DOI: https://doi.org/10.1049/ic.2014.0154

2014-01-01

Abstract:In recent years, the Android operating system for mobile terminals has developed very quickly. A variety of mobile devices which are using Android operating system are more than 60% in the domestic market share. With the number of Android application raising fast, a variety of information leakage, malicious chargeback, failure of operating system events occurred frequently; the safety of Android system also attracts wide attention of researchers. In this paper, combining static analysis and dynamic analysis, we present a malicious code detection method and implementation. Through the statistics of the sensitive API functions and tracking the flow of sensitive information, static analysis module uses the static analysis reverse technology to achieve the detection of malicious behaviors. And dynamic analysis module mainly uses system log analysis and records a variety of sensitive behaviors generated during the operation to discover intrusions. Furthermore, the ultimate combination of static analysis and dynamic analysis will determine whether the target software contains malicious codes.

Yingbo Li,Jing Fang,Cheng Liu,Mengrong Liu,ShaoHua Wu

DOI: https://doi.org/10.1109/iceiec.2015.7284546

2015-01-01

Abstract:With the increasing popularization of smart phones in life, malicious software targeting smart phones is emerging in an endless stream. As the phone system possessing the highest current market share, Android is facing a full-scale security challenge. This article focuses on analyzing the application of Dalvik injection technique in the detection of Android malware. Modify the system API (Application Program Interface) through Dalvik injection technique can detect the programs on an Android phone directly. Through the list of sensitive API called by malicious programs, eventually judge the target program as malicious or not.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

WEN Wei-ping,MEI Rui,NING Ge,WANG Liang-liang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.08.011

2014-01-01

Abstract:For the Android platform security problem, a mobile client and server collaborative malware detection pro-posal was proposed, where mobile client application was mainly based on permission detection technology and imple-mented lightweight testing. The server-side detection system is mainly responsible for testing suspicious samples submit-ted by the mobile terminals, meanwhile implements the functions of software behavior analysis, signature library updates, and mobile client synchronization, etc. The server-side detection techniques include permission-based detection technol-ogy, bytecode-based static detection technology and root-based dynamic detection technology. The result of the experi-ment shows that the three detection techniques can achieve better detection results.

Wang Quanmin,Li Zhenguo,Zheng Shuang,Gu Shi,Sun Yanfeng,Wang Kaiyang

DOI: https://doi.org/10.2991/icacie-17.2017.12

2017-01-01

Abstract:The recent growth in network usage has motivated the creation of new malicious code for various purposes, including economic ones. Today's signature-based anti-viruses are very accurate, but cannot detect new malicious code. Recently, classification algorithms were employed successfully for the detection of unknown malicious code. However, most of the studies use byte sequence n-gram representation of the binary code of the executable files on windows. We propose the use of Dalvik Operation Code on Android, generated by disassembling the application. We then use n-gram of the operation code as features for the classification process. We present a full methodology for the detection of unknown malicious code, based on text categorization concepts. The experiment results show that the method results are in a high accuracy rate.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

LOU Yun-cheng,SHI Yong,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2015.04.018

2015-01-01

Abstract:The characteristics of application market for Android system would usually lead to the rapid spread of the malwares,thus cause tremendous harm to the useru0027s mobile phone and personal privacy. Firstly,the reverse technology of Android application is described,and then the code- behind technology used by Android malwares and the code characteristics of privacy access are analyzed.In light of this,a malicious behavior detection method based on the reverse engineering of Android and in combination with static detection and dynamic detection is proposed,and this method could detect malicious behavior more effectively. Finally,the analysis of Android sample application indicates the feasiblility and effectiveness of this method.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

WANGZhiqiang,ZHANGYuqing,LIUQixu,HUANGTingpei

DOI: https://doi.org/10.3969/j.issn.1001-2400.2015.03.002

2015-01-01

Abstract:The paper presents a novel Android malware behavioral detection algorithm.The algorithm characterizes Android applications”behaviors by system call sequences and control flow sequences,trains a malware feature base and a threshold by analyzing known malware samples.Then,we calculate the similarities between the feature base and Android applications,and detect malware by comparing the similarities with the threshold.Finally,an Android malware detection system named SCADect is developed according to the algorithm.The detection accuracy of detecting 3 000 samples is up to 96.8%,and the detection rate of classifying 8-cluster obfuscated malware including 237 samples can reach 89%,obviously better than the tool Androguard.The results show that the SCADect is able to resist obfuscated and cryptographic attacks,improves the detection accuracy and reduces the false negative rate.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Yongkai Fan,Jing Lei,Cong Peng,Jinghan Wang,Jiaxu Liu,Guanqun Zhao,Jianrong Bai

DOI: https://doi.org/10.1109/CYBER46603.2019.9066678

2019-01-01

Abstract:Malware issue puzzles software users. Under the development of Internet, software technology has been involved in all parts of life such as Robot Control Software. There have been many methods to detect malicious Android applications. However, most of these are single behavior analysis models. In order to better detect the malicious behavior for more fields, we propose a malicious behavior analysis model based on system call and function interface with machine learning algorithm training. To clear the analysis model, we discuss the reasonable feature selection, data collection and analyze the implementation of static methods, dynamic methods and hybrid methods. In addition, we compare several important algorithm models to get the optimal model. Experimental result shows that our proposed optimal model has a higher accuracy than traditional way.

Linfeng Wei,Weiqi Luo,Jian Weng,Yanjun Zhong,Xiaoqian zhang,Zheng Yan

DOI: https://doi.org/10.1109/access.2017.2771470

IF: 3.9

2017-01-01

IEEE Access

Abstract:In this paper, we propose a machine learning-based approach to detect malicious mobile malware in Android applications. This paper is able to capture instantaneous attacks that cannot be effectively detected in the past work. Based on the proposed approach, we implemented a malicious app detection tool, named Androidetect. First, we analyze the relationship between system functions, sensitive permissions, and sensitive application programming interfaces. The combination of system functions has been used to describe the application behaviors and construct eigenvectors. Subsequently, based on the eigenvectors, we compare the methodologies of naive Bayesian, J48 decision tree, and application functions decision algorithm regarding effective detection of malicious Android applications. Androidetect is then applied to test sample programs and real-world applications. The experimental results prove that Androidetect can better detect malicious applications of Android by using a combination of system functions compared with the previous work.

Qingfeng Li,Guoqiang Chen,Bo Li

DOI: https://doi.org/10.1155/2023/2796988

IF: 1.968

2023-04-17

Security and Communication Networks

Abstract:The security issues with mobile devices have received more attention as a result of the development of mobile Internet technology and the adoption of mobile intelligent terminal devices. It is becoming more crucial to quickly and effectively identify and remove harmful applications from systems in order to protect user data and personal devices. The Dalvik bytecode, permission applications, and system calls of Android apps are the main targets of the current Android malware analysis approaches. However, in recent years, an increasing amount of Android malware conceals harmful code in native code. The method for using program gene technology to identify malware on the Android platform is presented in this research. This method extracts executable library files from the Native layer binary executable files of Android programs and disassembles the library files to obtain program genes. Then, the programs' genes perform feature screening by the information gain method and next use Word2Vec to express the semantic abstraction of the screened features. Finally, the screened features were used in deep neural network models for training and detection. The experimental results demonstrate that compared with KNN, SVM, and other machine learning algorithms, the deep neural network model is more effective and the detection accuracy reaches up to 97.51%. Thus, it confirmed the feasibility of the Android malicious program detection method based on program genes in this paper.

computer science, information systems,telecommunications

Li Boya,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1000-5137.2017.01.003

2017-01-01

Abstract:With the increasing popularization of mobile phones,people′s dependence on them is rising,the security problems become more and more prominent.According to the calling of the APK file permission and the API function in Android system,this paper proposes a dynamic detecting method based on API interception technology to detect the malicious code.The experimental results show that this method can effectively detect the malicious code in Android system.

Xi Xiao,Xianni Xiao,Yong Jiang,Xuejiao Liu,Runguo Ye

DOI: https://doi.org/10.1002/ett.3016

IF: 3.6

2016-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the popularity of Android devices, mobile malware in Android has became more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7per cent with false positive rate being 1.34per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

Fei Tong,Zheng Yan

DOI: https://doi.org/10.1016/j.jpdc.2016.10.012

IF: 4.542

2017-01-01

Journal of Parallel and Distributed Computing

Abstract:Android security incidents occurred frequently in recent years. This motivates us to study mobile app security, especially in Android open mobile operating system. In this paper, we propose a novel hybrid approach for mobile malware detection by adopting both dynamic analysis and static analysis. We collect execution data of sample malware and benign apps using a net_link technology to generate patterns of system calls related to file and network access. Furthermore, we build up a malicious pattern set and a normal pattern set by comparing the patterns of malware and benign apps with each other. For detecting an unknown app, we use a dynamic method to collect its system calling data. We then compare them with both the malicious and normal pattern sets offline in order to judge the unknown app. Based on the test on a set of mobile malware and benign apps, we found that our approach achieves better detection success rate than some methods using either static analysis or dynamic analysis. What is more, the proposed approach is generic, which can detect different types of malware effectively. Its detection accuracy can be further improved since the pattern sets can be automatically optimized through self-learning.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.