一种基于Native层的Android恶意代码检测机制

doi:10.3969/j.issn.1006-2475.2019.05.001

计算机与现代化

• 操作系统 • 下一篇

一种基于Native层的Android恶意代码检测机制

(南京航空航天大学计算机科学与技术学院,江苏南京211106)

收稿日期:2018-11-21 出版日期:2019-05-14 发布日期:2019-05-14
作者简介:孙炳林(1993-),男,陕西渭南人,硕士研究生,研究方向:逆向分析,二进制安全,E-mail： 651718894@qq.com; 庄毅(1956-),女,教授,博士生导师,研究方向:可信计算,网络安全。
基金资助:
国家自然科学基金面上项目（61572253）；航空科学基金资助项目（2016ZC52030）

An Android Malicious Code Detection Mechanism Based on Native Layer

（College of Computer Science and Technology, Nanjing University of Aeronautics and Astronautics, Nanjing 211106, China）

Received:2018-11-21 Online:2019-05-14 Published:2019-05-14

摘要/Abstract

摘要： Android现有的恶意代码检测机制主要是针对bytecode层代码，这意味着嵌入Native层的恶意代码不能被检测，最新研究表明86%的热门Android应用都包含Native层代码。为了解决该问题，本文提出一种基于Native层的Android恶意代码检测机制，将smali代码和so文件转换为汇编代码，生成控制流图并对其进行优化，通过子图同构方法与恶意软件库进行对比,计算相似度值，并且与给定阈值进行比较，以此来判断待测软件是否包含恶意代码。实验结果表明，跟其他方法相比，该方法可以检测出Native层恶意代码而且具有较高的正确率和检测率。

关键词: 安卓, 恶意代码检测, 控制流图, 子图同构

Abstract: Android’s existing malicious code detection mechanism is mainly for the bytecode layer codes. This means that malicious code embedded in Native layer can’t be detected. The latest research shows that 86% of popular Android APPs contain Native layer code. In order to solve this problem, this paper proposes an Android malicious code detection mechanism based on Native layer, which converts smali code and so file into assembly code, generates control flow graph then optimizes it. Through comparing with malware library by subgraph isomorphism method, the similarity values are calculated and compared with the given thresholds to determine whether the software under test contains malicious code. The experimental results show that compared with the others the method can detect malicious code of Native layer and has higher accuracy and detection rate.

Key words: Android, malware detection, control flow graph, subgraph isomorphism

中图分类号:

TP302.7

孙炳林，庄毅. 一种基于Native层的Android恶意代码检测机制[J]. 计算机与现代化, doi: 10.3969/j.issn.1006-2475.2019.05.001.

SUN Bing-lin, ZHUANG Yi. An Android Malicious Code Detection Mechanism Based on Native Layer[J]. Computer and Modernization, doi: 10.3969/j.issn.1006-2475.2019.05.001.

参考文献

［1］ 360互联网安全中心,360烽火实验室. 2017年Android恶意软件年度专题报告［EB/OL］. （2018-03-02）［2018-08-21］. http://zt.360.cn/1101061855.php?dtid=11010-61451&did=491056914.
［2］杨欢,张玉清,胡予濮,等. 基于多类特征的Android应用恶意行为检测系统［J］. 计算机学报, 2014,37(1):15-27.
［3］ AFONSO V, BIANCHI A, FRATANTONIO Y, et al. Going Native: Using a large-scale analysis of Android Apps to create a practical Native-code sandboxing policy［C］// Symposium on Network and Distributed System Security. 2016:1-15.
［4］ SUN X, ZHONGYANG Y, XIN Z, et al. Detecting code reuse in Android applications using component-based control flow graph［C］//IFIP International Information Security Conference. 2014:142-155.
［5］ ZHAO Z, WANG J, BAI J. Malware detection method based on the control-flow construct feature of software［J］. IET Information Security, 2014,8(1):18-24.
［6］ SARACINO A, SGANDURRA D, DINI G, et al. Madam: Effective and efficient behavior-based Android malware detection and prevention［J］. IEEE Transactions on Dependable and Secure Computing, 2018,15(1):83-97.
［7］〖KG-*2〗LI J, SUN L, YAN Q, et al. Signicant permission identication for machine learning based Android malware detection［J］. IEEE Transactions on Industrial Informatics, 2018,14(7):3216-3225.
［8］ QIAO M, SUNG A H, LIU Q. Merging permission and API features for Android malware detection［C］// 2016 IEEE the 5th IIAI International Congress on Advanced Applied Informatics. 2016:566-571.
［9］ NARAYANAN A, CHANDRAMOHAN M, CHEN L, et al. A multi-view context-aware approach to Android malware detection and malicious code localization［J］. Empirical Software Engineering, 2018,23(3):1222-1274.
［10］FEIZOLLAH A, ANUAR N B, SALLEH R, et al. Androdialysis: Analysis of Android intent effectiveness in malware detection［J］. Computers & Security, 2017,65:121-134.
［11］XU K, LI Y, DENG R H. ICCDetector: ICC-based malware detection on Android［J］. IEEE Transactions on Information Forensics and Security, 2016,11(6):1252-1264.
［12］ENCK W, ONGTANG M, MCDANIEL P. On lightweight mobile phone application certification［C］// Proceedings of the 16th ACM Conference on Computer and Communications Security. 2009:235-245.
［13］XIAO X, WANG Z, LI Q, et al. ANNs on co-occurrence matrices for mobile malware detection［J］. The KSII Transactions on Internet and Information Systems, 2015,9(7):2736-2754.
［14］SANTOS I, BREZO F, UGARTE-PEDRERO X, et al. Opcode sequences as representation of executables for data-mining-based unknown malware detection［J］. Information Sciences, 2013,231:64-82.
［15］DIMJAEVI〖XCC.TIF,JZ〗 M, ATZENI S, UGRINA I, et al. Evaluation of Android malware detection based on system calls［C］// Proceedings of 2016 ACM on International Workshop on Security and Privacy Analytics. 2016:1-8.
［16］SHABTAI A, KANONOV U, ELOVICI Y, et al. “Andromaly”: A behavioral malware detection framework for Android devices［J］. Journal of Intelligent Information Systems, 2012,38(1):161-190.
［17］王志强,张玉清,刘奇旭,等. 一种Android恶意行为检测算法［J］. 西安电子科技大学学报(自然科学版), 2015,42(3):8-14.
［18］ZOU S, ZHANG J, LIN X. An effective behavior-based Android malware detection system［J］. Security & Communication Networks, 2015,8(12):2079-2089.
［19］FEIZOLLAH A, ANUAR N B, SALLEH R, et al. Comparative evaluation of ensemble learning and supervised learning in Android malwares using network-based analysis［C］// Advanced Computer and Communication Engineering Technology. 2015:1025-1035.
［20］ALAM S, QU Z, RILEY R, et al. Droidnative: Semantic-based detection of Android Native code malware［J］. Computer Science, 2016, arXiv:1602.04693.
［21］CORDELLA L P, FOGGIA P, SANSONE C, et al. A (sub) graph isomorphism algorithm for matching large graphs［J］. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2004,26(10):1367-1372.
［22］Argus Cyber Security Lab. Android Malware Dataset［EB/OL］. ［2018-11-01］. http://amd.arguslab.org.
［23］VirusTotal Website. VirusTotal［DB/OL］. ［2018-11-01］. https://www.virustotal.com/#/home/upload.
［24］Desnos A. Androguard: Reverse Engineering, Malware and Goodware Analysis of Android Applications［EB/OL］. ［2018-11-01］. https://github.com/androguard/androguar.

[1]	邹梦苑, 樊志强, 徐珞, 刘洁, 梁万路. Inf-ProA信息活动过程模型相似性度量方法[J]. 计算机与现代化, 2022, 0(02): 26-32.
[2]	封栋, 陈晓. POF表项指令和动作的合法性检测[J]. 计算机与现代化, 2020, 0(10): 23-30.
[3]	王天华1,冷璐2,袁明汶3. 双点辅助定位的移动终端掌纹识别系统[J]. 计算机与现代化, 2018, 0(03): 112-.
[4]	肖程望,卢军,余力耕. 针对安卓手机提权漏洞的新型防范模型设计与验证[J]. 计算机与现代化, 2017, 0(9): 56-60,119.
[5]	钟锡武，许淳煜，黄奕涛，黄震. 基于ZigBee的博物馆参观引导系统[J]. 计算机与现代化, 2017, 0(6): 76-79+102.
[6]	吴丽淳，樊爽. 基于安卓平台的手机定位软件开发[J]. 计算机与现代化, 2014, 0(9): 95-98.
[7]	夏艳秋，袁汝华. 基于JFinal框架和HTML5技术的手机应用开发平台设计[J]. 计算机与现代化, 2014, 0(1): 201-205,210.
[8]	姬莉霞;马建红;张雷. 基于Android的智能图像共享系统的研究  [J]. 计算机与现代化, 2012, 8(08): 87-89.
[9]	夏玉辉李鸣万琳王洪艳. 一种基于故障模型的代码静态测试方法研究[J]. 计算机与现代化, 2011, 1(2): 0-80.

一种基于Native层的Android恶意代码检测机制

An Android Malicious Code Detection Mechanism Based on Native Layer

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 9

编辑推荐

Metrics

本文评价