ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2016, Vol. 53 ›› Issue (10): 2299-2306.doi: 10.7544/issn1000-1239.2016.20160348

所属专题: 2016网络空间共享安全研究进展专题

• 信息安全 • 上一篇    下一篇

Maldetect:基于Dalvik指令抽象的Android恶意代码检测系统

陈铁明,杨益敏,陈波   

  1. (浙江工业大学计算机科学与技术学院 杭州 310023) (tmchen@zjut.edu.cn)
  • 出版日期: 2016-10-01
  • 基金资助: 
    国家自然科学基金项目(U1509214);浙江省自然科学基金项目(LY16F020035) This work was supported by the National Natural Science Foundation of China (U1509214) and the Natural Science Foundation of Zhejiang Province of China (LY16F020035).

Maldetect: An Android Malware Detection System Based on Abstraction of Dalvik Instructions

Chen Tieming, Yang Yimin, Chen Bo   

  1. (College of Computer Science and Technology, Zhejiang University of Technology, Hangzhou, 310023)
  • Online: 2016-10-01

摘要: 提出了一个Android恶意代码的静态检测系统Maldetect,首先采用逆向工程将DEX文件转化为Dalvik指令并对其进行简化抽象,再将抽象后的指令序列进行N-Gram编码作为样本训练,最后利用机器学习算法创建分类检测模型,并通过对分类算法与N-Gram序列的组合分析,提出了基于3-Gram和随机森林的优选检测方法.通过4000个Android恶意应用样本与专业反毒软件进行的检测对比实验,表明Maldetect可更有效地进行Android恶意代码检测与分类,且获得较高的检测率.

关键词: 恶意代码, 安卓, Dalvik指令, N-Gram, 机器学习

Abstract: A novel static Android malware detection system Maldetect is proposed in this paper. At first, the Dalvik instructions decompiled from Android DEX files are simplified and abstracted into simpler symbolic sequences. N-Gram is then employed to extract the features from the simplified Dalvik instruction sequences, and the detection and classification model is finally built using machine learning algorithms. By comparing different classification algorithms and N-Gram sequences, 3-Gram sequences with the random forest algorithm is identified as an optimal solution for the malware detection and classification. The performance of our method is compared against the professional anti-virus tools using 4000 malware samples, and the results show that Maldetect is more effective for Android malware detection with high detection accuracy.

Key words: malware, Android, Dalvik instruction, N-Gram, machine learning

中图分类号: