    Li Ting, Dong Hang, Yuan Chunyang, Du Yuejin, Xu Guo'ai. Description of Android Malware Feature Based on Dalvik Instructions[J]. Journal of Computer Research and Development, 2014, 51(7): 1458-1466.


    Description of Android Malware Feature Based on Dalvik Instructions

    Abstract (from the Chinese): To detect malware efficiently on the Android platform, this paper proposes a formal description and analysis method for Android malicious-code features based on Dalvik instructions, which can quickly detect a sample's malicious features without decompiling the application. The method first splits an Android application, following the DEX file format, into instruction blocks at method granularity; a formal description of the Dalvik instructions in each block simplifies and extracts the program's features. It then computes the similarity between the extracted features and known malicious features by combining an improved software-similarity measurement algorithm with the Minkowski distance algorithm, and decides from the similarity comparison whether the software under test contains malicious code. Finally, a prototype system is built to validate the method, and feature-matching experiments are run on a large number of random samples. The results show that the method describes features accurately and detects quickly, making it suitable for rapid detection of Android malicious code.


      Abstract: In order to achieve efficient detection of malicious software on Android, a method to analyze malware on Android devices using Dalvik instructions is proposed. Dalvik executable (DEX) files are segmented according to their format, without decompilation. Through a formalized description of the Dalvik instructions, the features of the program can be simplified and extracted. Using the MOSS algorithm and the Minkowski distance algorithm, it is determined whether the software under test contains malicious code, based on a similarity threshold. Finally, a prototype system is built to validate the method with large numbers of random samples. Taking applications from Android application stores as examples, the extraction and description of signatures with this method shows that the static detection method based on Dalvik instructions not only detects malicious code quickly but also has very low false-positive and false-negative rates. Experimental results confirm that the proposed method is feasible and credible, and that it is applicable to the rapid detection of Android malicious code.
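      The following is an added illustration of the pipeline both abstracts describe, not code from the paper or its prototype system: per-method Dalvik opcode sequences are reduced to a coarse "formal description", compared with a known malicious block by MOSS-style winnowing fingerprints, and additionally by Minkowski distance over opcode-family histograms. The family mapping, the winnowing parameters (k=3, w=4), the thresholds and the three opcode sequences are all assumptions constructed for this example, not values from the paper.

```python
import hashlib
from collections import Counter

def family(mnemonic):
    """Assumed formal description: reduce a Dalvik mnemonic to its family
    (const/4 -> const, invoke-virtual -> invoke). Not the paper's exact scheme."""
    return mnemonic.split("/")[0].split("-")[0]

def describe(method_ops):
    """One DEX method's instruction block -> sequence of opcode families."""
    return [family(op) for op in method_ops]

def winnow(tokens, k=3, w=4):
    """MOSS-style winnowing: hash every k-gram, keep the minimum of each window.
    Any shared run of at least w+k-1 tokens is guaranteed to share a fingerprint."""
    grams = [" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)]
    hashes = [int(hashlib.md5(g.encode()).hexdigest(), 16) for g in grams]
    if not hashes:
        return set()
    return {min(hashes[i:i + w]) for i in range(max(1, len(hashes) - w + 1))}

def fingerprint_similarity(a, b):
    """Jaccard similarity of the two fingerprint sets (0.0 .. 1.0)."""
    fa, fb = winnow(a), winnow(b)
    return len(fa & fb) / len(fa | fb) if fa | fb else 0.0

def minkowski(a, b, p=2):
    """Minkowski distance between normalized opcode-family histograms."""
    ca, cb = Counter(a), Counter(b)
    na, nb = sum(ca.values()) or 1, sum(cb.values()) or 1
    return sum(abs(ca[k] / na - cb[k] / nb) ** p for k in set(ca) | set(cb)) ** (1 / p)

def is_suspicious(sample, known, sim_threshold=0.5, dist_threshold=0.2):
    """Combined decision: both measures must agree the block resembles the known one."""
    ds, dk = describe(sample), describe(known)
    sim, dist = fingerprint_similarity(ds, dk), minkowski(ds, dk)
    return sim >= sim_threshold and dist <= dist_threshold, sim, dist

# Constructed sample blocks (mnemonics only; registers and operands omitted).
KNOWN_MALICIOUS = ["const-string", "invoke-static", "move-result-object",
                   "const-string", "const/4", "const/4", "invoke-virtual", "return-void"]
VARIANT = ["const-string", "invoke-static", "move-result-object", "move-object",
           "const-string", "const/4", "const/4", "invoke-virtual", "return-void"]
BENIGN = ["iget-object", "invoke-virtual", "move-result", "if-eqz",
          "new-instance", "invoke-direct", "iput-object", "return-void"]

if __name__ == "__main__":
    for name, block in (("variant", VARIANT), ("benign", BENIGN)):
        print(name, is_suspicious(block, KNOWN_MALICIOUS))
```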

