
Android malicious code family classifying method based on bytecode image clustering

A malicious code classification technology, applied in the field of Android malicious code family classification, that addresses the problem of a high false alarm rate and achieves a low false positive rate, effective Android malicious code family classification, and high detection accuracy.

Active Publication Date: 2016-11-09
ZHEJIANG UNIV OF TECH

AI Technical Summary

Problems solved by technology

In 2014, D. Arp and others collected 5,560 malicious samples and proposed the DREBIN method, which can distinguish Android malicious code from normal code, as well as different families of Android malicious code from one another. This method has a higher detection rate, but also a higher false positive rate.



Embodiment Construction

[0033] The present invention will be further described below in conjunction with the accompanying drawings.

[0034] Referring to Figure 1 to Figure 5, an Android malicious code family classification method based on bytecode image clustering comprises the following steps:

[0035] 1) The APK program code is mapped into a grayscale image

[0036] APK format files usually include a file named classes.dex, which encapsulates all Dalvik bytecode that can be executed by the Dalvik virtual machine. A DEX file is composed of multiple structures, including the dex header, string_ids, type_ids, proto_ids, field_ids, method_ids, class_def, data and other parts. The DEX file header specifies some attributes of the DEX file and records the physical offsets of the other 6 data structures in the DEX file.

[0037] If the bytecode of the DEX file is constructed into a pixel matrix of appropriate width (see Table 1 for the width suggestion), the pixel in the matrix is...


Abstract

An Android malicious code family classifying method based on bytecode image clustering includes the following steps. First, the APK program code is mapped into a grayscale image. Second, features are extracted through the GIST algorithm: a pixel matrix with the same height and width is calculated according to the total number of pixels of the original image, and the matrix still stores the pixels of the original image, so a square image can be generated from it; wavelet filtering in eight directions and four dimensions is conducted on each sub-region to extract the texture feature information of the image; a 512-dimension feature vector is finally obtained for each image; and dimension reduction and data visualization are conducted on the resulting high-dimension data. Third, the features are classified through a random forest algorithm, and Android malicious code family classification is completed by completing the clustering of the grayscale images. The method has high detection accuracy and a low false alarm rate.
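The first step (bytecode to grayscale image) and the square re-packing that precedes GIST extraction can be sketched as follows. This is an added example, not code from the patent: the row width of 16 used in the test is arbitrary because Table 1 is not reproduced on this page, and zero-padding plus a side length of ceil(sqrt(n)) are assumptions. The sample buffer is constructed and only has a DEX-shaped header.

```python
import math
import struct

DEX_HEADER_SIZE = 0x70
# Byte position of each section's *_off field inside the DEX header.
SECTION_OFFSETS = {"string_ids": 60, "type_ids": 68, "proto_ids": 76,
                   "field_ids": 84, "method_ids": 92, "class_defs": 100,
                   "data": 108}

def parse_dex_header(dex: bytes) -> dict:
    """Return file_size and the physical offset of each section."""
    if len(dex) < DEX_HEADER_SIZE or dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    info = {"file_size": struct.unpack_from("<I", dex, 32)[0]}
    for name, pos in SECTION_OFFSETS.items():
        info[name] = struct.unpack_from("<I", dex, pos)[0]
    return info

def to_gray_rows(dex: bytes, width: int) -> list:
    """One byte = one pixel (0..255); the last row is zero-padded (assumption)."""
    if width <= 0:
        raise ValueError("width must be positive")
    padded = dex + bytes(-len(dex) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]

def to_square(rows: list) -> list:
    """Re-pack the same pixels into a side x side matrix (assumed zero-padded)."""
    flat = [p for row in rows for p in row]
    side = math.isqrt(len(flat) - 1) + 1 if flat else 0   # ceil(sqrt(n))
    flat += [0] * (side * side - len(flat))
    return [flat[i * side:(i + 1) * side] for i in range(side)]

def make_sample_dex() -> bytes:
    """Constructed 150-byte buffer with a DEX-shaped header (not a real app)."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 32, 150)              # file_size
    struct.pack_into("<I", hdr, 36, DEX_HEADER_SIZE)  # header_size
    struct.pack_into("<I", hdr, 60, 0x70)             # string_ids_off
    struct.pack_into("<I", hdr, 108, 0x80)            # data_off
    return bytes(hdr) + bytes(range(38))              # 112 + 38 = 150 bytes

if __name__ == "__main__":
    sample = make_sample_dex()
    print(parse_dex_header(sample))
    square = to_square(to_gray_rows(sample, 16))
    print(len(square), "x", len(square[0]))
```

The resulting matrix can be written out with any image library as an 8-bit grayscale image; the GIST and random forest steps are outside this sketch.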

Description

Technical field

[0001] The invention relates to the technical field of malicious code analysis, in particular to a method for classifying Android malicious code families.

Background technique

[0002] With the vigorous development of the mobile Internet, the types and quantities of mobile applications have shown rapid growth, and at the same time, the scale of malicious code in mobile applications has also shown exponential growth. Alibaba Security's 2015 Mobile Security Virus Annual Report pointed out that about 1 out of 5.6 devices on the Android platform was infected with a virus, and the device infection rate was as high as 18%, and about 95% of the applications contained virus counterfeiting.

[0003] Although the number of malicious codes is increasing every year, most of the new variants are obtained through some transformation operations on the basis of the original malicious codes. Malware writers often use module reuse or automated tools to write variants during t...


Application Information

IPC(8): G06F21/56, G06K9/62
CPC: G06F21/562, G06F2221/033, G06F18/23, G06F18/24323
Inventor: 陈铁明, 杨益敏
Owner ZHEJIANG UNIV OF TECH