Android malicious software detection system and Android malicious software detection method based on signature and data flow mode excavation

A malware and pattern mining technology, applied in electronic digital data processing, instruments, platform integrity maintenance, etc. It addresses the problems of high requirements for classification features, the inability to resolve false positives, and the tendency to generate false positives, with the effect of improving detection speed, improving the repeated detection problem, and avoiding false positives.

Inactive Publication Date: 2017-03-15
NANJING UNIV OF POSTS & TELECOMM

AI Technical Summary

Problems solved by technology

The dynamic analysis method builds the Android operating environment, which can simulate the real behavior characteristics of the software to be tested. This detection method has high precision, but because the software needs to run dynamically, it needs to consume resources.
The characteristic of the static analysis method is that it does not need to run the software to be tested. It analyzes whether the software is malware through signature or control flow and data flow. The disadvantage of this method is that it is easy to generate false positives.
The disadvantage of this scheme is that the requirements for classification features are relatively high, and the effectiveness of features directly determines the accuracy of classification.
Most machine learning methods still use permissions as feature information; therefore, they cannot solve the false positives caused by the phenomenon of "abuse of authority".


Embodiment Construction

[0038] The technical scheme of the present invention is described in further detail below with reference to the accompanying drawings:

[0039] This document discloses an Android malware detection system based on signature and data flow pattern mining. It is a static analysis detection system, so the software to be tested does not need to be run. The system contains two components: a signature analysis component and a data flow analysis component. The signature analysis component speeds up the system's checking of known malware. The data flow analysis component yields the frequent patterns of malware data flows, which can be used as rules to guide the detection of unknown software. The two components are described below.

[0040] 1) Signature analysis component

[0041] The signature analysis component includes a signature generation module, a malware signature database and a signature matching module; wherein the signa...


Abstract

The invention discloses an Android malware detection system and an Android malware detection method based on signature and data flow pattern mining. The system contains a signature analysis component and a data flow analysis component. The signature analysis component contains a signature generation module, a malware signature database and a signature matching module; the data flow analysis component contains a data flow analysis module, a data flow pattern mining module, a data flow pattern matching module and a data flow pattern rule base. During operation, signature generation and data flow pattern mining are carried out on known malware to establish the malware signature database and the data flow pattern rule base; signature matching and data flow rule matching are then carried out on the software to be tested, so that it is judged to be malicious privacy-leaking software or not. The disclosed system and method overcome the disadvantage that traditional data flow detection requires manual confirmation, improve detection efficiency, and avoid the false positive problem caused by the "abuse" problem.
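An added sketch of the two-stage workflow the abstract describes, not code from the patent. The SHA-256 package digest used as the signature, the `(source, sink)` tuple representation of a data flow, the frequent-combination miner with its `min_count` threshold, and the sample apps are all assumptions constructed for illustration.

```python
import hashlib
from collections import Counter
from itertools import combinations

def signature(apk_bytes):
    # Assumption: the signature is a SHA-256 digest of the package bytes.
    return hashlib.sha256(apk_bytes).hexdigest()

def mine_patterns(flow_sets, min_count, max_size=2):
    """Frequent combinations of (source, sink) flows seen in >= min_count samples."""
    counts = Counter()
    for flows in flow_sets:
        for k in range(1, max_size + 1):
            for combo in combinations(sorted(flows), k):
                counts[frozenset(combo)] += 1
    return {p for p, c in counts.items() if c >= min_count}

def build(known_malware, min_count):
    """Training phase: fill the signature database and the pattern rule base."""
    sig_db = {signature(apk) for apk, _ in known_malware}
    rules = mine_patterns([flows for _, flows in known_malware], min_count)
    return sig_db, rules

def detect(apk_bytes, flows, sig_db, rules):
    """Detection phase: signature match first, then data flow rule match."""
    if signature(apk_bytes) in sig_db:
        return "known_malware", None  # fast path: no flow analysis needed
    hits = [r for r in rules if r <= flows]
    if hits:
        return "matches_malware_flow_pattern", max(hits, key=len)
    return "no_match", None

# Constructed sample flows (sensitive source API -> sink API), not real analysis output.
F1 = ("getDeviceId", "sendTextMessage")
F2 = ("getLastKnownLocation", "HttpURLConnection")
F3 = ("ContactsContract.query", "HttpURLConnection")
F4 = ("getLine1Number", "Log.d")
KNOWN_MALWARE = [
    (b"constructed-malware-A", {F1, F2}),
    (b"constructed-malware-B", {F1, F2, F3}),
    (b"constructed-malware-C", {F1, F4}),
]
SIG_DB, RULES = build(KNOWN_MALWARE, min_count=2)

if __name__ == "__main__":
    print(detect(b"constructed-malware-A", set(), SIG_DB, RULES))
    print(detect(b"unseen-app", {F1, F2, F4}, SIG_DB, RULES))
    print(detect(b"other-app", {F4}, SIG_DB, RULES))
```

A repackaged variant of a known sample changes the digest and misses the signature stage, which is the case the mined flow rules are there to catch.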

Description

Technical field

[0001] The invention relates to the field of data flow pattern mining, in particular to an Android malware detection system and method based on signature and data flow pattern mining.

Background technique

[0002] Android is currently the most widely used smartphone operating system. In 2014, the sales of Android mobile phones accounted for 81% of the global mobile phone sales, reaching 1 billion units. On the other hand, the openness of the Android system has brought many security problems while being favored by application developers. At present, there are a large number of malware stealing user privacy on the Android platform, which seriously threatens user security.

[0003] There are two mainstream Android malware detection methods, dynamic analysis method and static analysis method. The dynamic analysis method builds the Android operating environment, which can simulate the real behavior characteristics of the software to be tested. This detection met...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): G06F21/56
CPC: G06F21/564, G06F21/562, G06F2221/033
Inventor: 宁卓, 邵达成, 郑之奇, 胡婷, 张佩
Owner: NANJING UNIV OF POSTS & TELECOMM