Real-time detection of Android malware using a random forest classifier

A malware detection method based on a random forest classifier, applied in the field of communications, addresses the low success rate, ineffectiveness and limited accuracy of existing Android malware detection, and achieves good detection accuracy.

Active Publication Date: 2019-08-13
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

The disadvantage of this method is that it uses a support vector machine as the final detection basis, so many parameters need to be tuned (for example, choosing the most suitable kernel function and regularization penalty), which results in a long tuning cycle.
The disadvantage of this detection method is that all features extracted by its random forest classifier come from static features of the sample, so it cannot detect the runtime data of Android application samples.
This method extracts features from all Android applications, which reduces the success rate of Android malware detection and cannot make full use of random forest classifiers to classify the features.
Classifier-based Android malware detection methods at this stage have the following deficiencies:
  • First, existing classifier-based methods usually analyze different Android samples after classification, or statically analyze samples one by one, so the real-time performance of malware detection cannot be guaranteed.
  • Second, existing methods based on API data flow analysis use a single call-sequence feature and do not make full use of the various kinds of features in the API data flow, so detection accuracy cannot be guaranteed.
  • Third, regarding the API data flow call sequence used in existing API-data-flow-based methods: generally, existing Android malware detection methods based on clustering algorithms analyze samples of the same family, or statically analyze samples one by one, so the intrinsic correlation between the detected samples cannot be found.
  • Fourth, the static features used by existing random-forest-based methods are usually Android application identifiers, application permissions and called APIs, so samples cannot be effectively detected when runtime data analysis is performed.
  • Fifth, existing classifier-based methods use relatively few runtime data features and do not make full use of the various runtime characteristics of Android application samples, which reduces malware detection accuracy.


Embodiment Construction

[0041] The present invention proposes a method for real-time detection of Android malware using a random forest classifier. The method is based on a hidden Markov model, by which the similarity between an application and each category can be judged from their inherent similarity; on this basis, a random forest model, which is better suited to classification problems, is introduced to reflect, to a certain extent, the differences between different categories with similar behaviour, that is, the random forest classifier model is used to identify similar behaviour sequences.

[0042] Referring to figure 1, the double security authentication process of the present invention is as follows:

[0043] Step 1, collect network data.

[0044] Use a packet capture tool to collect the runtime API call data flows generated by normal software samples and malware samples respectively, and use the collected runtime API call data flows as the initial data set for training the malware d...


Abstract

The invention relates to a method for detecting Android malicious software in real time by means of a random forest classifier. The method comprises the following steps:
1. collecting network data;
2. grouping the data flow of application program interface calls;
3. extracting the minimum unit of the data flow;
4. extracting calling sequence characteristics;
5. training a hidden Markov model;
6. training a random forest model;
7. extracting the application program interface data flow characteristics of the sample to be detected;
8. inputting the feature vectors of the sample to be detected into the random forest detection model and judging whether the output of the detection model is the malicious software category;
9. outputting the malicious software category corresponding to the sample to be detected.
Accordingly, the malicious software can be detected in real time, software transmitted in the network can be detected, and a good detection accuracy rate is achieved.
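As an added illustration (not code from the patent or its inventors), the pipeline below runs the abstract's steps 2, 5, 7 and 8 on constructed call sequences: captured calls are grouped per application, one sequence model is trained per category, and each category's likelihood of a new sequence forms the feature vector that the random forest would consume. It substitutes a smoothed first-order Markov chain for the hidden Markov model and a best-score rule for the random forest (both assumptions); the API names and capture format are constructed.

```python
from collections import Counter, defaultdict
from math import log

# Constructed capture lines (not real traffic): "<seq> <app> <api-call>", the
# shape a packet-capture export of the runtime API call flow might take.
CAPTURE = "1 appA openFile\n2 appB getDeviceId\n3 appA read\n4 appB encrypt\n5 appA close\n6 appB sendSMS"
# Constructed, labelled training sequences (the initial data set of step 1).
TRAIN = [
    ("benign", ["openFile", "read", "close", "openFile", "read", "close"]),
    ("benign", ["getLocation", "display", "getLocation", "display"]),
    ("malicious", ["getDeviceId", "encrypt", "sendSMS", "getDeviceId", "encrypt", "sendSMS"]),
    ("malicious", ["getContacts", "encrypt", "httpPost", "getContacts", "encrypt", "httpPost"]),
]

def group_by_app(capture):
    """Step 2: split the captured call flow into one call sequence per application."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        _seq, app, api = line.split()
        flows[app].append(api)
    return dict(flows)

class MarkovModel:
    """Per-category first-order Markov chain with add-one smoothing: a simplified
    stand-in for the per-category HMM of step 5, not the patent's own model."""
    def __init__(self, sequences, vocab_size):
        self.v = vocab_size
        self.start, self.trans = Counter(), defaultdict(Counter)
        for seq in sequences:
            self.start[seq[0]] += 1
            for a, b in zip(seq, seq[1:]):
                self.trans[a][b] += 1

    def log_likelihood(self, seq):
        """Average per-call log-likelihood, so sequences of different length compare."""
        ll = log((self.start[seq[0]] + 1) / (sum(self.start.values()) + self.v))
        for a, b in zip(seq, seq[1:]):
            row = self.trans[a]  # unseen API names fall back to the smoothing mass
            ll += log((row[b] + 1) / (sum(row.values()) + self.v))
        return ll / len(seq)

def build_models(train):
    vocab_size = len({api for _, seq in train for api in seq})
    return {cat: MarkovModel([s for c, s in train if c == cat], vocab_size)
            for cat in {c for c, _ in train}}

def classify(models, seq):
    """Steps 7-8 stand-in: per-category likelihoods are the feature vector; best score wins."""
    scores = {cat: m.log_likelihood(seq) for cat, m in models.items()}
    return max(scores, key=scores.get)
```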

Description

Technical field

[0001] The invention belongs to the technical field of communication, and further relates to a method for detecting Android malicious software in real time by using a random forest classifier in the technical field of network security. The invention can be used to detect in real time whether malicious software exists in Android software, so that other network security technologies can process the malicious software existing in the Android software, thereby ensuring the information security of the Android software.

Background technique

[0002] Android malware detection technology is used to discover malware existing on mobile devices, so that other network security technologies can prevent malware from harming mobile devices. Android malware detection technology using the random forest classifier has attracted the attention of scholars in recent years. This method usually analyzes the feature data generated by the application and extracts the features...


Application Information

Patent Type & Authority: Patents (China)
IPC: G06F21/56
CPC: G06F21/566
Inventor: 董庆宽曾敏张文博陈原白丽娜
Owner: XIDIAN UNIV