
Malware detecting device and method

A malware detection technology, applied in computer security devices, instruments, electrical digital data processing, and similar fields, that addresses the very large number of APIs, the lack of fully automated detection, and the inability to cope with a large number of software samples, and thereby improves model training efficiency.

Inactive Publication Date: 2018-04-24
SHENZHEN INST OF ADVANCED TECH CHINESE ACAD OF SCI

AI Technical Summary

Problems solved by technology

[0005] The permission features used by detection methods based on data mining are easy to extract, but the permissions declared by an application may not be used in practice, and some studies have shown that a large number of applications abuse permissions, so using permissions directly as features to describe application behavior is not reliable. Using API features, in turn, faces the problem of a large number of APIs: some APIs have to be selected manually as features, so fully automated detection cannot be achieved.
In addition, most of the malware detection methods in the prior art are stand-alone implementations, which cannot cope with a large number of software samples.


Embodiment Construction

[0033] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only used to explain the present invention, not to limit the present invention.

[0034] Figure 1 is a schematic structural diagram of a malware detection device according to an embodiment of the present invention. The malware detection device in this embodiment includes a decompilation module, a feature extraction module, a feature formatting module, and a model training and detection module. The decompilation module is used to decompile the application software installation package (APK, Android Package) to obtain the smali file therein; the feature extraction module is used to extract the API feature file from the smali file; the featu...


Abstract

The present invention relates to the technical field of security detection, in particular to a malware detecting device and method. The malware detecting device comprises: a decompiling module, which decompiles an input application software installation package to obtain a smali file; a feature extracting module, which extracts an API (Application Programming Interface) signature file from the smali file; a feature formatting module, which formats the extracted API signature file into a set file format; and a model training and detecting module, which trains a random forest classification model on the formatted API signature file and detects malware with that model. The advantages of the disclosed device are that it is not affected by the abuse of application software permissions and that the whole training and detection process is automated, with no need for manual selection of APIs; and that distributed random forests are introduced to cope effectively with model training when a large amount of malware serves as samples and to improve model training efficiency.
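The feature extraction and feature formatting stages named in the abstract can be sketched as follows. This is an added example, not code from the patent: the LIBSVM-style sparse line format (the page only says "a set file format"), the framework-prefix filter, the function names, and the smali fragments are all assumptions made for illustration.

```python
import re
from collections import Counter

# smali invoke line: invoke-<kind>[/range] {regs}, Lpkg/Class;->method(args)ret
INVOKE_RE = re.compile(
    r"^\s*invoke-[a-z]+(?:/range)?\s+\{[^}]*\},\s*(L[^;]+;)->([^\s(]+)\(")

# Assumption: only framework APIs count as features; app-internal calls are skipped.
FRAMEWORK_PREFIXES = ("Landroid/", "Ljava/", "Ljavax/", "Ldalvik/")

def extract_api_calls(smali_text):
    """Count framework API invocations, keyed as 'Lclass;->method'."""
    calls = Counter()
    for line in smali_text.splitlines():
        m = INVOKE_RE.match(line)
        if m and m.group(1).startswith(FRAMEWORK_PREFIXES):
            calls[f"{m.group(1)}->{m.group(2)}"] += 1
    return calls

def build_vocabulary(per_app_calls):
    """Give every API seen in any sample a stable 1-based feature index."""
    apis = sorted(set().union(*per_app_calls))
    return {api: i for i, api in enumerate(apis, start=1)}

def format_sample(label, calls, vocab):
    """One sparse 'label idx:1 ...' line; APIs outside the vocabulary are ignored."""
    idxs = sorted(vocab[a] for a in calls if a in vocab)
    return " ".join([str(label)] + [f"{i}:1" for i in idxs])

# Constructed smali fragments (not from any real app): label 1 = malicious, 0 = benign.
SMALI_A = """
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-direct {p0}, Lcom/example/app/Helper;->run()V
"""
SMALI_B = """
    invoke-virtual {v1}, Ljava/lang/StringBuilder;->toString()Ljava/lang/String;
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
"""

def demo():
    samples = [(1, extract_api_calls(SMALI_A)), (0, extract_api_calls(SMALI_B))]
    vocab = build_vocabulary([calls for _, calls in samples])
    return vocab, [format_sample(y, c, vocab) for y, c in samples]

if __name__ == "__main__":
    vocab, rows = demo()
    print("\n".join(rows))
```

Because every API observed in the training set becomes a feature, no manual API selection is involved; the resulting lines can be passed to any random forest trainer that reads sparse labelled vectors.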

Description

Technical field

[0001] The invention relates to the technical field of security detection, in particular to a malicious software detection device and method.

Background technique

[0002] In recent years, the rapid development of mobile smart terminals has greatly changed people's habits of using mobile phones. Mobile phones are no longer just used to make and receive calls, but have penetrated into all aspects of personal life. At the same time, more and more personal privacy is stored in the mobile phone. Once the mobile phone is invaded by malicious software, it may face hazards such as theft of mobile phone information, theft of account numbers, and passwords, resulting in loss of personal property or interests. Or due to the illegal operation of the malicious program in the background, the function of the mobile phone is abnormal, affecting the normal use of the user.

[0003] As one of the current popular smartphone operating systems, Android has a very high market sh...


Application Information

Patent Type & Authority: Applications (China)
IPC: IPC(8): G06F21/56
CPC: G06F21/566
Inventor: 蔡芷铃, 赵鹤, 张巍, 姜青山
Owner: SHENZHEN INST OF ADVANCED TECH CHINESE ACAD OF SCI