An Android malicious software detection method based on an API calling sequence

A technique based on API calls and call sequences, applied to Android malware detection based on application programming interface (API) call sequences. It addresses problems such as code obfuscation, low recognition rate, and missed detections, and achieves improved detection efficiency, low computational complexity, and a reduced number of API types.

Active Publication Date: 2019-05-03
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

At present, existing methods for static detection of Android malware basically work from two aspects, permissions and application programming interface (API) calls, but these methods have the following shortcomings. First, the large number of APIs, including the official APIs provided by Android and custom APIs provided by third-party organizations, leads to a large amount of computation for classification algorithms that rely on API features. Second, with the continuous improvement of Android security technology, Android applications use code obfuscation to prevent themselves from being decompiled, which makes obfuscated Android application software difficult to analyze. Third, current static detection methods for Android malware cannot adapt to API version changes, so detection efficiency decreases as the API version changes.
The disadvantage of this method is that in obfuscated Android application software the 20 high-risk APIs are replaced by obfuscated names, so the method misses this key feature, resulting in low detection efficiency.
The disadvantage of this method is that the quality of its detection model depends on the API version of the samples in the sample set, and its large amount of computation increases the overhead of the malware identification process while the recognition rate is low.
The disadvantage of this method is that it is prone to errors. For example, inexperienced developers may request certain permissions in advance but never use the functions those permissions cover, so accuracy suffers and missed detections are serious.

Embodiment Construction

[0040] The specific steps of the invention are described below with reference to Figure 1.

[0041] Step 1, generate training sample set and test sample set.

[0042] 1600 known Android malicious applications and 2400 known normal Android applications are extracted from the application software library to form a training sample set.

[0043] 700 Android applications to be tested are used to form a test sample set.

[0044] Step 2, generate the smali file.

[0045] Use the Android decompilation tool to decompile each Android application software in the training sample set to obtain the smali file corresponding to each Android application software.

[0046] Step 3, generate the set of application programming interface (API) call sequences.

[0047] The depth-first search (DFS) traversal algorithm is used to generate a call sequence composed of all application programming interface (API) calls in each smali file.

[0048] The specific steps of the depth-first traversal algorithm D...


Abstract

The invention discloses an Android malicious software detection method based on an API calling sequence. It mainly solves the problems in the prior art that obfuscated application programming interface (API) names cannot be identified, that extracted features cannot adapt to API replacement, that the types of APIs are numerous, and that the amount of computation is large. The method comprises the following steps: (1) generating a training sample set and a test sample set; (2) generating a smali file; (3) generating a calling sequence set of the application programming interface API; (4) replacing each application programming interface API with its package name; (5) generating a feature matrix; and (6) detecting malicious software. In this method, each API in the API calling sequence is replaced by a basic package name, an obfuscated package name, or a user-defined package name, so that the number of API types and the computational complexity are greatly reduced, malware identification and detection efficiency is improved, and the method can adapt to API version changes.
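Steps (2) to (4) of the abstract, sketched as an added example; this is not the patent's code. The smali fragment is constructed, and the `BASIC` prefix list, the short-segment obfuscation heuristic, and the `OBFUSCATED` / `SELF_DEFINED` tokens are assumptions, since the page does not give the patent's own rules.

```python
import re
# Constructed smali fragment (not from the patent): two app methods and their invokes.
SMALI = """
.class public Lcom/example/app/Main;
.method public onCreate()V
    invoke-virtual {p0}, Lcom/example/app/Main;->collect()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
.end method
.method private collect()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-static {v0}, La/b/c;->a(Ljava/lang/String;)V
    invoke-virtual {v1}, Ljava/net/URL;->openConnection()Ljava/net/URLConnection;
.end method
"""
# Assumed prefixes standing in for the "basic" (platform) packages.
BASIC = ("android.", "java.", "javax.", "dalvik.", "org.apache.")
INVOKE = re.compile(r"invoke-[\w/]+ \{[^}]*\}, L([^;]+);->([^(]+)\(")

def parse_methods(smali):
    """Map 'class->method' to the ordered callees it invokes (overloads are merged)."""
    graph, cls, cur = {}, None, None
    for line in (l.strip() for l in smali.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1][1:-1]          # strip leading 'L' and trailing ';'
        elif line.startswith(".method"):
            cur = f"{cls}->{line.split()[-1].split('(')[0]}"
            graph[cur] = []
        elif line.startswith(".end method"):
            cur = None
        elif cur and (m := INVOKE.search(line)):
            graph[cur].append(f"{m.group(1)}->{m.group(2)}")
    return graph

def dfs_sequence(graph, entry, seen=None):
    """Depth-first walk: descend into app-defined callees, emit all other calls as APIs."""
    seen = seen if seen is not None else set()
    seen.add(entry)
    seq = []
    for callee in graph.get(entry, []):
        if callee not in graph:
            seq.append(callee)                    # body not in the app: treat as an API call
        elif callee not in seen:                  # the seen set guards against recursion cycles
            seq += dfs_sequence(graph, callee, seen)
    return seq

def to_package_token(api):
    """Replace an API with its package name, or with a class token (assumed heuristic)."""
    pkg = api.split("->")[0].rsplit("/", 1)[0].replace("/", ".")
    if (pkg + ".").startswith(BASIC):
        return pkg
    return "OBFUSCATED" if all(len(s) <= 2 for s in pkg.split(".")) else "SELF_DEFINED"
```

Because the tokens are package names rather than individual method names, a renamed helper such as `a.b.c.a` still produces a stable feature, and a platform method added in a later API level falls into an existing package token.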

Description

Technical field

[0001] The invention belongs to the field of computer technology, and further relates to a method for detecting Android malware based on application programming interface (API) call sequences in the field of Internet network technology. The present invention can use the API call sequence of an Android application to judge whether that application is malicious software, and is used for security analysis of Android application software.

Background art

[0002] The research on the static detection of Android malware originates from the research work of mobile terminal application security, which is characterized by using the permission information and application programming interface API information in Android application software files to analyze the changes in permissions and the calls between application programming interface APIs relationship, extract c...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/56
Inventor: 崔艳鹏, 颜波, 胡建伟
Owner XIDIAN UNIV