Android malware detection method based on API call sequence

An Android malware detection technique based on application programming interface (API) call sequences. It addresses the problems of low detection efficiency, difficulty in analyzing Android application software, and low recognition rate.

Active Publication Date: 2021-07-27
XIDIAN UNIV

AI Technical Summary

Problems solved by technology

At present, static detection of Android malware is basically carried out from two aspects, permissions and application programming interface (API) calls, but this approach has the following shortcomings. First, the number of APIs is large, including the official APIs provided by Android as well as APIs and custom APIs provided by third-party organizations, so classification algorithms that rely on API features require a large amount of computation. Second, as Android security technology keeps improving, Android applications use code obfuscation to prevent decompilation, which makes the obfuscated application software difficult to analyze. Third, current static detection methods for Android malware cannot adapt to API version changes, so detection efficiency decreases as the API version changes.
The disadvantage of this method is that in obfuscated Android application software the 20 high-risk APIs are replaced by obfuscated names, so the method misses this key feature, resulting in low detection efficiency.
The disadvantage of this method is that the quality of its detection model depends on the API version of the samples in the sample set, and the method requires a large amount of computation, which increases the overhead of the malware identification process and yields a low recognition rate.
The disadvantage of this method is that it is prone to errors. For example, inexperienced developers may have requested certain permissions in advance without ever using the functions those permissions govern, so accuracy suffers and missed detections are serious.

Embodiment Construction

[0040] The specific steps of the invention are described below with reference to Figure 1.

[0041] Step 1: generate the training sample set and the test sample set.

[0042] Extract 1600 known Android application software samples and 2,400 known normal Android applications from the application software library to form the training sample set.

[0043] 700 Android applications to be tested constitute the test sample set.

[0044] Step 2: generate the smali files.

[0045] Using an Android decompilation tool, decompile each Android application in the training sample set to obtain the smali file corresponding to each Android application.

[0046] Step 3: generate the call sequence set of the application programming interface (API).

[0047] Use the depth-first search (DFS) algorithm to generate a call sequence consisting of all the API calls in each smali file.

[0048] The specific steps of the depth-first traversal algorithm DFS are as follows.

[0049] Step 1 ...

Abstract

The invention discloses a method for detecting Android malware based on an API call sequence. It mainly addresses the following shortcomings of the prior art: obfuscated APIs cannot be identified, the extracted features cannot adapt to API version changes, and the large number of API types leads to a large amount of computation. The method steps are: (1) generate a training sample set and a test sample set; (2) generate smali files; (3) generate the call sequence set of the application programming interface (API); (4) replace each API with a package name; (5) generate the feature matrix; (6) detect malware. The invention replaces the APIs in the API call sequence with basic package names, obfuscated package names and self-defined package names, which greatly reduces the number of API types, lowers the computational complexity, improves the efficiency of malware identification and detection, and adapts to API version changes.
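Steps (3) and (4) can be sketched as follows. This is an added example, not the patent's own code: the entry point, the list of basic package prefixes and the short-segment test for obfuscated packages are assumptions, because the page elides the DFS details and does not say how the three package categories are decided.

```python
import re

BASIC = ("android/", "androidx/", "java/", "javax/", "dalvik/")  # assumed prefixes
INVOKE = re.compile(r"invoke-[\w/-]+ \{[^}]*\}, L([^;]+);->(\S+)")
SAMPLE = """.class public Lcom/example/app/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    invoke-super {p0, p1}, Landroid/app/Activity;->onCreate(Landroid/os/Bundle;)V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-direct {p0}, Lcom/example/app/MainActivity;->send()V
.end method
.method private send()V
    invoke-static {v1}, La/b/c;->a(Ljava/lang/String;)V
    invoke-static {}, Lcom/vendor/sdk/Tracker;->log()V
    invoke-direct {p0}, Lcom/example/app/MainActivity;->send()V
.end method
"""  # constructed smali sample, not from the patent; all names are made up

def parse_smali(text):
    """Map each method ('pkg/Class->name(desc)ret') to its ordered callees."""
    graph, cls, method = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith(".class"):
            cls = line.split()[-1][1:-1]      # drop leading 'L' and trailing ';'
        elif line.startswith(".method"):
            method = f"{cls}->{line.split()[-1]}"
            graph[method] = []
        elif method and (m := INVOKE.search(line)):
            graph[method].append(f"{m.group(1)}->{m.group(2)}")
    return graph

def package_token(api):
    """Replace an API with a package-level token (heuristic is an assumption)."""
    pkg = api.split("->")[0].split("/")[:-1]  # package segments, class dropped
    if api.startswith(BASIC):
        return ".".join(pkg)                  # basic package name
    return "obfuscated" if pkg and all(len(s) <= 2 for s in pkg) else "self-defined"

def call_sequence(graph, entry):
    """DFS from entry: descend into app-defined methods, emit external calls."""
    seq, seen = [], set()
    def visit(method):
        seen.add(method)
        for callee in graph[method]:
            if callee not in graph:
                seq.append(package_token(callee))
            elif callee not in seen:          # skip cycles such as send -> send
                visit(callee)
    visit(entry)
    return seq
```

Because the tokens are package names rather than method names, a renamed or version-specific method inside `android.telephony` still maps to the same feature, which is the property the abstract relies on.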

Description

Technical field

[0001] The present invention belongs to the field of computer technology, and further relates to an Android malware detection method based on application programming interface (API) call sequences. The invention can use the API call sequence of an Android application to determine whether the application is malware, and can be used for security analysis of Android applications.

Background technique

[0002] Research on static detection of Android malware stems from research on mobile terminal application security. It is characterized by using permission information, API information and the relationships between APIs to extract classification features and identify malware through machine learning. At present, the met...


Application Information

Patent Type & Authority: Patents (China)
IPC: IPC(8): G06F21/56
Inventor: 崔艳鹏, 颜波, 胡建伟
Owner: XIDIAN UNIV