Android malicious software detection method and device based on capsule network

A malware detection method, applied in the field of network security, that addresses problems such as detection methods that cannot be applied on smart mobile terminals, overly complex detection model design, and software signature libraries that cannot detect unknown malware. It achieves good detection results and facilitates classification detection.

Active Publication Date: 2019-11-08
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU

AI Technical Summary

Problems solved by technology

However, obfuscation techniques are becoming more and more complex. Signature-based static analysis can be bypassed by obfuscation techniques such as polymorphism, encryption, and packing, and detection methods based on software signature libraries cannot detect new, unknown malware. Behavior-based dynamic detection avoids the interference of obfuscation, but it has to dynamically monitor and track executable programs in a honeypot environment; it requires substantial computing resources, executes inefficiently, cannot cope with large-scale sample detection, and cannot be applied on smart mobile terminals. For machine learning classification algorithms, the up-front feature extraction and screening of malware is too cumbersome and the design of the detection model is too complicated. Detection algorithms based on convolutional neural networks require a large number of data samples to achieve a good classification effect.

None of the above detection methods works well on smart mobile terminals based on the Android platform.


Examples


Embodiment Construction

[0028] To make the purpose, technical solution and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with the accompanying drawings and technical solutions.

[0029] At present, there are many problems in the field of malware detection. The detection rate of traditional static detection algorithms drops significantly in the face of code obfuscation, packing, signature and other masquerading techniques; detection methods based on dynamic behavior monitoring occupy more system resources and cannot be applied on Android smart mobile terminals; for machine learning algorithms, the up-front feature extraction and screening of malware is too complicated, and cross-platform detection models have poor versatility. In view of this, in the embodiment of the present invention, as shown in Figure 1, a capsule network-based Android malware detection method is provided,...


Abstract

The invention belongs to the technical field of network security, and particularly relates to an Android malicious software detection method and device based on a capsule network. The method comprises the following steps: collecting Android software file samples, decompressing each to-be-processed file, converting it into an RGB three-channel color image, and using the RGB three-channel color images as training sample data; constructing a capsule network and training it with the sample data to obtain a trained network model containing a graph structure and network parameters, where the capsule network passes feature vectors between capsule layers through an iterative dynamic routing algorithm; and inputting the to-be-detected target file into the trained capsule network model for testing, and judging from the output result whether the target file is a malicious software file. The method and device can run efficiently on the Android platform, occupy few resources, are highly efficient and accurate, can perform high-accuracy classification detection even with small-scale training samples, and achieve the purpose of protecting Android smart mobile terminals.
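The preprocessing step described in the abstract (decompress the sample, then turn its bytes into an RGB three-channel image) can be sketched as follows. This is an added example, not code from the patent: the choice of `classes.dex` as the converted file, the mapping of three consecutive bytes to one pixel, the fixed row width, the zero padding, and all function names are assumptions, and the sample archive is constructed inline.

```python
import io
import math
import zipfile

def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a ZIP holding a fake classes.dex."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(range(20)))
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()

def extract_member(apk: bytes, member: str = "classes.dex",
                   max_size: int = 64 * 1024 * 1024) -> bytes:
    """Decompress one archive member (assumed here to be classes.dex)."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        info = zf.getinfo(member)          # KeyError if the member is absent
        if info.file_size > max_size:      # declared size; guards against zip bombs
            raise ValueError(f"{member} exceeds {max_size} bytes")
        return zf.read(info)

def bytes_to_rgb(data: bytes, width: int = 4) -> list:
    """Map every 3 consecutive bytes to one (R, G, B) pixel, zero-padding the tail."""
    if not data:
        raise ValueError("empty input")
    height = math.ceil(math.ceil(len(data) / 3) / width)
    padded = data.ljust(height * width * 3, b"\x00")
    return [[tuple(padded[(r * width + c) * 3:(r * width + c) * 3 + 3])
             for c in range(width)] for r in range(height)]

def to_ppm(image: list) -> bytes:
    """Serialise the pixel grid as a binary PPM (P6) image file."""
    height, width = len(image), len(image[0])
    body = bytes(ch for row in image for px in row for ch in px)
    return b"P6\n%d %d\n255\n" % (width, height) + body

if __name__ == "__main__":
    image = bytes_to_rgb(extract_member(build_sample_apk()))
    print(len(image), "rows x", len(image[0]), "pixels; first pixel", image[0][0])
```

A real pipeline would use a much larger width and resize every image to the fixed input shape the network expects before training.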

Description

Technical field

[0001] The invention belongs to the technical field of network security, in particular to a capsule network-based Android malware detection method and device.

Background

[0002] With the advent of the era of big data, Internet technology and mobile Internet technology have developed rapidly, and the number of malicious applications has also increased rapidly; new mobile malicious applications in particular have shown an exponential growth trend, which presents unprecedented challenges to cyberspace. Existing malware detection methods include: static detection methods that extract features based on OpCode n-grams and on formal descriptions of Dalvik instructions; dynamic detection methods such as dynamic analysis based on API call sequence comparison and the TaintDroid model, which uses dynamic taint tracking; Based on Naive Bayes (NB), Support Vector Machine (SVM) and other machine learning classificatio...


Application Information

IPC(8): G06F21/56, G06N3/04, G06N3/08, G06K9/62
CPC: G06F21/563, G06F21/566, G06N3/08, G06N3/045, G06F18/241
Inventor: 周刚, 王树伟, 张凤娟, 王婧, 陈海勇, 兰明敬, 巨星海, 高李政, 杨大伟, 陈靖元
Owner: PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU