83 results about "Android malware" patented technology

The invention discloses an automatic detection method for Android malicious software, and belongs to the technical field of system security. The method comprises the following steps: 1) setting a plurality of application programming interface (API) functions as sensitive APIs, disassembling software to be detected and analyzing all sensitive APIs and function call paths from a disassembled code; 2) judging the trigger mode of each sensitive API, analyzing control information triggering the sensitive API, inputting the control information into a dynamic detection sandbox and executing the control to automatically trigger a malicious act if the trigger mode is a user trigger mode, and sending system messages to the dynamic detection sandbox to trigger the malicious act if the trigger mode is a system message trigger mode; and (3) monitoring and recording the conditions of calling the sensitive API by the software and operating data through the dynamic detection sandbox, and judging the software as the malicious software if the call of the sensitive API and the operating data of the call indeed exist. By the method, manual intervention is not required, and the method provides powerful support for detecting large-scale malicious software.

The invention discloses a method for detecting Android malicious software. The method comprises the following steps: a server simulates and executes the to-be-detected software, and matches sensitive feature information and malicious feature information of the function invoked by the to-be-detected software with the sensitive feature information and the malicious feature information stored locally; and if the matching is successful, the function invoking is determined to be malicious, and the to-be-detected software is malicious. The invention further discloses a system and a device for detecting Android malicious software. By virtue of the technical scheme, the problem that the software cannot be detected to be the malicious software for a long time caused by the situations that the existing technology for detecting the Android malicious software has a lag phase, and the triggering conditions for malicious behaviors of some malicious software are complicated can be avoided.

The invention discloses a detection method for repackage application in an android market. The method comprises the steps: calculating the length of character string used according to dex files of android applications so that the lengths are taken as feature codes for distinguishing different applications, calculating the edition distance between the features codes of the different applications to obtain the similarity of different android applications, comparing the similarity with a given threshold, thus determining whether the repackage application exists. The detection method can be used as an effective assistant means for detecting android malware.

The invention relates to an Android malicious software sorting method based on a dynamic behavior dependency graph. The sorting method includes the steps that an APP is run through a user-defined Dalvik virtual machine, and dynamic behavior information such as framework layer interface calling behaviors and dependency among the behaviors is extracted; the corresponding dynamic behavior dependency graph is constructed according to the dynamic behavior information; the dynamic behavior dependency graph is optimized and divided into subgraphs; similar subgraph structures are extracted from a set composed of Android malicious software of different types and are used as essential characteristics; according to the essential characteristics, model training is conducted on a training set composed of known malicious software and normal software to obtain a classifier; unknown APPs are classified and judged through the classifier; the method is verified and assessed. Similarity of the behavior subgraphs is measured with the graph editing distance, basic characteristics are found on the basis, and the sorting method has good flexibility and expandability.

The invention provides an Android malicious software detection method based on a method call graph. A heterogeneous method call graph for constructing Android application Apk software is adopted, a sensitivity function is calibrated, and malicious codes are subjected to location and family classification by using the connectivity of the graph. The specific flow comprises the following steps: scanning the connectivity of the graph on the heterogeneous method call graph to obtain each sub-graph; grading the sensitivity function of each sub-graph, wherein the sub-graphs surpassing a threshold value are determined as malicious code modules, and similar malicious code sub-graph structures in different Android software are determined as malicious code families. According to the Android malicious software detection method, unknown malicious software can be found heuristically, families of the unknown malicious software are calibrated, and safe scanning and protection are provided for broad Android third-party markets and personal users.

The invention discloses an Android malware real-time detection method based on network flow analysis. The method comprises the following steps: (1) collecting network data; (2) dividing network data flow groups; (3) extracting a network data flow minimum unit; (4) judging whether a flow minimum unit port number is 80; (5) extracting network data packet field features; (6) judging whether the flow minimum unit port number is 443; (7) extracting network data flow statistical features; (8) training a statistical feature detection module; (9) training a field feature detection module; (10) extracting the network data feature of a to-be-detected sample; (11) judging whether a feature vector of the to-be-detected sample is a field feature vector; and (12) inputting the feature vector of the to-be-detected sample into the field feature detection model or a statistical feature detection model to obtain a detection result. By use of the real-time detection method disclosed by the invention, the malware can be detected in real time, and an encryption protocol can be used for detecting the software for performing the network data transmission.

The invention discloses a permission-based Android malicious software hybrid detection method. The method comprises the following steps: steps one, decompiling an Android application program and obtaining application program application permissions; step two, combining a system setting permission to carry out permission detection on the application program application permissions; dividing all applications to be detected into a kind application set, a malicious application set and a suspicious application set according to the difference of the conditions of the application program application permissions; step three, dynamically acquiring and detecting the behaviors of the application programs in the suspicious application set, collecting interface calling related to sensitive applications, giving vector space representation, and performing application program vectorization; step four, obtaining the detection result of kind application programs meeting safety detection standard through safety detection. Compared with the prior art, the permission-based Android malicious software hybrid detection method integrates two affecting factors of euclidean distance and cosine similarity, and the obtained detection result is more comprehensive and higher in accuracy.

The invention discloses an efficient Android malware detection model DroidDet based on rotating forest and belongs to the technical field of information security. According to the invention, a decompilation tool is used to decompile the Apk file in an Android application program and a combination of four groups of features is analyzed and extracted as the input for building a rotating forest classifier model. The model is characterized in that 1) the integrated learning method-rotating forest algorithm is initially adopted; further, each base learning device is trained through adopting PCA major constituent analysis and self-service sampling method and using a whole training set; accordingly, the model created in the invention has superior generalization performance; 2) the rotating forest algorithm has the feature of selecting the optimal characteristics so as to avoid noise data. The 10-fold cross-validation method is used for verifying the validity of the model created in the invention and the predicting accuracy of the model in the invention reaches 88.26%, which is 3.13% higher than the 84.93% of typical support vector machines. The model of the invention has wide application prospect in user information security.

The invention provides an Android malware detection method based on an improved Bayesian algorithm. The feature attributes of Android malicious programs and well-behaved programs are analyzed and classified through the improved Bayesian algorithm to realize the malware detection method based on the improved Bayesian algorithm. A judgment on whether software is malware is implemented from the aspect of permission application of applications. According to the method, a permission request label in an Android permission request mechanism is taken as a detection data source. The malware and well-behaved software are distinguished in a permission request label combination way, and a detection model is built by using the improved Bayesian algorithm. The improved Bayesian algorithm is characterized in that mutual independence among attributes of the data source is considered, and a naive Bayesian classifier is used for performing data modeling, so that the detection index is increased greatly, the detection accuracy is increased, and the false alarm rate is lowered.

The invention provides an Android malicious software detection method and system based on dynamic monitoring. The method comprises the following steps: S1, establishing a rule library of various information of a mobile terminal; S2, after a target function address is looked up, replacing the target function address with a function address comprising monitoring codes; S3, when an application of the mobile terminal is started, monitoring the behavior of the application; S4, judging whether or not the behavior of the application is a sensitive behavior executed by Android malicious software. According to the Android malicious software detection method and system based on dynamic monitoring, the aim of effectively monitoring malicious software is fulfilled by simulating running of third-party application software, monitoring sensitive data streams and analyzing sensitive data leakage of application software and making a safety alarm when the sensitive data is tampered.

Provided is a system for conducting the fast inspection of Android malwares, the system including a processor configured to compute the similarity between the signature for a given target application and one of signatures stored in a database, and a determiner configured to determine whether the target application is a malware based on the computed similarity, wherein the system relates to the technology for examining whether a certain Android application, which can be downloaded via a uniform resource locator (URL), is malicious by examining how similar the application is with the malwares and normal applications verified earlier.

The invention discloses an Android malicious software detection method based on a sensitive calling path, and mainly solves the problem that an existing scheme is low in malicious software detection accuracy. According to the scheme, a sensitive target interface API list is constructed through a natural language processing technology; Generating a sensitive calling path set by using the Android application software subjected to reverse analysis; Taking the sensitive calling path as a feature, and establishing an Android sensitive calling path feature library by analyzing a large number of benign software and malicious software data sets; Processing the sensitive calling path set of the sample into a feature vector, and training a classifier model by adopting a supervised machine learning algorithm by utilizing the feature vector; And detecting whether the Android application software with unknown security is malicious software or not by using the trained classifier model. The method ishigh in precision, easy to expand and remarkable in intelligence, and can be used for automatic detection of the mobile terminal and examination and analysis of the Android application market.

The invention relates to an Android malicious behavior dynamic detection method based on binary dynamic instrumentation, and belongs to the technical field of computer and information science. The method comprises the following steps: firstly, triggering all potential malicious behaviors of tested software through an Android dynamic detection framework; then, through a dynamic binary instrumentation technology, constructing a calling sequence of a program to a system API, using an N-Gram model to extract call timing relationship characteristics of a function; finally, inputting the generated time sequence relation characteristics into a trained GBDT (Gradient Boosting Decision Tree, Gradient Boosting Decision Tree) multi-classification algorithm detection model, identifying malicious software, and carrying out fine-grained classification on malicious behaviors of the software. According to the invention, a dynamic binary instrumentation technology is used.A system function calling timesequence feature of the software is extracted without knowing a program source code. Compared with the prior art, the Android malicious behavior detection method has high accuracy for Android malicious behavior detection, malicious behaviors of the software can be divided into six classes. More detailed detection conclusion granularity is achieved, and the detection efficiency of the Android malicious software is effectively improved.

The invention relates to a large-scale malicious Android software automatic detection system and method based on multi-class features and machine learning. The method includes: collecting security andmalware libraries, using software analysis tools such as Androguard and Droidbox, collecting the characteristics of each software from both dynamic and static angles, processing the receipts of the forms, defining the thresholds in different angles, when a certain feature does not meet the threshold requirements, deleting the feature, and utilizing a support vector machine, a neural network, an ensemble learning algorithm and other algorithms for detection, and obtaining the optimal results of detection results are obtained, so as to realize the automatic detection of large-scale malware. Theinvention can be used for detecting and identifying large-scale malicious mobile phone software and protecting the privacy and safety of users.

The invention discloses a hybrid feature screening method for Android malicious software detection. The method comprises the steps that a training set and a test set are generated according to existing data; a primary feature subset is screened out; an optimal feature subset corresponding to each type of classifiers is obtained; and the optimal feature subset is utilized to train the correspondingclassifiers. Through the hybrid feature screening method for Android malicious software detection, the optimal feature subset and a classification algorithm matched with the optimal feature subset can be screened out, modeling time of the classifiers is greatly shortened, and the detection efficiency and detection precision of Android malicious software detection can be improved.

The invention discloses an Android malicious software detection method based on a combined feature mode. Firstly, a certain amount of Android malicious software and Android benign software training samples are acquired to construct a training sample set; authority features and sensitive API features of each training sample are analyzed and combined to generate feature vectors of the training samples; the feature vectors of all the training samples serve as input to train an ELM, and the ELM is obtained; to-be-detected Android software serves as a test sample, and the authority feature and thesensitive API feature of the test sample are analyzed and combined to generate the feature vector of the test sample; the feature vector of the test sample is input into the ELM, and finally, whetherthe test sample is Android malicious software or not is judged by the ELM. The method has the advantages of being high in Android malicious software detection accuracy and short in learning time.

The invention provides an Android malicious software detection method. Graphs are called by adopting an isomerism method for constructing Apk software of Android application, sensitive functions are calibrated, and malicious codes are positioned according to the continuity of the graphs. The method specifically comprises the following steps of performing graph continuity scanning on the graphs called by the isomerism method to obtain all sub-graphs, performing sensitive function marking on all the sub-graphs, and determining that the sub-graphs of which the marks exceed a threshold value are malicious code modules. According to the method, unknown malicious software can be heuristically found, and security scanning and protection are supplied to a large range of Android third-party markets and individual users.

The invention relates to an Android malware detection method based on depth learning, belonging to the field of computer and information science and technology. The invention firstly extracts featuresof Android application software, and then extracts relevant security features by decompressing and decompressing Android application files. The extracted features include three aspects: file structure feature, security experience feature and N-Gram statistic characteristic. Then the extracted features are numerically processed to construct feature vectors. Finally, a DNN (Deep Neural Network) model is constructed based on the above extracted features. The new Android software is classified and identified by the constructed model. This method combines the analysis of instruction set and has the function of anti-malware confusion. At the same time, malware detection based on depth model can enhance the feature learning, can express the abundant information of big data, and can adapt to theevolving malware more easily.

The invention provides an Android malicious software detection system and an Android malicious software detection method. The method comprises the steps of extracting API (Application Program Interface) characteristics and permission characteristics by use of a characteristic extraction module; calculating TF-SFD of each API characteristic and permission characteristic according to a characteristic selection module, ranking the numbers of TF-SFD from large to small, selecting first M1 API characteristics and M2 permission characteristics to form a characteristic matrix; and training the characteristic matrix through a class identification module to obtain a classification model, and identifying the classification module. The above-mentioned detection method is simple, small in calculated amount and relatively high in detection effect.

The invention discloses an improved forest algorithm-based Android malicious software detection method. The method comprises an S01 stage of obtaining a data set, an S02 stage of carrying out reverse processing, an S03 stage of extraction feature vectors, an S04 stage of optimizing the feature vectors, an S05 stage of generating a decision tree set, an S06 stage of calculating a decision tree weight, an S07 stage of generating a final classification result and an S08 stage of assessing the classification result. Compared with the traditional detection method, the improved forest algorithm-based Android malicious software detection method has higher classification precision, and has the effects of improving the correctness of malicious software detection and reducing the probability that Android systems are attacked due to detection errors.

The invention provides an Android malicious software detection method and system based on RNN and CNN, and the method comprises the steps: carrying out the feature extraction of an original installation file of a training sample, and obtaining an operation code sequence; training a BLSTM network by using the operation code sequence; extracting the operation code sequence as a feature picture by using the trained BLSTM network; training a convolutional neural network by utilizing the feature pictures. Firstly, feature extraction is conducted on an installation file of a to-be-detected Android application, and an operation code sequence of the to-be-detected Android application is obtained. The operation code sequence is input into a trained BLSTM network, and a feature picture is extracted.Finally, the feature picture is input into a trained convolutional neural network, and a classification result that whether the feature picture belongs to malicious software or not is output. According to the method, recognition and distinguishing of good software and malicious software under the Android platform are achieved, and the safety of the Android software platform is improved.

The invention provides the design scheme of an Android malicious software detection method based on a program slicing technology. According to the scheme, starting from an installation file APK of an installation application, source codes of the application are analyzed through the program slicing technology, key nodes affecting the safety of the application are found out, Android malicious software is detected, and the purpose of reducing manual operation is achieved. The test result shows that the Android malicious software detection method based on the program slicing technology can reliably detect the Android malicious software; the method based on the program slicing is more accurate than a traditional detection method; the Android malicious software is analyzed from the angle of the source codes, and flexibility is higher for continuously updated viruses and Trojan variants.