Android malicious software sorting method based on dynamic behavior dependency graph

A malware classification method, applied in the field of network security. It addresses problems such as the inability to effectively determine the specific type of malicious software and exposure to attacks that split behavior across threads, and achieves strong flexibility, scalability, and a high detection rate.

Active Publication Date: 2016-06-08
INST OF INFORMATION ENG CAS
4 Cites, 32 Cited by

AI Technical Summary

Problems solved by technology

Existing methods may only perform a simple maliciousness assessment based on key interface call behavior, such as distinguishing malicious from normal software, and cannot effectively determine the specific type of malware.
In addition, dynamic analysis methods have been used to extract thread-level API behavior sequences from malware for analysis, but such methods can be defeated by techniques such as dividing thread behavior or recording independent APIs.


Embodiment Construction

[0034] The present invention will be further described below through specific embodiments and accompanying drawings.

[0035] Figure 1 is a flow chart of the steps of the Android malicious program classification method of the present invention, in which 1(a), 1(b) and 1(c) are the processing steps for Android application training samples, and 2(a), 2(b) and 2(c) are the processing steps for an unknown Android application. The method specifically includes the following steps:

[0036] 1) Dynamic behavior information extraction

[0037] Figure 2 is the basic process diagram of the Dalvik sandbox executing Android applications and extracting behaviors and the dependencies between behaviors. The Android application is first executed in a specially constructed execution sandbox, which extracts its framework-layer interface call behaviors and the dependencies between those behaviors. In this process, the Java instruction interpretation process in the Dalvik virtual machine is in charge. When a fun...


Abstract

The invention relates to an Android malicious software sorting method based on a dynamic behavior dependency graph. The method comprises the following steps: an app is run in a customized Dalvik virtual machine, and dynamic behavior information, such as framework-layer interface call behaviors and the dependencies among those behaviors, is extracted; the corresponding dynamic behavior dependency graph is constructed from the dynamic behavior information; the dynamic behavior dependency graph is optimized and divided into subgraphs; similar subgraph structures are extracted from a set composed of Android malicious software of different types and are used as essential characteristics; based on the essential characteristics, a model is trained on a training set composed of known malicious software and normal software to obtain a classifier; unknown apps are classified and judged by the classifier; and the method is verified and assessed. The similarity of behavior subgraphs is measured with the graph edit distance, basic characteristics are found on that basis, and the sorting method has good flexibility and expandability.
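The graph construction, subgraph split and graph-edit-distance matching that the abstract describes, as an added sketch that is not code from the patent. Edges come from dependencies between calls rather than from thread identity or call order, so a behavior chain interleaved with unrelated calls still yields the same subgraph. The trace format, the sample API calls, the split into weakly connected components, the unit edit costs and the brute-force distance are assumptions made for illustration.

```python
from itertools import permutations

def build_graph(trace):
    """trace rows: (event id, framework API, ids of earlier events it depends on)."""
    labels = {eid: api for eid, api, _ in trace}
    edges = {(dep, eid) for eid, _, deps in trace for dep in deps}
    return labels, edges

def split_subgraphs(labels, edges):
    """Split the dependency graph into weakly connected subgraphs."""
    adj = {n: set() for n in labels}
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    parts = []
    for start in labels:
        if any(start in sub for sub, _ in parts):
            continue
        comp, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        parts.append(({n: labels[n] for n in comp},
                      {(a, b) for a, b in edges if a in comp}))
    return parts

def ged(g1, g2):
    """Exact unit-cost graph edit distance by brute force (small graphs only)."""
    (l1, e1), (l2, e2) = g1, g2
    size = max(len(l1), len(l2))
    n1 = list(l1) + [("pad", i) for i in range(size - len(l1))]
    n2 = list(l2) + [("pad", i) for i in range(size - len(l2))]
    maps = (dict(zip(n1, p)) for p in permutations(n2))
    # Node cost: label mismatch or insert/delete (pad); edge cost: edges not preserved.
    return min(sum(l1.get(a) != l2.get(b) for a, b in m.items())
               + len({(m[a], m[b]) for a, b in e1} ^ e2) for m in maps)

def features(trace, signatures, max_dist=1):
    """One 0/1 feature per signature: does any app subgraph match within max_dist?"""
    subs = split_subgraphs(*build_graph(trace))
    return [int(any(ged(s, sig) <= max_dist for s in subs)) for sig in signatures]

# Constructed sample data (illustrative, not from the patent).
SIG = build_graph([(0, "TelephonyManager.getDeviceId", []),
                   (1, "SmsManager.sendTextMessage", [0])])
APP = [(10, "ContentResolver.query", []), (11, "TelephonyManager.getDeviceId", []),
       (12, "Cursor.getString", [10]), (13, "SmsManager.sendTextMessage", [11])]
```

The resulting 0/1 vectors are what a classifier would be trained on; the brute-force distance is factorial in subgraph size, so larger subgraphs need an approximate graph edit distance.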

Description

Technical field

[0001] The invention belongs to the technical field of network security, and in particular relates to a method for classifying Android malicious software based on a dynamic behavior dependency graph.

Background art

[0002] With the popularity of the Android system, more and more application software is downloaded and installed by users. According to official data from Google, more than 1.5 billion apps are downloaded from the Google Play application market every month. Driven by this huge benefit, attackers have developed a large amount of Android malware and uploaded it to the Internet or third-party application markets for damage or profit. As McAfee Labs reported, they detected 1.1 million pieces of mobile malware in the first quarter of 2015. This malware seriously threatens the security of the Android system platform.

[0003] In order to protect the security of the Android system and resist malicious software attacks, researchers have proposed a serie...


Application Information

IPC(8): G06F21/56, G06F21/53
CPC: G06F21/53, G06F21/566
Inventor: 王蕊, 林子敏, 代朋纹, 张道娟, 武传坤, 操晓春
Owner INST OF INFORMATION ENG CAS