Android malware detection method based on byte-code image and deep learning
Details
  • English title: Android malware detection method based on byte-code image and deep learning
  • Authors: 陈铁 ; 项彬彬 ; 吕明琪 ; 陈波 ; 江颉
  • English authors: CHEN Tieming; XIANG Binbin; LV Mingqi; CHEN Bo; JIANG Xie; College of Computer Science and Technology, Zhejiang University of Technology
  • Keywords: malicious code detection ; byte-code image ; Shannon entropy ; deep learning ; classification
  • English keywords: malware detection; byte-code image; Shannon entropy; deep learning; classification
  • Chinese journal title: DXKX
  • English journal title: Telecommunications Science
  • Institution: College of Computer Science and Technology, Zhejiang University of Technology
  • Publication date: 2019-01-20
  • Publisher: Telecommunications Science (电信科学)
  • Year: 2019
  • Issue: v.35
  • Funding: National Natural Science Foundation of China (No.61202282, No.61772026); joint project of the National Natural Science Foundation of China and the Zhejiang Provincial Government (No.U1509214)
  • Language: Chinese
  • Page: DXKX201901002
  • Page count: 9
  • CN: 01
  • ISSN: 11-2103/TN
  • Classification number: 15-23
Abstract
A new Android malware detection method is proposed that converts byte-code into colour images and then applies a deep learning model. First, the byte-code file of an Android application is mapped to a three-channel RGB colour image. At the same time, local Shannon entropy values are computed and used as an Alpha channel, which is merged with the RGB image into an RGBA colour image with transparency. Finally, a convolutional neural network is used to classify the images, and a prototype Android malware detection system is implemented. Classification experiments on eight malware families, compared against greyscale-image and other similar visualisation methods, show that the method offers both fast detection and high accuracy.
        A new Android malware detection method based on byte-code image and deep learning was proposed. Firstly, Android malware byte-code files were mapped to RGB colour images with three channels. The Shannon entropy was also calculated and used as the Alpha channel of the images, then merged with the RGB images into RGBA images. Finally, a convolutional neural network was employed as the classifier for these images. According to experiments on malware from eight malicious families, and a comparison of this method with the method that maps byte-code to greyscale images, the results show that the method using RGBA images performs well not only in speed but also in accuracy.
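The abstract describes the byte-code-to-RGBA mapping but not its parameters. The following Python is an added example, not the authors' code: it maps a byte string to RGB pixels, computes local Shannon entropy as the Alpha channel, and reports the fraction of high-entropy pixels, which is the kind of sanity check an analyst would run before feeding such images to a classifier. The choice of three consecutive bytes per pixel, the row width, the entropy window size, zero padding of the last row, and the 200/255 high-entropy threshold are all assumptions of this example; the paper's actual image dimensions and window are not stated on this page. The sample byte-code input is constructed.

```python
import math
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte chunk in bits per byte (0.0 for empty/uniform, 8.0 max)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def bytes_to_rgba(data: bytes, width: int, window: int = 64) -> list:
    """Map raw bytes to an RGBA image given as a list of rows of (r, g, b, a) tuples.

    Assumptions (this example's, not the paper's): three consecutive bytes form one
    RGB pixel, each row holds `width` pixels, the last row is zero-padded, and the
    alpha of a pixel is the Shannon entropy of the `window` bytes that start at the
    pixel's byte offset, scaled from 0..8 bits to 0..255.
    """
    if width <= 0 or window <= 0:
        raise ValueError("width and window must be positive")
    row_bytes = 3 * width
    padded = data + bytes((-len(data)) % row_bytes)  # complete the final row
    pixels = []
    for off in range(0, len(padded), 3):
        r, g, b = padded[off], padded[off + 1], padded[off + 2]
        # entropy is taken over the original data, so padding pixels get alpha 0
        a = round(shannon_entropy(data[off:off + window]) / 8.0 * 255)
        pixels.append((r, g, b, a))
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def high_entropy_fraction(image: list, threshold: int = 200) -> float:
    """Fraction of pixels whose alpha (local entropy) is at least `threshold`.

    A large fraction suggests packed or encrypted regions, which is useful to know
    before training or trusting an image classifier on such samples.
    """
    total = sum(len(row) for row in image)
    if total == 0:
        return 0.0
    hot = sum(1 for row in image for (_, _, _, a) in row if a >= threshold)
    return hot / total


def _constructed_sample() -> bytes:
    """Constructed stand-in for a byte-code file: repetitive text followed by a
    deterministic pseudo-random tail (linear congruential generator), so the
    example runs offline and reproducibly."""
    head = b"Hello Android Dalvik bytecode sample " * 8
    x, tail = 12345, bytearray()
    for _ in range(96):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        tail.append((x >> 16) & 0xFF)
    return head + bytes(tail)


if __name__ == "__main__":
    sample = _constructed_sample()
    img = bytes_to_rgba(sample, width=16, window=32)
    print(f"image: {len(img)} rows x {len(img[0])} pixels")
    print(f"high-entropy pixel fraction: {high_entropy_fraction(img):.2f}")
```

The entropy window and threshold control how sharply the Alpha channel separates plain code from compressed or encrypted blobs; when reproducing the paper's setup these would be tuned on a labelled corpus rather than fixed as here.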