Abstract
With the rapid growth of the mobile Internet, Android has become the mobile operating system with the largest market share, and its open-source nature has made it the primary target of malware. To detect the rapidly growing volume of malicious code effectively and accurately, this paper proposes a malicious code detection method based on Android native code features, which achieves higher code coverage than traditional static detection methods that analyse only Dalvik bytecode. Both the Dalvik bytecode and the SO (shared object) files of an application are converted to ARM assembly code, and a control flow graph (CFG) is generated for each function. The CFGs are annotated with a set of defined patterns, and subgraph isomorphism together with pattern matching is used to compute the similarity between the set of CFGs under test and the CFGs of known malicious code. The similarity is compared with a preset threshold to decide whether the application under test contains malicious code. Experiments show that the method is feasible and that its accuracy and detection rate are better than those of the static detection tool Androguard.
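The pipeline in the abstract (per-function CFGs, pattern annotation of basic blocks, subgraph isomorphism against known-malicious CFGs, threshold decision) can be sketched end to end in a few dozen lines. The following is an added example written for this page, not code from the paper or its authors: the CFGs, the pattern labels (`file_read`, `cond`, `net_send`, `sms_send`, ...) and the threshold value are constructed for illustration, and the matcher is a plain backtracking search for a label-preserving, non-induced subgraph embedding rather than whatever matcher the authors used. A real implementation would obtain the CFGs by disassembling the DEX and the SO files, which is what gives the method its higher code coverage; here both kinds of function are simply represented as graphs in the same set.

```python
"""Toy CFG-similarity detector: annotated CFGs + subgraph isomorphism + threshold.

A CFG is a dict  node -> (pattern_label, set_of_successor_nodes).
The pattern labels are hypothetical; the paper defines its own pattern set.
"""


def cfg(edges, labels):
    """Build a CFG dict from an edge list and a node -> pattern-label map."""
    succ = {n: set() for n in labels}
    for a, b in edges:
        succ[a].add(b)
    return {n: (labels[n], succ[n]) for n in labels}


def subgraph_isomorphic(pattern, target):
    """Return a node mapping if `pattern` embeds in `target` as a label-preserving
    subgraph (every pattern edge must exist in the target), else None.

    Backtracking over pattern nodes; labels prune candidates early, which is the
    role the CFG annotations play in the paper's method. Exponential in the worst
    case, which is why the graphs compared are per-function, not whole-program.
    """
    pnodes = list(pattern)

    def consistent(p, t, mapping):
        plabel, psucc = pattern[p]
        if p in psucc and t not in target[t][1]:       # self-loop must be preserved
            return False
        for q, tq in mapping.items():
            if q in psucc and tq not in target[t][1]:   # edge p->q needs t->tq
                return False
            if p in pattern[q][1] and t not in target[tq][1]:  # edge q->p needs tq->t
                return False
        return True

    def backtrack(i, mapping, used):
        if i == len(pnodes):
            return dict(mapping)
        p = pnodes[i]
        for t in target:
            if t in used or target[t][0] != pattern[p][0]:
                continue
            if not consistent(p, t, mapping):
                continue
            mapping[p] = t
            used.add(t)
            found = backtrack(i + 1, mapping, used)
            if found:
                return found
            del mapping[p]
            used.discard(t)
        return None

    return backtrack(0, {}, set())


def similarity(signatures, app_functions):
    """Fraction of malicious signature CFGs found inside at least one function of the app."""
    if not signatures:
        return 0.0
    hits = sum(1 for s in signatures
               if any(subgraph_isomorphic(s, f) for f in app_functions))
    return hits / len(signatures)


def is_malicious(signatures, app_functions, threshold=0.5):
    """Threshold decision from the abstract; 0.5 is an arbitrary constructed value."""
    return similarity(signatures, app_functions) >= threshold


# --- constructed signature CFGs (stand-ins for CFGs extracted from known malware) ---
SIGNATURES = [
    # read a file, branch, exfiltrate over the network
    cfg([(0, 1), (1, 2), (2, 3), (2, 4)],
        {0: "entry", 1: "file_read", 2: "cond", 3: "net_send", 4: "ret"}),
    # straight-line premium SMS send
    cfg([(0, 1), (1, 2)], {0: "entry", 1: "sms_send", 2: "ret"}),
]

# --- constructed app CFGs; APP_A mixes a "Dalvik" function and a "native SO" function ---
APP_A = [
    # native function: signature 0 embeds in it despite the extra logging loop
    cfg([(0, 1), (1, 2), (2, 3), (2, 4), (3, 5), (5, 2)],
        {0: "entry", 1: "file_read", 2: "cond", 3: "net_send", 4: "ret", 5: "log"}),
    # Dalvik function: exact match for signature 1
    cfg([(0, 1), (1, 2)], {0: "entry", 1: "sms_send", 2: "ret"}),
]
APP_B = [
    # benign-looking: reads a file and returns, no branch to a network send
    cfg([(0, 1), (1, 2)], {0: "entry", 1: "file_read", 2: "ret"}),
]

if __name__ == "__main__":
    for name, app in (("APP_A", APP_A), ("APP_B", APP_B)):
        print(name, similarity(SIGNATURES, app), is_malicious(SIGNATURES, app))
```

Two practical caveats the abstract's wording glosses over: the similarity here is a set-level score (which fraction of known-malicious function graphs embed somewhere in the app), so the threshold trades false positives for missed detections and has to be tuned on a labelled corpus; and because exact subgraph isomorphism is expensive, the annotation step matters not only for precision but for pruning the search, which is why per-function CFGs are compared rather than one whole-program graph.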
Authors
He Ping (何平); Hu Yong (胡勇) (College of Electronics and Information Engineering, Sichuan University, Chengdu 610065)
Source
Journal of Information Security Research (《信息安全研究》), 2018, No. 6, pp. 511-517 (7 pages)
Keywords
Android; malicious code; Android runtime; control flow graph; subgraph isomorphism