Android Malware Detection Approach Based on Deep Domain Correlation of Sensitive Features
Abstract: Detecting Android malware with machine learning or deep learning algorithms is the current mainstream approach and has achieved some success. However, the majority of existing approaches focus only on application permissions and sensitive APIs and lack in-depth analysis of how sensitive behaviors coordinate, resulting in low detection accuracy. There are two main challenges in analyzing the coordination of sensitive behaviors in depth: characterizing the domain correlation of sensitive features, and performing deep analysis and detection based on that correlation. In this paper, we propose a new Android malware detection model called GCNDroid, which detects Android malware using the application's main sensitive behaviors, as described by a sensitive feature domain correlation graph, together with the domain correlations between those behaviors. First, to filter out the features that are more sensitive for classification and to reduce the number of graph nodes so that analysis is faster, we construct a dictionary of sensitive features. Next, we define a class or package as a domain; sensitive features in the same domain have a domain correlation. Using the relative range of the domain in which the sensitive features are located, we construct different domain correlation weights between sensitive features and generate the sensitive feature domain correlation graph, which can accurately characterize the sensitive behaviors in a specific functional module and the complete relationship between those behaviors. Then, based on this graph, we design a deep representation using a graph convolutional neural network to build the Android malware detection model GCNDroid. In practice, GCNDroid can also be continually updated with new sensitive features to adapt to new sensitive behaviors of mobile apps. Finally, we evaluate GCNDroid systematically: recall, F1-score, AUC and other key metrics all exceed 96%. Compared with traditional machine learning algorithms (SVM and Decision Tree) and deep learning algorithms (DNN and CNN), GCNDroid achieves the expected results.
Authors: JIANG Jianguo (姜建国); LI Song (李松); YU Min (喻民); LI Gang (李罡); LIU Chao (刘超); LI Meimei (李梅梅); HUANG Weiqing (黄伟庆) (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100093, China; School of Information Technology, Deakin University, Geelong, VIC 3216, Australia)
Source: Journal of Cyber Security (《信息安全学报》), CSCD, 2024, Issue 3, pp. 191-203 (13 pages)
Funding: Supported by the Youth Innovation Promotion Association of the Chinese Academy of Sciences (No. 2021155).
Keywords: Android malware; domain correlation; graph convolutional neural network (GCN); sensitive features