Jian Chen, Manar H. Alalfi, Thomas R. Dean, Ying Zou. Detecting Android Malware Using Clone Detection[J]. Journal of Computer Science and Technology, 2015, 30(5): 942-956. DOI: 10.1007/s11390-015-1573-7

Detecting Android Malware Using Clone Detection

Abstract: Android is currently one of the most popular smartphone operating systems. However, Android has the largest share of global mobile malware and significant public attention has been brought to the security issues of Android. In this paper, we investigate the use of a clone detector to identify known Android malware. We collect a set of Android applications known to contain malware and a set of benign applications. We extract the Java source code from the binary code of the applications and use NiCad, a near-miss clone detector, to find the classes of clones in a small subset of the malicious applications. We then use these clone classes as a signature to find similar source files in the rest of the malicious applications. The benign collection is used as a control group. In our evaluation, we successfully decompile more than 1,000 malicious apps in 19 malware families. Our results show that using a small portion of malicious applications as a training set can detect 95% of previously known malware with very low false positives and high accuracy at 96.88%. Our method can effectively and reliably pinpoint malicious applications that belong to certain malware families.

     
