
An analysis technology of Android application behavior based on sensors
Cite this article: YANG Pin, RAN Tao, ZHANG Lei and LIU Yi. An analysis technology of Android application behavior based on sensors[J]. Journal of Sichuan University (Natural Science Edition), 2021, 58(1): 013002
Authors: YANG Pin, RAN Tao, ZHANG Lei, LIU Yi
Affiliation: College of CyberSecurity, Sichuan University, Chengdu 610064 (all four authors)
Funding: National Key Research and Development Program (2017YFB0802900)
Abstract: Most research on malware identification is based on application program interface (API) calls, but most current API-based research does not consider the state of the device. The device state directly reflects the environment in which the program runs, such as human operation or program automation, and it plays an important role in analyzing application behavior. This paper proposes a sensor-based application behavior recognition technique. First, the real-time state of the device is determined from sensor data. Second, an algorithm is designed to identify malicious application behavior using the multivariate time-series data generated by combining the API call time series with the graphical user interface (GUI) first-screen time series. Finally, a malicious behavior analysis prototype system is designed and implemented, comprising static instrumentation, dynamic behavior monitoring and real-time collection of sensor state. Typical cases were selected to verify the accuracy of the proposed method, and black-box testing was performed to verify the effectiveness of the malicious application identification method.

Keywords: sensor; application behavior; API call; behavior analysis
Received: 2020-06-10
Revised: 2020-08-13
This article is indexed in CNKI, Wanfang Data and other databases.