
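An Android malware detection method based on system behavior sequence features
Cite this article: YANG Jiyun, CHEN Gang, YAN Ran, LYU Jianbin. An Android malware detection method based on system behavior sequence features [J]. Journal of Chongqing University (Natural Science Edition), 2020, 43(9): 54-63.
Authors: YANG Jiyun  CHEN Gang  YAN Ran  LYU Jianbin
Affiliations: College of Computer Science, Chongqing University, Chongqing 400044; Journals Department, Chongqing University, Chongqing 400044
Funding: Chongqing Technology Innovation and Application Development Special Project (CSTC2019jscx-msxm0341).
Abstract: Building machine learning models on behavior features is currently the main approach to Android malicious code detection, but the behavior features in the feature sets of such methods are independent of one another, whereas the order relationships between behavior features are an important factor reflecting malicious behavior. To further improve detection accuracy, an Android malicious code detection method based on system behavior sequence features is proposed. The method extracts the behavior sequences of system activities that occur while a program runs, such as sensitive API calls, file access and data transmission; converts the system behavior sequences into state transition sequences based on a Markov chain model and generates a state transition probability matrix; uses the state transition probability matrix and the state occurrence frequencies as the feature set to train an SAEs model; and finally uses the trained SAEs to detect Android malicious code. Experimental results show that the proposed method outperforms typical malicious code detection methods on metrics such as accuracy, precision and recall.

Keywords: Android applications  malicious code detection  dynamic analysis  deep learning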

An android malware detection method based on system behavior sequences
YANG Jiyun,CHEN Gang,YAN Ran,LYU Jianbin.An android malware detection method based on system behavior sequences[J].Journal of Chongqing University(Natural Science Edition),2020,43(9):54-63.
Authors:YANG Jiyun  CHEN Gang  YAN Ran  LYU Jianbin
Institution:College of Computer Science, Chongqing University, Chongqing 400044, P. R. China; Journals Department, Chongqing University, Chongqing 400044, P. R. China
Abstract: At present, the behavior features used by machine-learning-based Android malicious code detection approaches are independent of each other, whereas the sequential relationships between behavior features can indicate malicious behavior. To further improve detection accuracy, an Android malicious code detection method based on the features of system behavior sequences was proposed. First, the sequences of system activities, including sensitive API calls, file access, data transmission, etc., were extracted. Next, based on a Markov chain model, the system behavior sequences were transformed into state transition sequences, and a state transition probability matrix was created. Then, the state transition probability matrix and the state occurrence frequency were used as feature sets to train the SAEs model. Finally, we examined the performance of the trained SAEs model on a dataset. The experimental results show that the proposed method performed better than typical malicious code detection methods on accuracy, precision and recall.
Keywords:Android applications  malicious code detection  dynamic analysis  deep learning
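
The feature-construction step described in the abstract (behavior sequence, then Markov state transitions, then transition probability matrix plus state occurrence frequency) can be sketched as follows. This is an added example, not the authors' code: the state names and the two traces are constructed assumptions, since the abstract does not list the paper's actual state set, and the SAEs training step is omitted.

```python
from collections import Counter

# Hypothetical state alphabet: the abstract names these activity kinds but not
# the paper's actual state set, so these labels are assumptions.
STATES = ["sensitive_api", "file_access", "data_transmission", "other"]
INDEX = {s: i for i, s in enumerate(STATES)}


def transition_matrix(trace):
    """Row-normalised first-order Markov transition probabilities."""
    n = len(STATES)
    counts = [[0] * n for _ in range(n)]
    for src, dst in zip(trace, trace[1:]):
        counts[INDEX[src]][INDEX[dst]] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        # A state that never has a successor keeps an all-zero row.
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix


def state_frequencies(trace):
    """Relative occurrence frequency of each state in the trace."""
    seen = Counter(trace)
    return [seen[s] / len(trace) if trace else 0.0 for s in STATES]


def feature_vector(trace):
    """Flattened transition matrix followed by state frequencies."""
    unknown = set(trace) - set(STATES)
    if unknown:
        raise ValueError(f"unmapped behavior events: {sorted(unknown)}")
    flat = [p for row in transition_matrix(trace) for p in row]
    return flat + state_frequencies(trace)


# Constructed traces with identical event counts but different ordering.
TRACE_A = ["file_access", "sensitive_api", "data_transmission",
           "file_access", "sensitive_api", "data_transmission"]
TRACE_B = ["file_access", "file_access", "sensitive_api",
           "sensitive_api", "data_transmission", "data_transmission"]

if __name__ == "__main__":
    for name, trace in (("A", TRACE_A), ("B", TRACE_B)):
        vec = feature_vector(trace)
        print(name, "transitions:", vec[:16], "frequencies:", vec[16:])
```

The two traces produce identical frequency features but different transition matrices, which is the ordering information that a feature set of independent behavior counts cannot capture.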