JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE)  2018, Vol. 52 Issue (6): 1097-1106    DOI: 10.3785/j.issn.1008-973X.2018.06.008
Computer and Communication Technology
Behavior consistency detection of Android APP with LSTM model
LUO Na, WEI Song-jie, SHI Zhao-wei, WU Gao-xiang
School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China

Abstract  

The large number and wide variety of Android APPs make it difficult to accurately validate the real category of an APP. Through analysis of the network behaviors of Android APPs, a theory of application behavior consistency was presented, and an LSTM classification model based on network behaviors was proposed for consistency verification of APPs. The network behaviors of APPs in different functionality categories were thoroughly triggered at run time by constructing various sequences of scenario events. Effective network features were then extracted to construct a network event-behavior sequence. An LSTM recurrent neural network model with a special input structure was designed to explore and model the underlying behavioral patterns in these network event-behavior sequences. The experimental results show that behavior consistency exists among the experimental APP samples, and that the proposed special LSTM model is effective in learning and summarizing the network event-behavior sequences of APPs in different functionality categories. The optimal model achieves an average classification accuracy of 92.58%, which is significantly higher than that of several widely used traditional machine learning classifiers.



Received: 18 March 2017      Published: 20 June 2018
CLC:  TP309  
Cite this article:

LUO Na, WEI Song-jie, SHI Zhao-wei, WU Gao-xiang. Behavior consistency detection of Android APP with LSTM model. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2018, 52(6): 1097-1106.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2018.06.008     OR     http://www.zjujournals.com/eng/Y2018/V52/I6/1097


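Behavior consistency detection of Android applications using an LSTM model

Because Android applications are vast in number and diverse in function, it is difficult to accurately verify an application's actual category. To address this, the network behaviors of Android applications were analyzed, a theory of application behavior consistency was proposed, and an LSTM classification model based on network behavior consistency verification was implemented. Different combinations of scenario events were constructed to trigger the run-time network behaviors of applications in different functional categories; effective network features were extracted to build time-ordered sequences of network event behaviors; and an LSTM recurrent neural network model with a special input structure was designed to learn and model the latent behavioral patterns in these sequences. The experimental results show that the Android application samples exhibit behavior consistency; the proposed LSTM network model can effectively learn and generalize the network behavior patterns of applications in different categories; and the optimal model achieves an average classification accuracy of up to 92.58%, outperforming common machine learning classification models for Android applications.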

