Journal of Zhejiang University (Engineering Science)  2018, Vol. 52 Issue (6): 1097-1106    DOI: 10.3785/j.issn.1008-973X.2018.06.008
Computer and Communication Technology
Behavior consistency detection of Android APP with LSTM model
LUO Na, WEI Song-jie, SHI Zhao-wei, WU Gao-xiang
School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China
Abstract:

The large quantity and numerous categories of Android APPs make it difficult to accurately validate the real category of an APP. Through analysis of the network behaviors of Android APPs, a theory of application behavior consistency was presented, and an LSTM classification model based on network behaviors was proposed for consistency verification of APPs. The network behaviors of APPs in different functionality categories were triggered at run time by constructing various combinations of scenario events. Effective network features were then extracted to construct network event-behavior time sequences. An LSTM recurrent neural network model with a special input structure was designed to learn and model the underlying behavioral patterns in these network event-behavior sequences. The experimental results show that the tested APP samples exhibit behavior consistency, and that the proposed LSTM model is effective in learning and summarizing the network behavior patterns of APPs in different functionality categories. The optimal model achieves an average classification accuracy of 92.58%, which is significantly higher than several widely used traditional machine learning classifiers.

Received: 2017-03-18    Published: 2018-06-20
CLC:  TP309  
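Funding:

National Natural Science Foundation of China (61472189); Open Fund of the State Key Laboratory of Air Traffic Management System and Technology (SKLATM201703); CERNET Next Generation Internet Technology Innovation Project (NGⅡ20160105).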

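Corresponding author: WEI Song-jie, male, associate professor. orcid.org/0000-0003-0571-5737. E-mail: swei@njust.edu.cn
About the author: LUO Na (1992-), female, master's student, engaged in research on network traffic security and machine learning. orcid.org/0000-0003-4086-1334. E-mail: luona@njust.edu.cn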

Cite this article:

LUO Na, WEI Song-jie, SHI Zhao-wei, WU Gao-xiang. Behavior consistency detection of Android APP with LSTM model. JOURNAL OF ZHEJIANG UNIVERSITY (ENGINEERING SCIENCE), 2018, 52(6): 1097-1106.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2018.06.008
http://www.zjujournals.com/eng/CN/Y2018/V52/I6/1097

