Combining Static Permissions and Dynamic Packet Analysis to Improve Android Malware Detection Performance
Master's === National Central University === Department of Information Management === 106 === The popularity of Android smart mobile devices has made them the main target of malware developers. How to detect and prevent mobile malware has become a major issue. At the same time, mobile applications' network traffic has grown rapidly, making it more f...
Main Authors: | , |
---|---|
Other Authors: | |
Format: | Others |
Language: | zh-TW |
Published: | 2018 |
Online Access: | http://ndltd.ncl.edu.tw/handle/ze52k6 |
id |
ndltd-TW-106NCU05396079 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-TW-106NCU05396079 2019-10-31T05:22:24Z http://ndltd.ncl.edu.tw/handle/ze52k6 Combining Static Permissions and Dynamic Packet Analysis to Improve Android Malware Detection Performance 結合靜態權限及動態封包分析以提升Android惡意程式偵測效能之研究 Yung-Ching Shyong 熊永菁 Master's, National Central University, Department of Information Management, 106 Yi-Ming Chen 陳奕明 2018 thesis 63 zh-TW |
collection |
NDLTD |
language |
zh-TW |
format |
Others |
sources |
NDLTD |
description |
Master's === National Central University === Department of Information Management === 106 === The popularity of Android smart mobile devices has made them the main target of malware developers. How to detect and prevent mobile malware has become a major issue. At the same time, mobile applications' network traffic has grown rapidly, making it more feasible to use network packets as a data set to detect malicious applications. However, dynamic analysis has the disadvantage that data collection takes time, and the past literature extracts only a single kind of protocol feature from the network packets. In addition, it is not enough merely to distinguish applications as malicious or benign. Based on this, this study proposes an Android malware analysis system combining static permissions and dynamic packet analysis. First, static analysis is used to filter out benign applications through the permissions the application declares, avoiding excessive data collection time; multiple types of features are then extracted from the network traffic of malicious programs, which improves the detection effect and reduces the false positive rate. Finally, the malware family is classified. Since applications in the same malware family have similar malicious behavior, this classification method can provide security personnel with sufficient information to establish a prevention strategy. The experimental results show that the accuracies of the static and dynamic models are 98.96% and 95.6%, respectively, and the dynamic analysis of network packets is higher than the accuracy of 94.33% of malicious family classification. When the test data were used to verify the overall performance of the system, the accuracy rate was 89.1%. However, this experiment confirmed that the data collection time of the dynamic analysis was greatly improved, and only 47.5% of the applications required a five-minute dynamic network packet collection.
|
author2 |
Yi-Ming Chen |
author_facet |
Yi-Ming Chen Yung-Ching Shyong 熊永菁 |
author |
Yung-Ching Shyong 熊永菁 |
title |
Combining Static Permissions and Dynamic Packet Analysis to Improve Android Malware Detection Performance |
publishDate |
2018 |
url |
http://ndltd.ncl.edu.tw/handle/ze52k6 |