Real-time Malicious Behavior Detection In Android Apps Based On Dynamic Behavior Analysis

Posted on: 2017-12-30; Degree: Master; Type: Thesis
Country: China; Candidate: Z Y Ni; Full Text: PDF
GTID: 2348330491964318; Subject: Computer Science and Technology
Abstract/Summary:
In recent years, Android malware has grown explosively along with the popularization of Android devices, posing a serious threat to users' security and privacy. Malicious behavior detection and interception in Android apps is therefore one of the hottest topics in smartphone security research at present.

Currently, Android malware detection schemes are generally divided into two categories, i.e., static and dynamic analysis. Static analysis schemes cannot obtain the runtime context and might be deliberately evaded by malware developers. However, static analysis is fairly effective for offline batch analysis at market scale. Most existing dynamic analysis schemes focus on analyzing either permission uses or API invocations. These techniques are difficult to deploy on smart terminals to block malicious behavior in real time. To address these issues, this thesis studies a real-time malicious behavior detection approach based on dynamic behavior sequence analysis, and implements a malicious behavior detection system for the Android platform. Specifically, the main work includes the following 3 aspects.

1. The dynamic behavior inspection techniques for Android apps are studied, and an automated testing platform is developed for the deployment of massive numbers of apps and for data collection. The taint tracking technique is implemented to monitor API invocations by using a customized Android system, and the system permission uses in both the Android framework and the kernel are recorded for permission inspection purposes. The automated testing platform is developed to automatically deploy and run a set of 1243 malware samples and 12582 benign apps from the Google Play market by using the emulator and the Monkey tool, and 13825 entries of behavior data are then collected from these app samples.

2. Malware offline blind recognition and online real-time detection techniques are developed. An offline classification technique is designed based on the string subsequence kernel, without prior knowledge of malware behavioral features. On this basis, an online real-time malicious behavior detection technique is proposed. 24 sensitive behavior sequences are extracted by applying the trained model of offline blind recognition. Then the behavior subsequences matched in the original app behavior sequence by these 24 behavior sequences, together with other dynamic behavioral and user-relevant features, are used as the attributes for classification.

3. Integrating the dynamic behavior monitoring technique and the online malicious behavior recognition technique, an Android malicious behavior detection system is designed and implemented to detect malicious behavior in apps and intercept it in real time.

In summary, this thesis investigates a real-time inspection technique for system API invocations and permission uses in the Android system, and collects behavior data by developing an automated testing platform. Based on this, an intelligent recognition and response scheme is designed and implemented for malicious behavior detection in Android apps, so as to enhance the security of the Android system.
Keywords/Search Tags: Android, Malware, Dynamic Behavior Analysis, Malicious Behavior Detection, String Subsequence Kernel
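
The offline step in the abstract classifies app behavior sequences with a string subsequence kernel. As an added example (not code from the thesis), the Python below implements the standard string subsequence kernel recursion over token sequences and labels a trace by its most similar labelled trace. The behavior tokens, the sample traces, n = 2, the decay 0.5 and the nearest-trace rule are assumptions; the abstract does not specify the thesis's parameters or classifier.

```python
from functools import lru_cache
from math import sqrt

def ssk(s, t, n=2, lam=0.5):
    """K_n(s, t): weighted count of common length-n subsequences (gaps decay by lam)."""
    s, t = tuple(s), tuple(t)

    @lru_cache(maxsize=None)
    def k_prime(i, ls, lt):  # auxiliary kernel K'_i on prefixes s[:ls], t[:lt]
        if i == 0:
            return 1.0
        if min(ls, lt) < i:
            return 0.0
        total = lam * k_prime(i, ls - 1, lt)
        for j in range(lt):
            if t[j] == s[ls - 1]:
                total += k_prime(i - 1, ls - 1, j) * lam ** (lt - j + 1)
        return total

    @lru_cache(maxsize=None)
    def k(ls, lt):  # K_n on prefixes s[:ls], t[:lt]
        if min(ls, lt) < n:
            return 0.0
        total = k(ls - 1, lt)
        for j in range(lt):
            if t[j] == s[ls - 1]:
                total += k_prime(n - 1, ls - 1, j) * lam ** 2
        return total

    return k(len(s), len(t))

def similarity(s, t, n=2, lam=0.5):
    """Normalized kernel in [0, 1]; 0 when a trace has no length-n subsequence."""
    denom = sqrt(ssk(s, s, n, lam) * ssk(t, t, n, lam))
    return ssk(s, t, n, lam) / denom if denom else 0.0

# Constructed traces with hypothetical behavior tokens (not data from the thesis).
LABELLED = [
    ("malicious", ["READ_CONTACTS", "READ_SMS", "OPEN_SOCKET", "SEND_DATA"]),
    ("benign", ["OPEN_FILE", "READ_FILE", "DRAW_UI", "CLOSE_FILE"]),
]

def classify(trace, n=2, lam=0.5):
    """Label of the most similar labelled trace (stand-in for a trained kernel classifier)."""
    return max(LABELLED, key=lambda item: similarity(trace, item[1], n, lam))[0]
```

Because the kernel counts non-contiguous subsequences, a trace still matches when unrelated events are interleaved between the sensitive ones; the decay only lowers the weight of the match.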