| Because there are many third-party Android application markets and no unified auditing and supervision of application security, the amount of malicious software targeting Android mobile devices has increased dramatically. Leakage of personal privacy information, malicious fee deductions and other security issues emerge endlessly. Research on malware detection and protection technology for the Android platform is therefore of great significance. The main contents of this thesis are as follows: (1) For static detection of Android malware, many studies use the Naive Bayesian classification algorithm, but existing research does not address its deficiencies: it assumes that every feature attribute carries the same weight and that the attributes are independent of one another. This thesis therefore presents a detection scheme based on an improved Naive Bayesian classification algorithm. First, the application's permission features, sensitive API call features and signature features are acquired by decompiling the APK files. Then the weight of each feature is calculated with the TF-IDF algorithm to improve the accuracy of the Naive Bayesian classifier. Finally, the similarity between features is calculated with a method based on information entropy, and redundant features with high correlation are clustered to improve the classifier's performance. The experimental results show that this scheme achieves a higher malware detection rate and higher overall detection accuracy than the traditional Naive Bayesian algorithm, which verifies its effectiveness in malware detection. (2) More and more normal software requests the user's personal information, such as location information and address book information, in order to complete complex business functions. Because these behaviors are similar to those of malware, existing static detection methods perform poorly, with a high error detection rate of about 20%. This thesis therefore presents a dynamic detection scheme based on user behavior features. It combines the newly added user behavior features with the commonly used dynamic features and uses an improved SVM algorithm based on KNN for model training and classification. The user behavior features in this scheme refer to allowing the user to decide whether to authorize a third-party application's request for a sensitive system service. Emphasis is placed on the analysis of the techniques used to acquire user behavior features, including process injection on the Android platform, implementation of system function hooking, and interception and analysis of Binder IPC data. At the same time, some defects of the traditional SVM algorithm are remedied by combining it with the KNN algorithm. Finally, the experimental results show that this scheme improves detection performance; in particular, the misdetection rate for normal software decreases significantly, which verifies the effectiveness of this scheme in malware detection. (3) Because the false detection rate of the static detection scheme is relatively high, a detection system combining dynamic and static detection is designed and implemented in this thesis. The Naive Bayesian classification model in the static detection scheme is extended from a two-class model to a three-class model: a suspicious-software result set is introduced into the preliminary detection results, and suspicious software then undergoes dynamic detection. The two detection methods complement each other to further improve the system's detection performance. Finally, an automatic blocking module is added that blocks sensitive system service invocations by software identified as malware. The system thus plays an effective role in the detection of and protection against malicious software on the Android platform. |
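
The static stage in (1) and the three-class triage in (3) can be sketched as an attribute-weighted Naive Bayes over permission sets; this is an added example, not code from the thesis. The training data, the exact TF-IDF form, the `lo`/`hi` thresholds and all function names are assumptions, and the entropy-based feature clustering step is omitted.

```python
import math
from collections import Counter

# Constructed training set (permission sets and labels); not data from the thesis.
TRAIN = [
    ({"INTERNET", "SEND_SMS", "READ_CONTACTS"}, "malware"),
    ({"INTERNET", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"}, "malware"),
    ({"INTERNET", "SEND_SMS", "READ_PHONE_STATE"}, "malware"),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, "benign"),
    ({"INTERNET", "CAMERA"}, "benign"),
    ({"INTERNET", "READ_CONTACTS"}, "benign"),
]
CLASSES = ("malware", "benign")

def train(samples):
    """Return (prior, prob, weight) for an attribute-weighted Naive Bayes model."""
    n = len(samples)
    n_class = Counter(label for _, label in samples)
    count = {c: Counter() for c in CLASSES}
    for feats, label in samples:
        count[label].update(feats)
    df = Counter(f for feats, _ in samples for f in feats)  # apps containing f
    prior = {c: n_class[c] / n for c in CLASSES}
    # Laplace-smoothed P(feature present | class)
    prob = {c: {f: (count[c][f] + 1) / (n_class[c] + 2) for f in df} for c in CLASSES}
    # Assumed TF-IDF form: tf = highest within-class frequency, idf = ln(N / df).
    weight = {f: max(count[c][f] / n_class[c] for c in CLASSES) * math.log(n / df[f])
              for f in df}
    return prior, prob, weight

def classify(model, feats, lo=0.35, hi=0.70):
    """Three-way verdict; lo/hi are hypothetical thresholds, not the thesis's."""
    prior, prob, weight = model
    known = [f for f in feats if f in weight]  # ignore features never seen in training
    # Weighted NB: each present feature's log-likelihood is scaled by its weight.
    score = {c: math.log(prior[c]) + sum(weight[f] * math.log(prob[c][f]) for f in known)
             for c in CLASSES}
    p_mal = 1 / (1 + math.exp(score["benign"] - score["malware"]))
    if p_mal >= hi:
        return "malware", p_mal
    if p_mal <= lo:
        return "benign", p_mal
    return "suspicious", p_mal  # would be handed to dynamic detection

MODEL = train(TRAIN)
if __name__ == "__main__":
    print(classify(MODEL, {"INTERNET", "SEND_SMS", "READ_PHONE_STATE"}))
```

`INTERNET` appears in every training sample, so its weight is zero and it contributes nothing to the verdict, while a permission seen equally in both classes (`READ_CONTACTS`) leaves the app in the suspicious band.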