CAAI Transactions on Intelligent Systems, Vol. 13 No. 2, Apr. 2018
DOI: 10.11992/tis.201609016
Published online at: http://kns.cnki.net/kcms/detail/23.1538.TP.20170317.1937.004.html

Android malware outlier detection based on feature frequency

ZHANG Yuling, YIN Chuanhuan
(School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China)

Abstract: Thanks to its open-source nature and portability, Android has become the mobile operating system with the largest market share. Attacks against Android keep emerging, and Android malware detection has become a very important part of mobile security in recent years. The problems it faces include the difficulty of collecting malware and the imbalance between abnormal and normal samples. To address these problems, the Droid-Saf framework is proposed. The framework introduces a data processing scheme that mines the implicit features of the data; the hidden information contained in the sample features is treated as new features; during modeling, the sample features are integrated into the algorithm to establish dynamic slack variables. Static analysis is used to decompile the apk, and an improved SVDD one-class classifier is used for classification, which overcomes the difficulty of collecting abnormal software in malware detection systems and lowers the miss rate and the misjudgment rate of anomaly detection. Experimental results verify the effectiveness and applicability of the algorithm.

Keywords: Android system; malware; data mining; anomaly detection; SVDD; implicit features; one-class classifier; feature frequency

CLC number: TP391  Document code: A  Article ID: 1673-4785(2018)02-0168-06

Citation: ZHANG Yuling, YIN Chuanhuan. Android malware outlier detection based on feature frequency[J]. CAAI Transactions on Intelligent Systems, 2018, 13(2): 168–173.

The US information technology research and advisory firm Gartner published the 2015 global smartphone sales figures in February 2016[1]. Global smartphone sales reached 1.4 billion units in 2015, up 14.4% from 2014. Gartner expects global mobile phone shipments to reach 1.959 billion units in 2016, up from 1.910 billion units in 2015, and 1.983 billion units in 2017. According to the latest survey report from the German cybersecurity company GDATA, by the end of 2015 the number of Android malware files had reached 2.3 million. With so much Android malware, Android has become the hardest-hit area of mobile security[2]. Mobile

Received: 2016-09-14. Published online: 2017-03-17.
Funding: National Natural Science Foundation of China (61105056).
Corresponding author: YIN Chuanhuan. E-mail: chhyin@bjtu.edu.cn.