高级检索

  • ISSN 1006-3080
  • CN 31-1691/TQ

基于LSTM-SVM模型的恶意软件检测方法

赵敏 张雪芹 朱唯一 朱世楠

赵敏, 张雪芹, 朱唯一, 朱世楠. 基于LSTM-SVM模型的恶意软件检测方法[J]. 华东理工大学学报(自然科学版). doi: 10.14135/j.cnki.1006-3080.20210517005
引用本文: 赵敏, 张雪芹, 朱唯一, 朱世楠. 基于LSTM-SVM模型的恶意软件检测方法[J]. 华东理工大学学报(自然科学版). doi: 10.14135/j.cnki.1006-3080.20210517005
ZHAO Min, ZHANG Xueqin, ZHU Shinan, ZHU Weiyi. Malware Detection Method Based on LSTM-SVM Model[J]. Journal of East China University of Science and Technology. doi: 10.14135/j.cnki.1006-3080.20210517005
Citation: ZHAO Min, ZHANG Xueqin, ZHU Shinan, ZHU Weiyi. Malware Detection Method Based on LSTM-SVM Model[J]. Journal of East China University of Science and Technology. doi: 10.14135/j.cnki.1006-3080.20210517005

基于LSTM-SVM模型的恶意软件检测方法

doi: 10.14135/j.cnki.1006-3080.20210517005
详细信息
    作者简介:

    赵敏:赵 敏(1996—),女,河南镇平人,硕士生,主要研究方向为安卓恶意软件检测。E-mail:zm_ynu@163.com

    通讯作者:

    张雪芹,E-mail:zxq@ecust.edu.cn

  • 中图分类号: TP399

Malware Detection Method Based on LSTM-SVM Model

  • 摘要: 为了提高Android恶意软件的检测精度,提出了一种基于LSTM-SVM(Long Short-Term Memory-Support Vector Machine)模型的Android恶意软件静态检测方法。通过反编译Android软件的APK(Android Package)文件,提取出采用权限、组件、意图3类信息构成XML特征;通过分析API(Application Programming Interface)调用情况构成API特征。考虑恶意软件运行的时序性、特征维度等,基于XML特征构建LSTM异常检测模型,基于API特征构建SVM异常检测模型,两个模型采用并联模式,基于概率差融合算法得到最终的检测结果。在CICAndMal2017数据集上的实验结果表明,本文方法的检测精度可以达到98%以上。

     

  • 图  1  API特征列表构建

    Figure  1.  Construction of API feature list

    图  2  基于LSTM-SVM的恶意软件检测框架

    Figure  2.  Malware detection framework based on LSTM-SVM

    图  3  LSTM单元标准结构

    Figure  3.  LSTM unit standard construction

    图  4  3类特征和XML特征检测结果比较

    Figure  4.  Comparison of detection results of three types of features and XML features

    表  1  XML特征示例

    Table  1.   Examples of XML features

    TypeFeature
    Permissionandroid.permission.WRITE_ SMS,
    android.permission.ACCESS_FINE_LOCATION,
    android.permission.ACCESS_WIFI_STATE,…
    ComponentMenuAboutActivity,TrashClearActivity,
    BoostMainActivity,AppManagerActivity,…
    IntentACTION_GOSTATICSDK,REGISTRATION,
    ValentinesMessages,inigoandroid,foursquared,…
    下载: 导出CSV

    表  2  数据集划分

    Table  2.   Data set partition

    Training setValidation setTesting set
    BenignMaliciousBenignMaliciousBenignMalicious
    10202553408534086
    下载: 导出CSV

    表  3  特征类别及其数量

    Table  3.   Category and quantity of features

    API feature XML feature
    PermissionComponentIntent
    2253414206532826
    下载: 导出CSV

    表  4  基本评价指标

    Table  4.   Basic evaluation index

    Real classificationForecast classificationTotal
    MaliciousBenign
    MaliciousTNFPN
    BenignFNTPP
    下载: 导出CSV

    表  5  不同API特征子列表长度检测结果对比

    Table  5.   Comparison of detection results of different API feature sublist lengths

    nACC/%TPR/%FPR/%
    70094.1397.9420.93
    100094.697.6517.44
    150094.1396.4715.12
    200096.0197.6510.47
    250095.7797.6511.63
    300096.4898.5311.63
    350096.7198.8211.63
    下载: 导出CSV

    表  6  不同特征融合方式检测结果比较

    Table  6.   Comparison of detection results of different feature fusion methods

    MethodACC/%TPR/%FPR/%
    XML96.4897.356.98
    XML+API97.4299.7111.63
    XML-API97.8999.126.98
    下载: 导出CSV

    表  7  基于XML特征的不同模型检测结果比较

    Table  7.   Comparison of detection results of different models based on XML features

    ModelACC/%TPR/%FPR/%
    SVM95.7797.069.3
    RF96.7197.948.14
    LSTM96.4897.356.98
    MLP96.0196.766.98
    CNN96.4897.658.14
    下载: 导出CSV

    表  8  基于API特征的不同模型检测结果比较

    Table  8.   Comparison of detection results of different models based on API features

    ModelACC/%TPR/%FPR/%
    SVM(Linear)96.0197.6510.47
    SVM(RBF)92.2596.1823.26
    SVM(Poly)93.1993.246.98
    RF94.8497.6516.28
    LSTM95.5498.2415.12
    MLP94.3797.6518.6
    CNN95.0797.9416.28
    下载: 导出CSV

    表  9  并联模型的对比实验结果

    Table  9.   Comparison of parallel models experiments

    ModelACC/%TPR/%FPR/%
    baseline96.4897.356.98
    LSTM-SVM98.1299.416.98
    LSTM-RF97.4298.536.98
    LSTM-LSTM97.8999.126.98
    LSTM-MLP97.4298.828.14
    LSTM-CNN97.6599.419.3
    下载: 导出CSV
  • [1] PAN Y, GE X T, FANG C R, et al. A systematic literature review of Android malware detection using static analysis[J]. IEEE Access, 2020, 8: 116363-116379. doi: 10.1109/ACCESS.2020.3002842
    [2] LI L, BISSYANDE T F, PAPADAKIS M. Static analysis of Android apps: A systematic literature rreview[J]. Information and Software Technology, 2017, 88: 67-95. doi: 10.1016/j.infsof.2017.04.001
    [3] YAN P, YAN Z. A Survey on dynamic mobile malwdetection[J]. Software Quality Journal, 2018, 26(3): 891-919. doi: 10.1007/s11219-017-9368-4
    [4] REHMAN Z, KHAN S N, MUHAMMAD K. Machine learning-assisted signature and heuristic-based detection of malwares in Androidevices[J]. Computers & Electrical Engineering, 2018, 69: 828-841.
    [5] KAUSHIK P, YADAV P K. A noapproach for detecting malware in Android applications using deep learning[C]//11th International Conference on Contemporary Computing(IC3). India: IEEE, 2018: 59-62.
    [6] LI D F, WANG Z G, XUE Y B. Fine-grained Android malware detection based on deep learning[C]//6th IEEE Conference on Communications and Network Security(CNS). China: IEEE, 2018: 1-2.
    [7] FCIZOLLAH A, ANUAR N B, SDLLEH R, et al. AndroDialysis: Analysis of Android intent effectiveness in malware detection[J]. Computers & Security, 2017, 65: 121-134.
    [8] LI J, SUN L C, YAN Q B, et al. Significant permission identification for machine learning-based Android malware detection[J]. IEEE Transactions on Industrial Informatics, 2018, 14(7): 3216-3225. doi: 10.1109/TII.2017.2789219
    [9] ALOTAIBI A. Identifying malicious software using deep residual Long-short term memory[J]. IEEE Access, 2019, 7: 163128-163137. doi: 10.1109/ACCESS.2019.2951751
    [10] XU K, LI Y J, ROBERT H. DENG, et al. DeepRefiner: Multi-layer Android malware detection system applying deep neural networks[C]//3rd IEEE European Symposium on Security and Privacy(Euro S&P). England: IEEE Computer Soc, 2018: 473-487.
    [11] 孙志强, 万良, 丁红卫. 基于深度自编码网络的Android恶意软件检测方法[J]. 计算机科学, 2020, 47(4): 298-304. doi: 10.11896/jsjkx.190700132
    [12] JUNG J, LIM K, KIM B, et al. Detecting malicious Android apps using the popularity and relations of APIs[C]//2nd IEEE International Conference on Artificial Intelligence and Knowledge Engineering(AIKE). Italy: IEEE Computer Soc, 2019: 309-312.
    [13] PEYNIRCI G, EMINAGAOGLU M, KARABULUT K. Feature selection for malware detection on the Android platform based on differences of IDF values[J]. Journal of Computer Science and Technology, 2020, 35(4): 946-962. doi: 10.1007/s11390-020-9323-x
    [14] YUAN Z L, LU Y Q, XUE Y B. DroidDetector: Android malware characterization and detection using deep learning[J]. Tsinghua Science and Technology, 2016, 21(1): 114-123. doi: 10.1109/TST.2016.7399288
    [15] ZHANG X Q, CHEN J H. Deep learning based intelligent intrusion detection[C]//9th IEEE International Conference on Communication Software and Networks(ICCSN). China: IEEE, 2017: 1133-1137.
    [16] LI Z J, FENG X J, WU Z Q, et al. Classification of atrial fibrillation recurrence based on a convolution neural network with SVM architecture[J]. IEEE Access, 2019, 7: 77849-77856. doi: 10.1109/ACCESS.2019.2920900
    [17] 付仔蓉, 吴胜昔, 吴潇颖, 等. 基于空间特征的BI-LSTM人体行为识别[J]. 华东理工大学学报(自然科学版), 2021, 47(2): 225-232.
    [18] LASHKARI A H, KADIR A F A, TAHERI L, et al. Toward developing a systematic approach to generate benchmark Android malware datasets and classification[C]//52nd Annual IEEE International Carnahan Conference on Security Technology(ICCST). Canada: IEEE, 2018: 242-248.
  • 加载中
图(4) / 表(9)
计量
  • 文章访问数:  90
  • HTML全文浏览量:  44
  • PDF下载量:  15
  • 被引次数: 0
出版历程
  • 收稿日期:  2021-05-17
  • 网络出版日期:  2021-07-22

目录

    /

    返回文章
    返回