%0 Journal Article
%T A Detection Method of Injected Android Malicious Applications Using Function Calling Graphs
%A 王欢
%A 来欢
%A 李国栋
%A 田达
%A 梁博
%J 西安交通大学学报
%D 2015
%R 10.7652/xjtuxb201510014
%X Injected Android malicious applications are increasingly widespread, and traditional detection methods rely heavily on a large number of known characteristics. To address this, a static analysis method based on function calling graphs is proposed to detect injected Android malicious applications. The method does not depend on a large set of known characteristics: it detects this class of malicious application effectively by analyzing only the application's own structure, and it can also identify unknown malicious code families. It constructs a function calling graph from the decompiled smali code, partitions the graph into sub-graphs, and decides whether malicious behavior is present by judging the threat degree of each sub-graph. Detection requires no dynamic behavior analysis, so the analysis time is short and efficiency is high. The method not only detects whether an Android application is malicious, but can also use the sub-graph threat degrees to tell which part of the application's code contains the malicious behavior. The approach is tested on 1 260 Android malicious applications and 1 000 normal Android applications, and the results show that it is effective in detecting injected Android malicious applications: the detection rate is 95.94% when the false positive rate is 8.90%. A comparison with the mainstream Android malware detection system Androguard shows a significant improvement in detection performance.
%K Android
%K malware
%K static analysis
%K function calling graph
%U http://zkxb.xjtu.edu.cn/oa/DArticle.aspx?type=view&id=201510014