CN109753801B - Intelligent terminal malicious software dynamic detection method based on system call - Google Patents

Abstract

The invention relates to a system call-based intelligent terminal malicious software dynamic detection method. The method comprises the steps of extracting system calling characteristics of a sample to be tested in the automatic installation and operation processes of software, carrying out data dimension reduction, vectorization processing and redundancy removal processing on log information of dynamic behaviors, carrying out machine learning classification processing based on a support vector machine model, constructing a Markov matrix of a system calling sequence before learning, converting a result into a format which can be recognized by a Support Vector Machine (SVM), and finally carrying out effectiveness experiment training by taking a mixed training set of normal software and malicious software as the input of the SVM to obtain a trained classification model for judgment. The invention breaks through the traditional safety detection mode, designs the malicious software detection system into a special form by using the Markov matrix to reconstruct the system calling sequence, can realize the automatic detection of malicious codes, can greatly reduce the dimensionality of the trained data, and has simple implementation process and wide application range.

Description

Dynamic detection method of intelligent terminal malware based on system call

technical field

The invention relates to the technical field of information security processing, in particular to a dynamic detection method for intelligent terminal malware based on system calls.

Background technique

With the rapid growth and continuous innovation of the global mobile Internet, various new smart terminals including sensors, processing chips and software systems with data collection, processing and communication capabilities emerge in an endless stream, gradually entering consumers' daily lives. Intelligent terminal equipment refers to the product equipment with the ability to access the Internet. They are usually equipped with various operating systems and can customize various functions according to different user needs. The development of new smart terminals in various fields has driven changes from application services to industrial ecology and business models. While the types of functions are constantly enriched, the number of new smart terminals is also growing rapidly. According to the Internet Data Center (IDC), by 2020, 28 billion devices will be connected to the Internet of Things. According to the "2018 Global Mobile Phone Tracking Quarterly Report", Android mobile phone sales accounted for about 85% of the global market in 2018. It is not difficult to see that the market share of Android smart terminals is far ahead of other smart terminals.

The high market share of Android smart terminals is mainly due to the following factors: First, the openness of Android smart terminals. Developers can customize the system according to the needs of users, and users can also write their favorite application software through self-learning programming languages, which is the most important factor for the high market share of Android smart terminals; second, high hardware compatibility and strong cross-platform features . Android manufacturers continue to launch a variety of Android products to attract customers, such as smart bracelets, tablets, TVs, and even various smart home and auto accessories, and their upper-level applications can also be directly transplanted to various devices, and the user experience is constantly enriched ; Third, cost-effective. Compared with smart terminals of other operating systems, at the same price, Android smart terminals have absolute cost-effectiveness advantages; fourth, rich applications. Application is an important link in the development of the operating system. The threshold for Android application development is low, and the colorful and diverse application software is also one of the factors that make Android smart terminals widely popular.

However, the quality problems of intelligent terminal products are frequently reported. They appear in the form of executable files, program modules or program fragments. They are installed and run without the user's knowledge or authorization, and the implementation of violations of relevant national laws and regulations. behaviors, to achieve illegitimate purposes such as stealing privacy and stealing money, which greatly affects consumers' confidence in smart terminal products. According to the survey, due to various quality problems of product software and hardware, the loss of users is relatively high, which seriously restricts the development of the industry. In July 2017, security firm Palo Alto Networks reported a new malicious Android app, SpyDealer, prevalent in China and targeting Chinese users. The controlled wireless network is infected. This malicious application can steal user sensitive information from more than 40 popular applications such as WeChat and Weibo, causing serious loss of privacy to users. In 2017, a ransomware virus called WannaCry broke out worldwide. According to statistics, the number of mobile phone ransomware malware captured by 360 Fiberhome Labs exceeded 500,000 in just 9 months, and the monitoring data from 360 It shows that in the past year, the number of ransomware attacks in China was nearly 5 million, and the economic losses caused by it were conservatively estimated to exceed 300 million yuan. According to the "Mobile Security Report for the First Half of 2018" released by Tencent Mobile Manager and Tencent Security Joint Lab, in the first half of 2018, Android added 4.687 million virus packages, of which nearly 27,000 payment virus packages were added. The number of infected users is nearly 61.0684 million. Although the trend of new Trojan viruses has slowed down, due to its large base, the harm cannot be underestimated.

In recent years, the detection technology and means for intelligent terminal malware have been continuously developed. For example, a patent application for a method and device for detecting malicious applications on the Android platform, calling the FlowDroid tool, extracting the static data flow characteristics of the Android application to be tested, and using the SUSI technology to be tested The static data stream features of the Android application are processed to generate the feature vector of the data stream of the Android application to be tested, and the generated feature vector of the data stream of the Android application to be tested is input into the pre-trained deep belief network detection model to obtain the Android application to be tested. A detection result of whether the app is a malicious app. It can accurately detect malicious applications on the Android platform, avoid the path coverage problem of dynamic taint tracking, and overcome the need for accurate modeling of the application running process and accurate acquisition of target components for communication between components in static data flow analysis technology. However, this technology has high computational complexity and needs to process a large amount of useless and redundant information.

The name of the patent applied by Guangdong University of Technology on March 16, 2018 is a deep learning-based Android platform malware detection method, which obtains the bytecode file corresponding to the application software APK through decompilation; extracts and generates from the bytecode file The corresponding instruction sequence, the information of each instruction is represented in the form of a vector, and the time sequence of the instruction sequence is obtained; the time sequence of the instruction sequence is used as the input value of the cyclic neural network, and the output value of the cyclic neural network is a one-hot vector. , through the training of a large number of input and output pairs of the recurrent neural network, the malware identifier is obtained; the malware identifier is used to detect and identify the malware. The neural network can be continuously trained, and the recognition model can be obtained more quickly. This implementation method can obtain a fast malware identifier. The malware identifier has a high detection accuracy and speed after being trained with a large number of samples, which improves the malware detection rate. Detection accuracy and speed. However, this method is based on static environment debugging and is not suitable for dynamic system operating environment.

SUMMARY OF THE INVENTION

The technical problem to be solved by the present invention is that, aiming at the above problems existing in the prior art, using the Support Vector Machine (SVM) SVM algorithm to learn and detect Android applications, reduce the complexity of malicious application detection, save system resource consumption, and In solving the problem of high-dimensional features and automatic classification and detection, the detection accuracy of malware is further improved.

The technical solution of the present invention to solve the above technical problems is to propose a dynamic detection method for intelligent terminal malware based on system calls, establish a sandbox testing environment for dynamic information through feature extraction, install and run samples to be detected, and automatically simulate and stimulate Measure the dynamic behavior of the sample, and use the detection tool to record the log of the dynamic behavior, and extract the information of the sample to be tested; feature selection, preprocess the log information of the dynamic behavior, including data dimensionality reduction, vectorization processing and de-redundancy processing; The machine learning classification process, constructs the Markov matrix of the system call sequence, converts the results into a format that SVM can recognize, and uses the mixed training set of normal software and malware as the input of SVM for effective experimental training. After training the classification model, finally perform sample detection, and use the trained model to detect and judge the mixed set of malicious samples and normal samples, so as to obtain the detection result.

Specifically, a method for dynamic detection of intelligent terminal malware based on system calls includes the following steps: a feature extraction module uses a detection tool to record a log of dynamic behavior, extracts dynamic behavior log information of a sample to be tested, and outputs a sequence of system calls in chronological order; The feature selection module preprocesses the dynamic behavior log information, including data dimensionality reduction, vectorization processing and de-redundancy. The data dimensionality reduction part quantifies and scores system calls according to their importance, and assigns scores to system calls from high to low. The sequence is processed; the machine learning module builds the Markov matrix of the system call sequence, converts the result into a format that can be recognized by the support vector machine (SVM), and uses the mixed training set of normal software samples and malware samples as the SVM's The input is subjected to validity training to obtain a trained classification model; the trained classification model is used to detect the mixed set of malware samples and normal software samples, and the detection results are output.

The present invention further includes that the feature extraction module obtains the super administrator (Root) authority to open the super administrator mode, obtains the process identity number PID of the software sample to be tested, extracts the dynamic characteristics of the system call, simulates the operation of the sample software, and analyzes the sample software for each sample software. Kill the process after running for a predetermined time, record and save the sample log file in text (TXT) format, remove the garbled part, remove the time and parameter information of the system call, and obtain the system call sequence output in chronological order.

In data dimensionality reduction, the Information Gain (IG) method is used to quantitatively score the system call sequence. In terms of the threshold selection of system calls, according to the score, select the number from high to low for vectorized processing of system calls, and the unselected parts are not processed, but are classified according to different attributes, and "useless" commands are combined. , and select a reasonable threshold for system calls through experiments.

The data dimensionality reduction specifically includes, according to the entropy of the set to be classified and the conditional entropy of the system call, the calling formula: IG(T)=H(C)-H(C|T) to calculate the information gain IG(T), IG(T) The larger the value is, the more important the classification result is. The system calls are vectorized according to the IG(T) value, the sample software is divided into "important" and "useless" parts, and the "important" part is directly eigenvectorized, while The "useless" parts are merged according to attributes, resulting in a vectorized call sequence.

计算动态行为日志d_i中子序列t_j出现的频率，其中n_i,j为子序列t_j在动态行为日志d_i中出现的次数；其次根据公式

计算子序列t_j的反文档频率IDF_j，其中|D|为样本库中的动态行为日志总数；|i:t_j∈d_i|为出现子序列j的日志总数；t_j∈d_i表示子序列t_j在动态行为日志d_i中出现；+1是为了防止分母变为0。去除冗余部分的信息并保留“重要数据”后，对子序列进行合并，得到去冗余后的系统调用序列。The removal of redundant information in the software specifically includes, performing N-gram (language model) processing on the vectorized call sequence in the log, as the basis for quantitative scoring, using the TF-IDF algorithm to perform the subsequence in the N-gram. Quantitative scoring, first according to the formula

Calculate the frequency of occurrence of subsequence t _j in dynamic behavior log d _i , where n _i,j is the number of occurrences of subsequence t _j in dynamic behavior log d _i ; secondly, according to the formula

Calculate the inverse document frequency IDF _j of the subsequence t _j , where |D| is the total number of dynamic behavior logs in the sample library; |i:t _j ∈ d _i | is the total number of logs that appear in the subsequence j; t _j ∈ d _i means The subsequence _{tj appears} in the dynamic behavior log di; +1 is to prevent the denominator from becoming 0. After removing redundant information and retaining "important data", the subsequences are merged to obtain the de-redundant system call sequence.

The present invention also proposes a system call-based intelligent terminal malware dynamic detection system, including: a feature extraction module, a feature selection module, and a machine learning classification module. Behavior log information, output the sequence of system calls in chronological order; the feature selection module preprocesses the dynamic behavior log information, including data dimensionality reduction, vectorization processing and de-redundancy, and the data dimensionality reduction part quantifies system calls according to their importance. Score, and process the system call sequence from high to low; the machine learning classification module builds the Markov matrix of the system call sequence, and converts the result into a format that can be recognized by the support vector machine (SVM), and the normal The mixed training set of software samples and malware samples is used as the input of SVM for effective training to obtain a trained classification model; the trained classification model is used to detect the mixed set of malware samples and normal software samples, and the detection results are output.

The present invention extracts the system call characteristics of the sample to be tested during the automatic installation and operation of the software, performs data dimension reduction, vectorization processing and de-redundancy processing on the log information of dynamic behavior, and performs machine learning classification based on the support vector machine model. Processing, build the Markov matrix of the system call sequence before learning, convert the result into a format that can be recognized by the support vector machine SVM, and use the mixed training set of normal software and malware as the input of the SVM for effective experimental training, and obtain The trained classification model is used for judgment. The invention breaks through the traditional security detection mode, and designs the malware detection system into a special form by using the Markov matrix to reconstruct the system call sequence, which can not only realize the automatic detection of malicious code, but also greatly reduce the training data dimension. reduce, its realization process is simple, and its application range is wide.

Description of drawings

Figure 1 is a schematic diagram of a malware dynamic detection model;

Figure 2 is a flowchart of a malware feature extraction module;

3 is a schematic diagram of a specific implementation of the N-gram algorithm provided by the present invention;

FIG. 4 is a schematic diagram of the principle of the SVM algorithm provided by the present invention.

Detailed ways

The specific implementation process of the present invention will be described in detail below with reference to the accompanying drawings.

FIG. 1 is a schematic diagram of the application detection system model of the present invention. In order to realize the detection of malicious applications in the Android system, a dynamic detection method of intelligent terminal malware based on system calls is proposed, and an Android malicious application detection system is proposed. The model includes a feature extraction module, a feature processing module and an SVM classification algorithm module.

The feature extraction module performs batch simulation operations on the collected normal software and malware samples, records the behavior log of the software during the running process, removes the garbled part of the log file of the sample to be tested, and records and saves it in text (TXT) format. At the same time, all the time and parameters of the system call are removed to obtain the system call sequence output in time order; the feature processing module performs feature processing on the samples, including: feature dimension reduction processing, feature vectorization processing and de-redundancy processing; SVM The classification algorithm module uses the SVM algorithm to train and classify it to detect Android malicious applications.

Figure 2 shows the flow chart of the malware feature extraction module, which specifically includes: obtaining super administrator (Root) permissions for the Android system emulator or Android device. The root user is the only super administrator in the system, and it has the same permission. You can use the Root Wizard or other third-party tools to achieve the one-click Root function.

Download the super administrator software (Android Debug Bridge Device, ADBD), and enable the super administrator mode after the installation is completed on the mobile phone, otherwise the device will warn and prompt that permission is not granted (PermissionNotAllowed) when starting the system user space tracer (Strace) command ).

The present invention uses a programming language (Python) script to extract features, and the feature extraction steps are as follows: first, obtain super administrator (Root) authority for an emulator or Android device, download and install super administrator software and enable super administrator mode, and secondly obtain The process identity number (Personal ID, PID) of the sample to be tested, and use the Strace command to extract the dynamic characteristics of the system call; then use the simulated manual operation tool (Monkey) to simulate the manual operation of the sample software, and wait for the program to automatically run for a period of time. To kill the process, it is necessary to ensure that the running time of each sample to be tested is consistent; finally, the sample to be tested will record and save the log file in text (TXT) format, and remove the garbled part, and at the same time save the time and parameters of the system call, etc. Parts are completely removed, and then the system call sequence output in chronological order is obtained.

Obtain the process identification number PID (Personal ID) of the sample to be tested. Specifically, decompile the file package, obtain a list of the decompiled Android manifest files (AndroidManifest.xml), obtain the package name of the software, and obtain the PID of the sample through the package name (Android Debug Bridge (Android Debug Bridge) can be used. Bridge, ADB) tool acquisition). To extract the dynamic characteristics of system calls, for example, you can use the Strace command, or use the ADB tool command to place the corresponding version of the Strace executable file in the device system assembly cache (bin). Use the simulated manual operation tool (Monkey) to operate the sample software, and ensure that the running time of each sample to be tested is consistent, and kill the process. The sample log file is recorded and saved in text (TXT) format, and the garbled part is removed. At the same time, the time and parameters of the system call are all removed, and the system call sequence is output in chronological order.

The feature processing module includes a data dimension reduction part, a feature vectorization part and a de-redundancy part. The general steps are as follows: first, quantify and score the system call features through the information gain algorithm, perform data dimensionality reduction to eliminate useless features and obtain useful features, then perform vectorization processing on the retained features, and finally remove redundancy for the feature vectors. operation, in order to get a more accurate SVM classification model.

Data dimensionality reduction part: Malware detection is based on feature extraction, and the type and dimension of the extracted features play a decisive role. Too many feature dimensions will lead to too long detection time, and less feature extraction will lead to a decrease in detection accuracy. In order to improve detection However, researchers have to sacrifice efficiency and try to extract a variety of multi-dimensional features, so how to screen and reduce the dimensionality of these large-scale features is one of the difficulties.

The data dimensionality reduction part first quantifies and scores the system calls according to the degree of importance, and then retains the "important" system calls and removes the "useless" system calls according to the score of each system, so as to achieve the purpose of dimensionality reduction.

)时的条件熵，表示为

因此

其中P(t)和

分别代表系统调用T出现和不出现的概率。在计算IG(T)的具体值时，首先根据公式

计算系统调用集合C的信息熵，其中P(C_m)代表系统调用集合C中第m个系统调用出现的概率，K代表集合C中系统调用的总数量；然后根据公式

和公式

分别计算系统调用T出现时和不出现时的条件熵，其中P(C_m|t)和

分别代表系统调用T出现和不出现的情况下，集合C中第m个系统调用出现的概率。整理上述公式可以计算得到信息增益值IG(T)，IG(T)值越大，表示系统调用T对分类结果越重要。对集合C中的所有系统调用进行上述计算，可得到每个系统调用的信息增益值，作为相应系统调用的评分。The present invention uses the information gain method to score the system call, and the greater the information gain, the better the selectivity of the system call. Define the difference between the entropy H(C) of the system call set C to be classified and the conditional entropy H(C|T) of a system call T as the information gain IG(T) brought by the system call T to the system, namely IG(T) =H(C)-H(C|T), where C represents the system call set, T represents a system call in it; H(C|T) represents the uncertainty of the system call T in the set C, including two One is the conditional entropy when the system call T appears (marked as t), expressed as H(C|t); the other is when the system call T does not appear (marked as

), the conditional entropy is expressed as

therefore

where P(t) and

Represent the probability of the system call T appearing and not appearing, respectively. When calculating the specific value of IG(T), first according to the formula

Calculate the information entropy of the system call set C, where P(C _m ) represents the probability of the occurrence of the mth system call in the system call set C, and K represents the total number of system calls in the set C; then according to the formula

and formula

Calculate the conditional entropy with and without the occurrence of system call T, respectively, where P(C _m |t) and

Represents the probability of the occurrence of the mth system call in the set C when the system call T appears and does not appear, respectively. The information gain value IG(T) can be obtained by arranging the above formula. The larger the value of IG(T), the more important the system call T is to the classification result. The above calculation is performed on all system calls in the set C, and the information gain value of each system call can be obtained as the score of the corresponding system call.

Regarding the selection of the classification threshold when the system calls are divided into "important" and "useless", the present invention selects an appropriate threshold through simulation. First, 20, 40, 60, 80, 100, 120, and 140 system calls are selected for feature vectorization according to the system call scores from high to low, and then the Markov matrix is constructed and the result is converted into a format that SVM can recognize. Using machine learning, the detection rates were obtained when 20, 40, 60, 80, 100, 120, and 140 system calls were reserved, respectively. According to the detection rate trend graph obtained by the simulation, an appropriate threshold was selected, and the part larger than the threshold was classified as "important" The system calls that are smaller than the threshold are classified as "useless" system calls. Since the system call contains various system call attributes of the application software, the unselected parts are not processed, but are classified according to the attributes of the system call, and the "useless" commands are combined, and the "important" parts are directly eigenvectorized. processing, and the "useless" part is combined and processed according to the properties of the system call to complete the data vectorization.

After the threshold is selected, the feature is vectorized to generate the corresponding vector space. Use information gain to reduce the dimension of the data to obtain useful system calls. At this time, the number of system calls is relatively large. Therefore, a de-redundancy method is used to eliminate the features of redundant parts. In this embodiment, TF-IDF (word frequency inverse text frequency) can be used. The combination of the index) algorithm and the N-gram model performs screening and elimination operations on redundant information in the software, as described below:

个系统调用子序列，其中D代表样本库。进一步，采用TF-IDF算法对每一个系统调用子序列量化评分，具体为，根据公式

计算动态行为日志d_i中子序列t_j出现的频率，其中n_i,j为子序列t_j在动态行为日志d_i中出现的次数；其次根据公式

计算子序列t_j的反文档频率IDF_j，其中|D|为样本库中的动态行为日志总数；|i:t_j∈d_i|为出现子序列t_j的日志总数；t_j∈d_i表示子序列t_j在动态行为日志d_i中出现；+1是为了防止分母变为0。最后通过实验仿真选取合适的阈值，去除冗余部分的信息，在保留“重要数据”后对子序列进行合并，从而得到包含重要数据的系统调用向量，进行SVM算法学习和分类。An N-gram language model (N represents a parameter value in the N-gram language model) is used in the de-redundancy processing, and FIG. 3 is a schematic diagram of a specific implementation of the N-gram language model algorithm of this embodiment. Assuming that the dynamic behavior log d _i contains four types of system calls (denoted as S1, S2, S3, S4), the length of the system call sequence in the dynamic behavior log d _i is _Li . The general process is as follows: first, according to the research, a sliding window with a fixed length of N=3 (the value of which is detected as the best N value) is selected, that is, three system calls are used as the size of the sliding window, and each time is smoothed by 1 unit length, until the end of the system call sequence, to obtain L _i -N+1 system call subsequences. Using the N-gram algorithm for the dynamic behavior logs corresponding to all samples, we can get

system call subsequence, where D represents the sample library. Further, the TF-IDF algorithm is used to quantify the score of each system call subsequence, specifically, according to the formula

Calculate the frequency of occurrence of subsequence t _j in dynamic behavior log d _i , where n _i,j is the number of occurrences of subsequence t _j in dynamic behavior log d _i ; secondly, according to the formula

Calculate the inverse document frequency IDF _j of the subsequence t _j , where |D| is the total number of dynamic behavior logs in the sample library; |i:t _j ∈ d _i | is the total number of logs that appear in the subsequence t _j ; t _j ∈ d _i Indicates that the subsequence _{tj appears} in the dynamic behavior log di; +1 is to prevent the denominator from becoming 0. Finally, the appropriate threshold is selected through experimental simulation, the redundant information is removed, and the subsequences are merged after retaining the "important data", so as to obtain the system call vector containing the important data for SVM algorithm learning and classification.

Before the machine learning training test, the present invention constructs the normal software and malware samples into a Markov matrix, converts the result into a format that can be recognized by SVM, and uses it as the input of the SVM for classification model training for subsequent testing. Proceed as follows.

First of all, after the feature processing module obtains the system call sequence after feature processing, because the direct training of the samples is too complex, other processing methods cannot restore the relationship between the system calls well, so the Markov matrix is used to construct the system call sequence to restore the original structure of the system call sequence to the greatest extent, in which the system call sequence of each application is a discrete Markov chain, and finally convert the result into a format that SVM can recognize.

Since the detection results are divided into two categories: normal samples and malicious samples, the detection of malware is essentially a binary classification problem. According to the existing research, the SVM algorithm is very suitable for solving the small sample binary classification problem, and the algorithm has advantages in solving the problem of small sample size and high-dimensional identification, and is suitable for the field of software detection. Therefore, the present invention uses the obtained Markov chain. , using the SVM classification algorithm to achieve classification.

The specific principle of detection using the SVM algorithm is shown in Figure 4. The black and white dots represent malicious samples and normal samples, respectively. All hyperplanes between the two dotted lines can be classified, but only the hyperplane represented by the solid line can be obtained. The maximum discrimination interval enables the classifier to achieve the optimal classification purpose, that is, the hyperplane represented by the solid line is the optimal hyperplane for decision-making. The three samples on the two dotted lines are the boundaries of the samples and are an important basis for finding the optimal classification hyperplane, which is called the support vector. The purpose of using the SVM algorithm is to find this optimal hyperplane.

In the present invention, the following method can be adopted specifically. First, the mixed sample set of normal software and malicious software is divided into training set and test set according to the ratio of 3:1; secondly, the mixed training set of normal software and malicious software is imported into the feature The extraction module, after extracting the system call features, performs the above data dimensionality reduction, de-redundancy and Markov matrix construction; further, for each application software in the mixed training set, according to the real attributes of its normal or malicious samples, the They are labelled separately. The normal samples are marked as "0" and the malicious samples are marked as "1". The SVM algorithm finds an optimal dividing line according to the 2-dimensional distribution of the training set in the plane, and finds an optimal dividing line through straight line segmentation. The training of the model, and finally the test set is used as the input of SVM for detection, and the detection result of normal or malware can be obtained.

The specific implementation process of the system call-based intelligent terminal malware dynamic detection method of the present invention can be summarized as follows: obtaining administrator authority; automatically installing software; simulating operation through Monkey tool; obtaining software behavior log through Strace; Preprocessing: data dimensionality reduction, feature vectorization, de-redundancy; build Markov chain of system call sequence; use SVM to train malicious samples and normal samples separately; test.

Claims (4)

1. The intelligent terminal malicious software dynamic detection method based on system call is characterized by comprising the following steps: the characteristic extraction module records a log of the dynamic behavior by using a detection tool, extracts log information of the dynamic behavior of the sample to be detected, and outputs a system calling sequence according to a time sequence; the characteristic selection module preprocesses the dynamic behavior log information, including data dimension reduction, vectorization processing and redundancy removal, wherein the data dimension reduction part quantificationally scores the system call according to different importance degrees and processes the system call sequence from high to low according to the scores, and after the information of the redundancy part is removed and the important part is reserved, the subsequence is merged to obtain the redundancy-removed system call sequence; a machine learning module constructs a Markov (Markov) matrix of a system calling sequence, converts a result into a format which can be recognized by a Support Vector Machine (SVM), and takes a mixed training set of a normal software sample and a malicious software sample as the input of the SVM to carry out effectiveness training to obtain a trained classification model; detecting a mixed set of the malicious software sample and the normal software sample by adopting a trained classification model, and outputting a detection result;

specifically, the data dimensionality reduction comprises the following steps of calling a formula according to the entropy H (C) of a system call set to be classified and the conditional entropy H (C | T) of the system call: IG (T) ═ H (C) — H (C | T) calculates an information gain IG (T), and hence IG values for all system calls can be obtained; the larger the IG (T) value is, the more important the classification result is, vectorizing the system call according to the IG (T) value, selecting a threshold value through simulation, dividing the system call into an important part and a useless part, directly performing characteristic vectorization on the important part, combining the useless part according to attributes, and performing vectorization, and finally obtaining a system call sequence after each dynamic behavior log is vectorized;

specifically, the method for removing the redundant information in the software comprises the steps of carrying out language model N-gram processing on a vector quantization system call sequence to obtain a plurality of subsequences of system call, using the subsequences as objects of quantitative scoring, and carrying out quantitative scoring on the subsequences in the N-gram according to a formula

Computing dynamic behavior logs d_iNeutron sequence t_jFrequency of occurrence of wherein n_i,jIs a subsequence t_jIn dynamic behavior Log d_iThe number of occurrences in (a); according to the formula

Calculating a subsequence t_jInverse document frequency IDF of_jWherein | D | is the total number of dynamic behavior logs in the sample library; i: t_j∈d_iI is the occurrence subsequence t_jThe total number of logs; t is t_j∈d_iDenotes the subsequence t_jIn dynamic behavior Log d_i(iii) is present; +1 is to prevent the denominator from becoming 0, remove the redundant information and keep the "important" part, then merge the subsequences to get the system call sequence after removing redundancy.

2. The method as claimed in claim 1, wherein the feature extraction module obtains Root authority of the super administrator to open a super administrator mode, obtains a process identity number PID of a software sample to be tested, extracts dynamic features of system call, simulates operation sample software, kills a process after running each sample software for a preset time, records and saves a sample log file in a text TXT format, removes a messy code part, and time and parameter information of system call to obtain a system call sequence output according to a time sequence.

3. Intelligent terminal malicious software dynamic detection system based on system call is characterized by comprising: the system comprises a feature extraction module, a feature selection module and a machine learning classification module, wherein the feature extraction module records a log of dynamic behaviors by using a detection tool, extracts log information of the dynamic behaviors of a sample to be detected, and outputs a system calling sequence according to a time sequence; the characteristic selection module preprocesses the dynamic behavior log information, including data dimension reduction, vectorization processing and redundancy removal, wherein the data dimension reduction part quantificationally scores the system call according to different importance degrees and processes the system call sequence from high to low; a machine learning classification module constructs a Markov matrix of a system calling sequence, converts a result into a format which can be recognized by a Support Vector Machine (SVM), and takes a mixed training set of a normal software sample and a malicious software sample as the input of the SVM to carry out effectiveness training to obtain a trained classification model; detecting a mixed set of the malicious software sample and the normal software sample by adopting a trained classification model, and outputting a detection result;

specifically, for a dynamic behavior log generated when the APK runs in the simulator, recording all system calls appearing in all logs as a set C, and calling a formula according to the entropy H (C) of the system call set to be classified and the conditional entropy H (C | T) of the system calls: calculating information gains IG (T) by using IG (T) ═ H (C | T), wherein the larger the value of IG (T) is, the more important the classification result is, carrying out vectorization processing on the system call according to the value of IG (T), dividing the sample software into an important part and a useless part, directly carrying out feature vectorization processing on the important part, and carrying out merging processing on the useless part according to attributes to obtain a vectorized call sequence;

removing redundant information in sample software, specifically, carrying out N-gram processing on a vectorized system call sequence in a log to obtain a plurality of subsequences of system call, using the subsequences as objects of quantitative scoring, and carrying out quantitative scoring on the subsequences in the N-gram according to a formula

Computing dynamic behavior logs d_iNeutron sequence t_jFrequency of occurrence of wherein n_i,jIs a subsequence t_jIn dynamic behavior Log d_iThe number of occurrences in (a); according to the formula

Calculating a subsequence t_jInverse document frequency IDF of_jWherein | D | is the total number of dynamic behavior logs in the sample library; i: t_j∈d_iL is the total number of logs with the sub-sequence j; t is t_j∈d_iDenotes the subsequence t_jIn dynamic behavior Log d_i(iii) is present; +1 is to prevent the denominator from becoming 0, remove the redundant information and keep the "important" part, then merge the subsequences to get the system call sequence after removing redundancy.

4. The system of claim 3, wherein the feature extraction module obtains Root authority of the hypervisor to open a hypervisor mode, obtains a process identity number PID of a software sample to be tested, extracts dynamic features of system calling, simulates operation sample software, kills a process after running each sample software for a predetermined time, records and stores a sample log file in a text TXT format, removes a messy code part, and removes time and parameter information of system calling to obtain a system calling sequence output according to a time sequence.

Images