Permission-Based Android Malware Detection


I put the Baidu Netdisk download link for the Drebin samples in the article on Android malware classification; download them from there. This experiment follows on from the previous one on opcode-sequence-based Android malware detection; this time the chosen feature is the permission feature. After the apk file is decompiled, the permissions the app requests can be seen in its AndroidManifest.xml, as in the figure below. This experiment mainly uses these permission features to run a binary classification experiment.

[Figure: permissions requested by an app, as listed in its decompiled AndroidManifest.xml]

Dataset

The dataset is basically the same as in the previous opcode-sequence experiment: 1000 malware samples from Drebin and the 1000 benign apps from last time. Because the permission features are this time fetched with the get_permissions() method of the androguard library, there is no need to match them with regular expressions ourselves, which not only greatly simplifies the work but also greatly shortens feature-extraction time.

Feature extraction

Feature extraction method for this experiment: first iterate over the benign and malware sets and count how many times each permission feature occurs, then select the features that occur more than 100 times, 51 in total. The feature table therefore has 51 columns; one app corresponds to one row of the table, with a column set to 1 if the app has that feature and 0 otherwise. The code:

# The code is fairly rough; for simplicity no functions were written.
from androguard.core.bytecodes import apk
from collections import Counter, defaultdict
import os
import pandas as pd

malware_dir = "D:\\android\\dataset\\drebin-1"
kind_dir = "D:\\android\\dataset\\Benign_2016\\"

# file name -> list of permissions declared in the app's AndroidManifest.xml
perms_kind = defaultdict(list)
perms_mal = defaultdict(list)

count = 1
for file in os.listdir(malware_dir):
    print("extracting the permissions of the {0} file...".format(str(count)))
    print(file)
    count += 1
    apk_path = os.path.join(malware_dir, file)
    app = apk.APK(apk_path)
    perms_mal[file] = app.get_permissions()

count = 1
for file in os.listdir(kind_dir):
    print("extracting the permissions of the {0} file...".format(str(count)))
    print(file)
    count += 1
    apk_path = os.path.join(kind_dir, file)
    app = apk.APK(apk_path)
    perms_kind[file] = app.get_permissions()

# count how many times each permission occurs across both sets
cc = Counter()
for d, perms in perms_kind.items():
    for perm in perms:
        cc[perm] += 1
for d, perms in perms_mal.items():
    for perm in perms:
        cc[perm] += 1

# keep the permissions that occur at least 100 times (51 of them)
selectedfeatures = {}
tc = 0
for k, v in cc.items():
    if v >= 100:
        selectedfeatures[k] = v
        print(k, v)
        tc += 1
print("selected {0} features".format(tc))

# one row per app: Class (0 = benign, 1 = malware) plus a 0/1 column per selected permission
dataframelist = []
for fid, perms in perms_kind.items():
    standard = {}
    standard["Class"] = 0
    for feature in selectedfeatures:
        standard[feature] = 1 if feature in perms else 0
    dataframelist.append(standard)
for fid, perms in perms_mal.items():
    standard = {}
    standard["Class"] = 1
    for feature in selectedfeatures:
        standard[feature] = 1 if feature in perms else 0
    dataframelist.append(standard)
df = pd.DataFrame(dataframelist)
df.to_csv("D:\\android\\dataset\\permissions.csv", index=False)

The extracted feature table looks like this:

[Figure: the extracted permission feature table (permissions.csv)]
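The feature-table construction above, as an added stand-alone example that is not code from the original post: it takes permission lists of the kind get_permissions() returns, counts each permission once per app, keeps the permissions declared by at least min_count apps, and vectorizes every app against that fixed list. The app names and permission lists are constructed sample data, and the threshold of 2 stands in for the 100 used on the real dataset.

```python
from collections import Counter

# Constructed sample input: permission lists of the kind androguard's
# APK.get_permissions() returns, keyed by file name and split by class.
BENIGN = {
    "kind1.apk": ["android.permission.INTERNET", "android.permission.VIBRATE"],
    "kind2.apk": ["android.permission.INTERNET"],
    "kind3.apk": ["android.permission.INTERNET", "android.permission.CAMERA"],
}
MALWARE = {
    "mal1.apk": ["android.permission.INTERNET", "android.permission.SEND_SMS",
                 "android.permission.READ_PHONE_STATE"],
    "mal2.apk": ["android.permission.SEND_SMS", "android.permission.READ_PHONE_STATE"],
    "mal3.apk": ["android.permission.INTERNET", "android.permission.SEND_SMS",
                 "android.permission.RECEIVE_BOOT_COMPLETED"],
}

def select_features(perms_by_app, min_count):
    """Count in how many apps each permission is declared (once per app, so a
    permission repeated in one manifest cannot inflate its count) and keep
    those declared by at least min_count apps, in a fixed sorted order."""
    counts = Counter()
    for perms in perms_by_app.values():
        counts.update(set(perms))
    return sorted(p for p, c in counts.items() if c >= min_count)

def vectorize(perms, features):
    """One row of the feature table: 1 if the app declares the permission, else 0.
    Permissions outside the selected list are ignored, so a new app declaring an
    unseen permission still yields a row of the same length."""
    declared = set(perms)
    return [1 if f in declared else 0 for f in features]

def build_table(benign, malware, min_count):
    """Rows are [Class, f1, f2, ...] with Class 0 = benign and 1 = malware."""
    all_apps = {**benign, **malware}
    features = select_features(all_apps, min_count)
    rows = [[0] + vectorize(p, features) for p in benign.values()]
    rows += [[1] + vectorize(p, features) for p in malware.values()]
    return ["Class"] + features, rows

if __name__ == "__main__":
    header, rows = build_table(BENIGN, MALWARE, min_count=2)
    print(header)
    for row in rows:
        print(row)
```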

Machine learning

Random forest is used as the machine-learning algorithm, again with 10-fold cross-validation. The code:

from sklearn.ensemble import RandomForestClassifier as RF
from sklearn.model_selection import cross_val_score
import pandas as pd

train_data = pd.read_csv('D:\\android\\dataset\\permissions.csv')
labels = train_data["Class"]            # first column is the label
data = train_data.iloc[:, 1:].values    # remaining 51 columns are the 0/1 permission features
srf = RF(n_estimators=500, n_jobs=-1)
clf_s = cross_val_score(srf, data, labels, cv=10)   # accuracy of each of the 10 folds
print(clf_s)

The final result:

array([0.97      , 0.985     , 0.985     , 0.96      , 0.975     ,0.965     , 0.9       , 0.965     , 0.91      , 0.95979899])

Deep learning

Next we try a deep-learning approach.

import os
os.environ["CUDA_DEVICE_ORDER"] = "PCI_BUS_ID"
os.environ["CUDA_VISIBLE_DEVICES"] = "0"

import numpy as np
import pandas as pd
from tensorflow import keras
from tensorflow.keras import layers
from sklearn.model_selection import StratifiedKFold

train_data = pd.read_csv('D:\\android\\dataset\\permissions.csv')
labels = train_data["Class"].values
train_data = train_data.iloc[:, 1:].values   # the 51 permission features

seed = 7
np.random.seed(seed)
kfold = StratifiedKFold(n_splits=10, shuffle=True, random_state=seed)
cvscores = []

for train, test in kfold.split(train_data, labels):
    # a fresh fully-connected network for every fold
    model = keras.Sequential()
    model.add(layers.Dense(50, input_dim=51, activation='relu'))
    model.add(layers.Dense(16, activation='relu'))
    model.add(layers.Dense(16, activation='relu'))
    model.add(layers.Dense(16, activation='relu'))
    model.add(layers.Dense(16, activation='relu'))
    model.add(layers.Dense(16, activation='relu'))
    model.add(layers.Dense(1, activation='sigmoid'))
    model.compile(
        optimizer='adam',
        loss='binary_crossentropy',
        metrics=['acc']
    )
    model.fit(train_data[train], labels[train], epochs=60, batch_size=256, verbose=0)
    scores = model.evaluate(train_data[test], labels[test], verbose=0)
    print(scores[1])            # accuracy on the held-out fold
    cvscores.append(scores[1])
print(cvscores)

The final result:

[0.945, 0.935, 0.96, 0.97, 0.965, 0.95, 0.93, 0.945, 0.935, 0.959799]

Feature combination

As in the earlier Microsoft malware-detection experiment, we try combining the opcode features with the permission features. The code:

from sklearn.ensemble import RandomForestClassifier as RF
from sklearn.model_selection import cross_val_score
import pandas as pd

subtrainfeature1 = pd.read_csv("D:\\android\\dataset\\3_gram.csv")
subtrainfeature2 = pd.read_csv("D:\\android\\dataset\\permissions.csv")
# both CSVs list the same apps in the same order, so a running number serves as the join key
clas = range(1, len(subtrainfeature1) + 1)
subtrainfeature1.insert(0, 'num', clas)
subtrainfeature2.insert(0, 'num', clas)
subtrain = pd.merge(subtrainfeature1, subtrainfeature2, on="num")

# after the merge the label column is present twice (Class_x, Class_y); keep one as the
# label and drop both from the features, otherwise the label leaks into the classifier input
assert (subtrain["Class_x"] == subtrain["Class_y"]).all()
labels = subtrain["Class_x"]
subtrain.drop(["Class_x", "Class_y", "num"], axis=1, inplace=True)
subtrain = subtrain.values

srf = RF(n_estimators=500, n_jobs=-1)
clf_s = cross_val_score(srf, subtrain, labels, cv=10)
print(clf_s)
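A safer version of the feature combination, added here as an example rather than code from the post: instead of pairing rows by position, it joins the two tables on an app identifier, checks that both tables agree on the label, and drops every label column before the features are handed to the classifier. The rows and column names are constructed sample data, and the "app" key column is an assumption (the post's CSVs carry no such column).

```python
# Constructed sample tables standing in for the rows of 3_gram.csv and
# permissions.csv after loading: one dict per app, label in "Class". The
# "app" key column is an assumption; the post's CSVs have no such column.
OPCODE_ROWS = [
    {"app": "a1.apk", "Class": 0, "invoke-virtual move-result const/4": 3},
    {"app": "a2.apk", "Class": 1, "invoke-virtual move-result const/4": 0},
    {"app": "a3.apk", "Class": 1, "invoke-virtual move-result const/4": 7},
]
PERMISSION_ROWS = [          # deliberately in a different order than OPCODE_ROWS
    {"app": "a1.apk", "Class": 0, "android.permission.SEND_SMS": 0},
    {"app": "a3.apk", "Class": 1, "android.permission.SEND_SMS": 1},
    {"app": "a2.apk", "Class": 1, "android.permission.SEND_SMS": 1},
]

def combine(rows_a, rows_b, key="app", label="Class"):
    """Join two feature tables on the app identifier, check that both agree on
    the label, and return (feature_names, X, y) with every label column removed
    so that no copy of the label leaks into the classifier's input."""
    by_key = {r[key]: r for r in rows_b}
    if len(by_key) != len(rows_b):
        raise ValueError("duplicate app identifiers in the second table")
    feature_names = sorted(
        set().union(*(r.keys() for r in rows_a + rows_b)) - {key, label})
    X, y = [], []
    for ra in rows_a:
        rb = by_key.get(ra[key])
        if rb is None:
            raise ValueError(f"{ra[key]} is missing from the second table")
        if ra[label] != rb[label]:
            raise ValueError(f"label mismatch for {ra[key]}")
        merged = {**ra, **rb}
        X.append([merged.get(f, 0) for f in feature_names])
        y.append(ra[label])
    return feature_names, X, y

if __name__ == "__main__":
    names, X, y = combine(OPCODE_ROWS, PERMISSION_ROWS)
    print(names)
    for row, cls in zip(X, y):
        print(cls, row)
```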

The accuracy over the 10 cross-validation folds:

array([0.985     , 0.995     , 0.99      , 0.96      , 0.9       ,0.975     , 0.96      , 0.985     , 0.985     , 0.98492462])

Summary

Permission-feature accuracy:

array([0.97      , 0.985     , 0.985     , 0.96      , 0.975     ,0.965     , 0.9       , 0.965     , 0.91      , 0.95979899])

3-gram classification accuracy:

array([0.965     , 0.995     , 0.99      , 0.96      , 0.885     ,0.97      , 0.945     , 0.975     , 0.98      , 0.98994975])

Combined-feature accuracy:

array([0.985     , 0.995     , 0.99      , 0.96      , 0.9       ,0.975     , 0.96      , 0.985     , 0.985     , 0.98492462])

Deep learning with combined features:

[0.99, 0.98, 0.985, 1.0, 0.995, 0.97, 0.98, 0.995, 0.97, 0.9849246]

The comparison chart:

[Figure: accuracy comparison of the four approaches across the 10 folds]
