基于深度学习的类别不平衡条件下移动恶意应用在线检测

Malicious mobile apps collecting mobile users’ private records and sensitive data have become the major threat to the mobile ecosystem. Despite numerous research efforts in recent years, mobile malware detection is still a challenging task, which attracts extensive attentions from the academia, network service providers and law enforcement. Meanwhile, the methods that utilize static features or dynamic system call sequences to detect malicious apps will consume excessive resources, affect user experience, and also fall short in discovering unknown malware. This project tries to tackle this challenge by developing a novel online detection method to identify malicious apps based on network traffic analysis. In particular: (1) the project builds a large-scale network traffic data collection framework with a careful control of network security boundary; (2) due to the poor performance of traditional network behavioral features, as well as the stringent requirement of expert knowledge in developing new features, the project proposes the concept of an interactive network traffic map to characterize network traffic data, which is inspired by grayscale image concept; (3) the project will apply deep learning techniques to learn malware network behavior features automatically, in order to discover unknown malware network behavior; (4) the project will investigate and evaluate the robustness and real-time efficiency of the proposed system for classifying imbalanced streaming data in the real world setting; (5) after designing and verifying the system design with a large-scale real world implementation, we will deploy the mobile malware online detection mechanism at the network access point. The research result will be significant, as it provides efficient defense mechanisms for mobile devices to detect privacy leakage and security threats, and it also helps reduce the malware detection costs on the mobile terminals.

以获取隐私信息和敏感数据为主要目标的恶意应用是移动智能终端用户面临的主要威胁，移动恶意应用检测已成为学术界、网络安全企业和国家有关部门普遍关心的问题。现有以静态特征和动态系统调用特征为基础的检测方法存在终端资源消耗大、用户依赖度高、未知恶意应用发现能力不足等缺陷。项目研究一种移动恶意应用在线检测方法：（1）在确保网络安全可控前提下实现大规模恶意应用网络交互流量采集；（2）在新特征发现严重依赖专家知识的背景下，类比灰度图像提出恶意应用网络交互流量图谱用于表征流量样本；（3）基于深度学习模型在恶意应用网络行为特征自动学习及未知恶意应用行为发现方面寻求突破；（4）面向真实网络环境解决类别不平衡条件下流式数据样本智能分类的鲁棒性和实时性问题；（5）集成以上内容最终实现在网络接入点实施移动恶意应用在线智能检测的目标。研究成果对于尽早发现移动终端隐私和安全威胁，降低恶意应用检测终端开销具有重要意义。

基于网络行为的移动恶意应用发现近年来作为一种新兴的恶意应用检测方法受到密切关注。项目针对真实网络环境中移动恶意应用的检测需求，开展移动恶意应用在线智能化检测研究。项目完善了已有的流量自动化采集平台，并研制了大规模的恶意应用网络行为样本集；在采集的流量数据集基础上，对网络流量的语义特征和行为特征的提取开展研究，并基于深度学习算法实现恶意行为的智能化检测；针对互联网流量类别不平衡特性，研究多种非平衡流量检测的过采样模型；在数据流量不断增加的条件下，研究基于增量学习的在线恶意应用智能化检测，方法和系统在真实环境下应用测试取得较好的时间鲁棒性和在线检测性能；针对真实网络环境下的移动恶意变种问题，研究基于迁移学习的未知移动恶意变种识别方法。项目的研究对保护移动用户的终端安全和隐私具有重要意义，项目成果已转化给华为技术有限公司使用，具有良好的使用前景和应用价值。