行動裝置的普及與Android作業系統的開放性,使得層出不窮的惡意軟體嚴重影響使用者資訊安全,面對變化多端的攻擊手法與躲避偵測方法,如何更準確的偵測出惡意軟體並加以防護已成為重要議題。雖然目前已有研究提出透過分析應用程式實際執行過程,能有效避免程式碼混淆等躲避偵測問題。但是面對此方法所提取的序列型特徵,如何更詳細地得知特徵之間的關聯性,藉以提升分類模型的分辨準確率,為許多研究所努力的方向。基於應用程式執行過程所呼叫的系統呼叫序列(System Call Sequence),具有可以真實呈現應用程式實際執行為的特性。本研究提取系統呼叫序列作為特徵,並透過長短期記憶(Long Short-Term Memory, LSTM)深度學習模型架構提取系統呼叫前後相互關聯。然而,為了避免隨著系統調用序列的長度增長,降低模型分類準確率,於分類模型中加入注意力機制(Attention),透過計算LSTM神經元的短期記憶專注分數並加權平均於分類決策演算法中,達到增強分類不同惡意攻擊類型的判斷能力。經實驗結果證實,通過兩層的雙向LSTM架構並加入Attention機制的深度神經網路,在分類良性與惡意程式的分辨能力達93.5%,而在詳細分類良性程式與另外兩種惡意種類程式的分類結果則具有93.1%的準確率,展現優良的分類能力。;With the popularity of Android mobile devices, detecting and protecting malicious software has become an important issue. Although there have been studies proposed that dynamic analysis can overcome the shortcomings of avoidance detection problems such as code obfuscated. However, how to learn more detail of correlation between the sequence-type features extracted by dynamic analysis to improve the resolution accuracy of the classification model is the direction of many research efforts. This study extracts the system call sequence as a feature, and extracts the system call correlation through the Long Short-Term Memory (LSTM) deep learning model. In addition, in order to avoid the increase of the length of the system call sequence and reduce the accuracy of the model classification, the attention mechanism is added to the classification model. The experimental results show that through the two-layer of Bi- LSTM architecture and the deep neural network of the Attention mechanism, the resolution of benign and malicious programs is 93.5%, and the classification of benign programs and two other malicious types is detailed. The result is an accuracy of 93.1%, showing excellent classification ability.
