
    Please use this permanent URL to cite or link to this item: http://ir.lib.ncu.edu.tw/handle/987654321/89864


    Title: Combining system call sequence relationship with local feature calculation in a mobile malware detection method
    Author: Hung, Chien-Hui (洪千惠)
    Contributor: Department of Information Management
    Keywords: Android malware analysis; dynamic analysis; system call sequence; sequence relationship; deep learning
    Date: 2022-07-28
    Upload time: 2022-10-04 12:02:50 (UTC+8)
    Publisher: National Central University
    Abstract: In this era of rapid development of information technology, Android is the operating system with the highest market share. Its open-source nature has made it a target for attackers, which in turn threatens the privacy of users. Within malware analysis, dynamic analysis is not affected by obfuscation or dynamic loading attacks, and it also provides insight into the behavior of the program during execution. System calls show the actual communication between the application and the kernel, so this research takes a dynamic detection approach and uses system calls as the feature that represents application behavior. The TF-IDF feature processing method assigns different weights to system call features according to how often each call occurs and its relationship to the data as a whole. However, TF-IDF treats a single system call as one unit, so the calculation carries no information about order, while in system call sequences the relationship between preceding and following calls is important. This research therefore combines the n-gram concept with local TF-IDF so that sequence data yields features that capture both the order relationships within the sequence and the importance of each element. Deep learning has achieved excellent classification results in the field of malware detection, so in this research the dynamic sequence features are transformed into vectors by the proposed method and Android applications are analyzed with a deep learning model. The results show that the method improves accuracy by more than 3% for multi-class classification of applications and by 11% on the unknown 2019 dataset.
    Appears in collections: [Graduate Institute of Information Management] Master's and Doctoral Theses
