現今的行動惡意程式數量增長的越來越快,分析大量的應用程式為現今學者專注的項目,本研究依照惡意程式家族對應用程式進行分類,以增進整個分析的過程的效率。檢測惡意程式分為靜態分析與動態分析兩種方法,靜態分析不需要執行程式,直接反編譯程式即可取得所有資源,分析上較有效率且程式覆蓋率高;動態分析需執行取得分析特徵,分析上較為耗時,且無法保證會觸發所有惡意行為,程式覆蓋率較低且耗時,因此本研究針對靜態分析進行探討。現代程式的功能非常多元,許多良性應用程式的行為與惡意應用程式的行為越來越接近,使用早期靜態特徵提取容易造成誤判,因此基於圖型、流向和操作碼的特徵興起,但依然有所限制,容易提取到無意義的特徵,因此本研究結合調整過的操作碼與控制流作為主要靜態分析特徵作為研究。本研究提出一個應用程式檢測系統,結合操作碼與控制流作為主要特徵來分類應用程式,使其對應到所屬的家族,並使用相似度計算,檢測該應用程式除了分類出來的家族特性之外,是否含有其他家族的特性。本研究使用Drebin資料集訓練出的模型F-measure達98%且偵測未知應用程式的準確率達94.86%。;Nowadays, the number of mobile malware is growing faster and faster, analyzing enor-mous malware is one of the goal for the specialist. This study classifies applications accord-ing to malware family in order to improve the efficiency of the entire analysis process. The detection of malware is divided into two methods: dynamic analysis and static analysis. Dynamic analysis needs to execute the application to get analysis feature, which is time-consuming and cannot guarantee that all malicious behavior will be triggered. Besides, the program coverage is low in dynamic analysis. Without executing program, static analysis can obtain all resources by decompiling the application directly. Static analysis is more effi-cient and the program coverage is higher than dynamic analysis. In summary, this study fo-cuses on static analysis for further discussion. The functions of modern application are very diverse; the behavior of benign applica-tions is closer to the behavior of malware. Thus, the use of early static feature is easy to cause misjudgment. In recent year, using the graph-based feature, flow-based feature and opcode as analysis feature is becoming more and more popular, but still have some re-strictions such as extracting meaningless features easily. This study proposes a system that combines the adjusted opcode and control flow as the main features to classify the application to correspond to the family it belongs to, and uses the similarity calculation to detect the application whether it contains other family charac-teristics. In this study, the model F-measure trained using the Drebin data set was 98% and the accuracy of detecting unknown applications was 94.86%.
