US 12,423,427 B2
Method of detecting Android malware based on heterogeneous graph and apparatus thereof
Tianbo Wang, Beijing (CN); Mengyao Liu, Beijing (CN); Chunhe Xia, Beijing (CN); and Liqun Yang, Beijing (CN)
Assigned to Beihang University, Beijing (CN)
Filed by Beihang University, Beijing (CN)
Filed on Dec. 28, 2023, as Appl. No. 18/398,453.
Claims priority of application No. 202310013951.1 (CN), filed on Jan. 5, 2023.
Prior Publication US 2024/0241954 A1, Jul. 18, 2024
Int. Cl. G06F 21/56 (2013.01)
CPC G06F 21/566 (2013.01)
17 Claims
1. A method of detecting Android malware based on a heterogeneous graph, comprising:

acquiring an application to be tested, and constructing a target heterogeneous graph according to entities and entity relationship information extracted from the application to be tested by decoding and/or decompiling the application to be tested to obtain a smali file and an AndroidManifest.xml configuration file;

based on a preset regular matching strategy, extracting Application Programming Interface (API) entities and information of packages to which each API entity belongs from the smali file, and extracting hardware entity information and permission entity information declared by software from the AndroidManifest.xml configuration file by matching uses-feature and uses-permission;

constructing the target heterogeneous graph based on the API entities, the information of packages to which each API entity belongs, the hardware entity information and the permission entity information;

determining a Kullback-Leibler (KL) distance between any two meta-paths based on the target heterogeneous graph, and taking the meta-paths in which the KL distance between any two meta-paths is greater than a preset threshold as a plurality of finally selected meta-paths;

carrying out, by Restricted Boltzmann Machine (RBM), feature fusion on the plurality of meta-paths, and adjusting, by an automatic encoder, fusion parameters of initial fusion vectors to meet a predetermined condition to obtain a plurality of fusion feature vectors;

inputting the plurality of fusion feature vectors into a trained Deep Neural Network (DNN) for classification to obtain a final classification result, and determining whether the application to be tested is Android malware according to the final classification result.
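The extraction and graph-construction steps of claim 1, sketched as an added example (not code from the patent or its applicants). It assumes the APK has already been decoded to text; the two regular expressions, the edge-type names, the App-API-Package-API-App meta-path and the sample inputs are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# smali call site: invoke-<kind> {regs}, Lpkg/Class;->method(   (assumed pattern)
INVOKE_RE = re.compile(r"^\s*invoke-[\w/]+ \{[^}]*\}, L([\w/$]+);->([\w$<>]+)\(", re.M)
# uses-permission / uses-feature declarations in the decoded (text) manifest
MANIFEST_RE = re.compile(r'<(uses-permission|uses-feature)\s[^>]*?android:name="([^"]+)"')

def build_graph(apps):
    """apps: {app_id: (smali_text, manifest_text)} -> {edge_type: {(src, dst)}}."""
    edges = defaultdict(set)
    for app_id, (smali, manifest) in apps.items():
        app = ("app", app_id)
        for cls, method in INVOKE_RE.findall(smali):
            dotted = cls.replace("/", ".")
            api = ("api", f"{dotted}.{method}")
            edges["app-calls-api"].add((app, api))
            edges["api-in-package"].add((api, ("package", dotted.rpartition(".")[0])))
        for tag, name in MANIFEST_RE.findall(manifest):
            kind = "permission" if tag == "uses-permission" else "hardware"
            edges[f"app-declares-{kind}"].add((app, (kind, name)))
    return edges

def apps_linked_by_package(edges):
    """Illustrative meta-path App-API-Package-API-App: app pairs sharing a package."""
    pkg_of = dict(edges["api-in-package"])  # api node -> package node
    apps_by_pkg = defaultdict(set)
    for app, api in edges["app-calls-api"]:
        apps_by_pkg[pkg_of[api]].add(app[1])
    return {(a, b) for apps in apps_by_pkg.values() for a in apps for b in apps if a < b}

# Constructed sample inputs (not taken from any real application).
SMALI_A = """.method public run()V
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual/range {v1 .. v6}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
.end method
"""
MANIFEST_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-feature android:name="android.hardware.telephony" android:required="false"/>
    <uses-feature android:glEsVersion="0x00020000"/>
</manifest>"""
SMALI_B = """    invoke-direct {p0}, Ljava/lang/Object;-><init>()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
"""
MANIFEST_B = '<manifest><uses-permission android:name="android.permission.READ_PHONE_STATE"/></manifest>'
APPS = {"a": (SMALI_A, MANIFEST_A), "b": (SMALI_B, MANIFEST_B)}

if __name__ == "__main__":
    graph = build_graph(APPS)
    print({k: len(v) for k, v in graph.items()}, apps_linked_by_package(graph))
```

The `uses-feature` entry that carries only `android:glEsVersion` has no name to extract and therefore produces no hardware node.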