Description-entropy-based intelligent detection method for big data mobile software similarity
The present invention relates to the field of software similarity determination, and in particular to a method for intelligent determination of similarity of big data mobile softwares based on descriptive entropy.
With the rapid development of the Internet and smart phones, mobile Internet softwares are rapidly popularized, especially the application softwares with mobile phone as the operating platform, resulting in a great number of released mobile Internet softwares every year. However, due to the open source and popularity of mobile Internet softwares, security issues have become increasingly prominent. Tens of thousands of malicious softwares are intercepted by various mobile application security platforms every day. Malicious mobile Internet softwares may expose the mobile phone to virus attack, steal account information, and even charge fees and acquire private user information beyond their authority. With challenges of severe mobile application security events and massive malwares, improving the efficiency of malware determination has become an issue worth exploring.
At present, most malicious attackers modify part of the source codes of a popular mobile application software, add malicious codes and obfuscations thereto, and release the application. Many users may mistakenly download and install the pirate application due to their trust and support for the original application. Similarity determination of applications is a breakthrough in mobile application security engineering.
The present invention is mainly intended to overcome the shortcomings and deficiencies in the prior art and to provide a method for determining the similarity of mobile softwares based on descriptive entropy distribution.
The purpose of the present invention is implemented through the following technical solutions:
Disclosed herein is a method for intelligent determination of similarity of big data mobile softwares based on descriptive entropy, comprising the following steps:
S1, acquiring a path for each of the mobile softwares to read the mobile softwares according to the paths;
S2, performing a preliminary reverse-engineering decompilation on each of the mobile softwares to acquire function characteristics for each of the mobile softwares;
S3, summarizing a descriptive entropy distribution for each of the mobile softwares through descriptive entropies in the function characteristics;
S4, integrating the descriptive entropies of the mobile softwares, comparing the descriptive entropy distributions of mobile software pairs based on the integrated descriptive entropy distributions, and calculating similarity scores of the mobile software pairs; and
S5, outputting the similarity scores of the mobile softwares to give a mobile software similarity result.
Furthermore, the function characteristics include: hash values, mobile software function compression codes, and descriptive entropies.
Furthermore, in step S2, the preliminary reverse-engineering decompilation specifically comprises: acquiring source codes for each of the mobile softwares using a decompilation tool, acquiring function compression codes for each of the mobile softwares through the source codes, and calculating a floating point number representing an amount of information of a function or class (i.e., the descriptive entropy) from each of the function compression codes by the following formula:
$H_d(\mathrm{substr}_i) = -\sum_{i=0}^{n} p(\mathrm{substr}_i)\,\log_2 p(\mathrm{substr}_i)$;
wherein, assuming that each of the function compression codes has n substrings, $\mathrm{substr}_i$ is the ith substring of the function compression code, and $p(\mathrm{substr}_i)$ is the occurrence probability of the ith substring; and
storing the function compression codes, descriptive entropies, and hash values for the mobile softwares in corresponding text files.
Furthermore, for the function or class, one function or class corresponds to one function compression code, one descriptive entropy and one hash value; one mobile software corresponds to a set of function compression codes, a set of descriptive entropies, and a set of hash values for corresponding functions.
Furthermore, the decompilation tool is Androguard.
Furthermore, step S3 specifically comprises: extracting, from each of the text files corresponding to each of the mobile softwares in step S2, a set of descriptive entropies:
$H_d = \{h_{d1}, h_{d2}, h_{d3}, \ldots, h_{dn}\}$;
and a set of corresponding numbers of entropies:
$N = \{n_1, n_2, n_3, \ldots, n_n\}$;
wherein, $h_{d1}$ to $h_{dn}$ are the 1st to the nth unequal descriptive entropy values of the corresponding mobile software; $n_1$ to $n_n$ are corresponding numbers of the 1st to the nth unequal descriptive entropy values.
Furthermore, step S4 specifically comprises: acquiring the sets of descriptive entropies for all the mobile softwares, and integrating the sets of descriptive entropies for all the mobile software in pairs to obtain a union of descriptive entropies for each pair of mobile softwares;
sets of descriptive entropies for mobile software A and mobile software B are as follows:
$H_{dA} = \{h_{dA1}, h_{dA2}, h_{dA3}, \ldots, h_{dAm}\}$;
$H_{dB} = \{h_{dB1}, h_{dB2}, h_{dB3}, \ldots, h_{dBn}\}$;
wherein, $H_{dA}$ is the set of descriptive entropies for mobile software A, $H_{dB}$ is the set of descriptive entropies for mobile software B, m is a number of descriptive entropy values of mobile software A, and n is a number of descriptive entropy values of mobile software B;
sets of numbers of descriptive entropy values of mobile software A and mobile software B are as follows:
$N_A = \{n_{A1}, n_{A2}, n_{A3}, \ldots, n_{Am}\}$;
$N_B = \{n_{B1}, n_{B2}, n_{B3}, \ldots, n_{Bn}\}$;
wherein, $N_A$ is the set of corresponding numbers of descriptive entropy values in $H_{dA}$ of mobile software A, and $N_B$ is the set of corresponding numbers of descriptive entropy values in $H_{dB}$ of mobile software B;
the union of descriptive entropies for the mobile software pair is as follows:
wherein, $H_{dA\cup B}$ is the union of descriptive entropies of mobile software A and mobile software B, $Y_A$ is the set of corresponding numbers of descriptive entropy values of mobile software A in the union $H_{dA\cup B}$, and $Y_B$ is the set of corresponding numbers of descriptive entropy values of mobile software B in the union $H_{dA\cup B}$; x is a number of elements in the subtraction of $H_{dA}$ from the union $H_{dA\cup B}$, and y is a number of elements in the subtraction of $H_{dB}$ from the union $H_{dA\cup B}$; m+x and n+y are numbers of elements in the union $H_{dA\cup B}$;
calculating similarity scores:
taking the sets $H_{dA\cup B}$ and $Y_A$ as a set of discrete points $D_A$, and the sets $H_{dA\cup B}$ and $Y_B$ as another set of discrete points $D_B$, there are:
$D_A = \{(x_i, y_i) \mid x_i \in H_{dA\cup B},\ y_i \in Y_A\}$;
$D_B = \{(x_i, y_i) \mid x_i \in H_{dA\cup B},\ y_i \in Y_B\}$;
a region $S_A$ in a Cartesian coordinate system is defined by the set of discrete points $D_A$ and the X axis; a region $S_B$ in the Cartesian coordinate system is defined by the set of discrete points $D_B$ and the X axis; an intersection area $S_{A\cap B}$ of the regions $S_A$ and $S_B$ is calculated, and a union area $S_{A\cup B}$ of the regions $S_A$ and $S_B$ is calculated; finally the similarity scores are calculated:
assuming that the number of elements in the set is N, there is:
wherein,
wherein,
wherein,
wherein, $(x_i, y_{Ai}) \in D_A$, $(x_i, y_{Bi}) \in D_B$, and $(x_{mid}, y_{mid})$ are the coordinates of the intersection point of a straight line defined by points $(x_i, y_{Ai})$ and $(x_{i+1}, y_{Ai+1})$ and a straight line defined by points $(x_i, y_{Bi})$ and $(x_{i+1}, y_{Bi+1})$;
finally the similarity scores are calculated by:
$\text{Similarity score} = \dfrac{S_{A\cap B}}{S_{A\cup B}} \times 100$
Furthermore, m+x=n+y.
Furthermore, step S5 specifically comprises: outputting the similarity scores of all mobile softwares, and determining similarities between mobile softwares to obtain a result of mobile software similarity.
Compared with the prior art, the present invention has the following advantages and beneficial effects:
The present invention acquires the mobile software source codes through decompilation, and then acquires a corresponding mobile software function compression code by reading the source code of each function or class. Each function compression code is a character string formed by compressing statements of a corresponding function or class according to control flowchart. The descriptive entropy is a floating point number calculated intelligently according to the function compression code. One function or class corresponds to one function compression code and one descriptive entropy. Thus a mobile software corresponds to a set of function compression codes and a set of descriptive entropies, the numbers of which depend on the total number of functions or classes. Using descriptive entropy to represent an amount of information of an object for determining mobile software similarity greatly improves the speed of intelligent software similarity calculation.
The present invention will be further illustrated with reference to the following example and drawings, which, however, are not intended to limit the embodiments of the present invention.
Provided is a method for intelligent determination of similarity of big data mobile softwares based on descriptive entropy, as shown in
Step I, acquiring a path for each of the mobile softwares to read the mobile softwares according to the paths;
Step II, performing a preliminary reverse-engineering decompilation on each of the mobile softwares to acquire function characteristics for each of the mobile softwares;
wherein the preliminary reverse-engineering decompilation specifically comprises: acquiring source codes for each of the mobile softwares using a decompilation tool Androguard, acquiring function compression codes for each of the mobile softwares through the source codes, and calculating a floating point number representing an amount of information of a function or class (i.e., the descriptive entropy) from each of the function compression code; and storing the function compression codes, descriptive entropies, and hash values for the mobile softwares in corresponding text files; the descriptive entropy is calculated by the following formula:
$H_d(\mathrm{substr}_i) = -\sum_{i=0}^{n} p(\mathrm{substr}_i)\,\log_2 p(\mathrm{substr}_i)$;
wherein, assuming that each of the function compression codes has n substrings, $\mathrm{substr}_i$ is the ith substring of the function compression code, and $p(\mathrm{substr}_i)$ is the occurrence probability of the ith substring;
furthermore, for the function or class, one function or class corresponds to one mobile software function compression code, one descriptive entropy and one hash value; one mobile software corresponds to a set of function compression codes, a set of descriptive entropies, and a set of hash values for corresponding functions.
Step III, summarizing a descriptive entropy distribution for each of the mobile softwares through descriptive entropies in the function characteristics, specifically comprising:
extracting, from each of the text files corresponding to the mobile softwares in step II, a set of descriptive entropies:
$H_d = \{h_{d1}, h_{d2}, h_{d3}, \ldots, h_{dn}\}$;
and a set of corresponding numbers of entropies:
$N = \{n_1, n_2, n_3, \ldots, n_n\}$;
wherein, $h_{d1}$ to $h_{dn}$ are the 1st to the nth unequal descriptive entropy values of the corresponding mobile software; $n_1$ to $n_n$ are corresponding numbers of the 1st to the nth unequal descriptive entropy values;
Step IV, integrating the descriptive entropies of the mobile softwares, comparing the descriptive entropy distributions of mobile software pairs based on the integrated descriptive entropy distributions, and calculating similarity scores of the mobile software pairs; and
specifically: acquiring the sets of descriptive entropies for all the mobile softwares, and integrating the sets of descriptive entropies for all the mobile software in pairs to obtain a union of descriptive entropies for each pair of the mobile softwares;
in the present embodiment, mobile software A and mobile software B are selected for comparison:
sets of descriptive entropies for mobile software A and mobile software B are as follows:
$H_{dA} = \{h_{dA1}, h_{dA2}, h_{dA3}, \ldots, h_{dAm}\}$;
$H_{dB} = \{h_{dB1}, h_{dB2}, h_{dB3}, \ldots, h_{dBn}\}$;
wherein, $H_{dA}$ is the set of descriptive entropies of mobile software A, and $h_{dA1}$ to $h_{dAm}$ are the 1st to the mth unequal descriptive entropies; $H_{dB}$ is the set of descriptive entropies of mobile software B, and $h_{dB1}$ to $h_{dBn}$ are the 1st to the nth unequal descriptive entropies; m is a number of descriptive entropies of mobile software A, and n is a number of descriptive entropies of mobile software B;
sets of numbers of descriptive entropy values of mobile software A and mobile software B are as follows:
$N_A = \{n_{A1}, n_{A2}, n_{A3}, \ldots, n_{Am}\}$;
$N_B = \{n_{B1}, n_{B2}, n_{B3}, \ldots, n_{Bn}\}$;
wherein, $N_A$ is the set of corresponding numbers of descriptive entropy values in $H_{dA}$ of mobile software A, and $n_{A1}$ to $n_{Am}$ are the number of the 1st to the mth descriptive entropies; $N_B$ is the set of corresponding numbers of descriptive entropy values in $H_{dB}$ of mobile software B, and $n_{B1}$ to $n_{Bn}$ are the number of the 1st to the nth descriptive entropies;
integrating the descriptive entropy distributions of mobile software A and mobile software B:
wherein, $H_{dA\cup B}$ is the union of descriptive entropies of mobile software A and mobile software B, $Y_A$ is the set of corresponding numbers of descriptive entropy values of mobile software A in the union $H_{dA\cup B}$, and $Y_B$ is the set of corresponding numbers of descriptive entropy values of mobile software B in the union $H_{dA\cup B}$; x is a number of elements in the subtraction of $H_{dA}$ from the union $H_{dA\cup B}$, and y is a number of elements in the subtraction of $H_{dB}$ from the union $H_{dA\cup B}$; m+x and n+y are numbers of elements in the union $H_{dA\cup B}$;
calculating similarity scores:
taking the sets $H_{dA\cup B}$ and $Y_A$ as a set of discrete points $D_A$, and the sets $H_{dA\cup B}$ and $Y_B$ as another set of discrete points $D_B$, there are:
$D_A = \{(x_i, y_i) \mid x_i \in H_{dA\cup B},\ y_i \in Y_A\}$;
$D_B = \{(x_i, y_i) \mid x_i \in H_{dA\cup B},\ y_i \in Y_B\}$;
a region $S_A$ in a Cartesian coordinate system is defined by the set of discrete points $D_A$ and the X axis; a region $S_B$ in the Cartesian coordinate system is defined by the set of discrete points $D_B$ and the X axis; an intersection area $S_{A\cap B}$ of the regions $S_A$ and $S_B$ is calculated, and a union area $S_{A\cup B}$ of the regions $S_A$ and $S_B$ is calculated; finally the similarity scores are calculated:
assuming that the number of elements in the set is N, there is:
wherein, $(x_i, y_{Ai}) \in D_A$, $(x_i, y_{Bi}) \in D_B$, and $(x_{mid}, y_{mid})$ are the coordinates of the intersection point of a straight line defined by points $(x_i, y_{Ai})$ and $(x_{i+1}, y_{Ai+1})$ and a straight line defined by points $(x_i, y_{Bi})$ and $(x_{i+1}, y_{Bi+1})$;
finally the similarity scores are calculated by:
$\text{Similarity score} = \dfrac{S_{A\cap B}}{S_{A\cup B}} \times 100$
Step V, outputting the similarity scores of the mobile softwares to give a mobile software similarity result, outputting the similarity scores of all mobile software pairs, calculating a time and storing in a text file.
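The following Python sketch walks through Steps II to IV on constructed input; it is an added example, not code from the patent or from Androguard. Assumptions, since the page does not fix them: substrings are single characters, entropies are rounded to four decimals so equal values can be counted, an app has count 0 for union values it lacks, and the areas are taken under straight lines joining adjacent points, split at $(x_{mid}, y_{mid})$ where the two lines cross; all function names and sample strings are hypothetical.

```python
import math
from collections import Counter

# Constructed function compression codes (illustrative strings, not real tool output).
APP_A = ["B[IP]B[R]", "B[F0P1]", "B[IP]B[R]", "B[SR]"]
APP_B = APP_A + ["B[P1F0P1P2R]"]  # same app with one extra function added

def descriptive_entropy(code):
    """Entropy in bits of one code. Assumption: substrings are single characters."""
    total = len(code)
    h = sum(c / total * math.log2(total / c) for c in Counter(code).values())
    return round(h, 4)  # assumption: round so equal entropies compare equal

def entropy_distribution(codes):
    """Step III: map each distinct entropy value to the number of functions with it."""
    return Counter(descriptive_entropy(c) for c in codes if c)

def _segment_areas(w, a0, a1, b0, b1):
    """Areas under min and max of two line segments over an interval of width w."""
    d0, d1 = a0 - b0, a1 - b1
    if d0 * d1 >= 0:  # segments do not cross inside the interval
        return ((min(a0, b0) + min(a1, b1)) * w / 2,
                (max(a0, b0) + max(a1, b1)) * w / 2)
    t = d0 / (d0 - d1)            # crossing at x_mid = x_i + t * w
    y_mid = a0 + t * (a1 - a0)
    lo = ((min(a0, b0) + y_mid) * t + (y_mid + min(a1, b1)) * (1 - t)) * w / 2
    hi = ((max(a0, b0) + y_mid) * t + (y_mid + max(a1, b1)) * (1 - t)) * w / 2
    return lo, hi

def similarity_score(dist_a, dist_b):
    """Step IV: S_(A∩B) / S_(A∪B) * 100 over the union of entropy values."""
    xs = sorted(set(dist_a) | set(dist_b))
    ya = [dist_a.get(x, 0) for x in xs]  # assumption: count 0 where a value is absent
    yb = [dist_b.get(x, 0) for x in xs]
    inter = union = 0.0
    for i in range(len(xs) - 1):
        lo, hi = _segment_areas(xs[i + 1] - xs[i], ya[i], ya[i + 1], yb[i], yb[i + 1])
        inter, union = inter + lo, union + hi
    return 100.0 * inter / union if union else 0.0  # a single point encloses no area

if __name__ == "__main__":
    a, b = entropy_distribution(APP_A), entropy_distribution(APP_B)
    print(f"A vs A: {similarity_score(a, a):.1f}  A vs B: {similarity_score(a, b):.1f}")
```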
The above example is a preferred embodiment of the present invention, which, however, is not intended to limit the embodiments of the present invention. Any other changes, modifications, substitutions, combinations, simplifications and the like can be made without departing from the spirit and principle of the present invention, and should be equivalent replacement and included in the protection scope of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
201910424145.7 | May 2019 | CN | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/CN2020/086052 | 4/22/2020 | WO | 00 |