Author (Chinese): 嚴堯聖
Author (English): Yen, Yao-Saint
Title (Chinese): 基於將程式碼重要性視覺化與深度學習的變種Android惡意程式檢測方法
Title (English): An Android mutation malware detection based on deep learning using visualization of importance from codes
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 黃育綸, 許富皓
Committee members (English): Huang, Yu-Lun; Hsu, Fu-Hau
Degree: Master's
Institution: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系所)
Student ID: 104062602
Year of publication (ROC calendar): 106 (2017)
Graduation academic year: 105 (2016/17)
Language: English
Pages: 27
Keywords (Chinese): 程式碼, 深度學習, 視覺化, 惡意程式
Keywords (English): code, deep learning, visualization, malware
Abstract:
Smartphones, and in particular the Android platform, have reached about eighty percent market share, which makes Android the primary target of attackers. Mobile devices hold a growing amount of private data while offering weak protection, so malware authors have every incentive to steal that data. They can attack in many ways, for example by using different coding techniques to confuse malware-detection software and then compromise the device that holds the private data.
  Existing Android malware detection methods use many kinds of features, such as security-sensitive APIs, system calls, control-flow structure and information flow, and then apply a machine-learning algorithm to separate malicious from benign applications. Each feature set offers its own view of an app: from a defensive standpoint, a given feature may suit certain attacks and be unsuitable for others. Most existing methods rely on a single one of these features and detect malware by analysing the code, but the code confusion (obfuscation) used by malware and zero-day attacks frequently cause such feature extraction to misjudge. An effective technique for analysing these threats is therefore needed.
  This thesis uses a deep-learning-based approach built on the importance of the words in the code extracted from an APK. Under code confusion some identifiers are merely renamed, which ordinary static analysis cannot see through. The thesis therefore ranks the words by importance, takes several groups each containing a fixed number of words, converts the importance values of these groups into an image through the proposed procedure, and finally feeds the image to a convolutional neural network to decide whether the APK is malware.
Contents
List of Figures
Chapter 1 Introduction
Chapter 2 Background
2.1 Apk structure
2.2 Convolutional neural networks
2.2.1 Layers of convolutional neural network
2.2.2 Architecture of convolutional neural network
2.3 General method for malware detection
2.3.1 Static analysis
2.3.2 Dynamic analysis
Chapter 3 Related work
3.1 Current research of visualizing application
Chapter 4 Design Framework
4.1 Algorithm used in this thesis
4.1.1 SimHash
4.1.2 Djb2
4.2 Color format
4.2.1 Grayscale
4.2.2 RGB
4.3 System architecture
4.3.1 Apk file to code
4.3.2 Using code to generate image
4.3.3 TF-IDF
4.4 Implementation
Chapter 5 Experimental Result
Chapter 6 Conclusion
Reference
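The abstract describes the pipeline only in outline and Chapter 4 names its building blocks (djb2, grayscale/RGB colour formats, apk-to-code, code-to-image, TF-IDF). The block below is an added, runnable sketch of that pipeline written for this page; it is not the thesis's own code, data or exact conversion procedure. Tokens from decompiled code are scored with TF-IDF, sorted by importance, cut into fixed-size groups, and each token is mapped to a pixel through djb2. The four-app corpus, the token regex, the raw-count TF-IDF formula, the hash-to-byte pixel mapping, the 3x4 image size and the "renamed" variant are all assumptions made here; the SimHash variant and the CNN stage are not reproduced.

```python
"""Toy pipeline: decompiled-code tokens -> TF-IDF importance -> ranked token
groups -> djb2 hash -> grayscale (or RGB) image rows ready for a CNN."""
import math
import re
from collections import Counter

# Constructed sample corpus (assumption, not the thesis dataset). Each entry
# stands for the concatenated text of one app's decompiled classes. Smali-style
# type descriptors (Landroid/...;) and framework method names cannot be renamed
# by an obfuscator; app-defined names such as stealContacts can.
CORPUS = {
    "benign_notes": (
        "Landroid/app/Activity; onCreate setContentView findViewById "
        "Landroid/widget/EditText; getText saveNote loadNote "
        "Ljava/io/FileOutputStream; write close"
    ),
    "benign_calc": (
        "Landroid/app/Activity; onCreate setContentView findViewById "
        "Landroid/widget/Button; setOnClickListener computeResult "
        "add subtract multiply divide"
    ),
    "sample_mal": (
        "Landroid/app/Activity; onCreate Landroid/telephony/SmsManager; "
        "getDefault sendTextMessage sendTextMessage sendTextMessage "
        "Landroid/telephony/TelephonyManager; getDeviceId "
        "stealContacts uploadToServer Ljava/net/HttpURLConnection; openConnection"
    ),
    # Same code after a rename-only obfuscation pass (hypothetical): app-defined
    # identifiers become single letters, framework names are unchanged.
    "sample_mal_renamed": (
        "Landroid/app/Activity; onCreate Landroid/telephony/SmsManager; "
        "getDefault sendTextMessage sendTextMessage sendTextMessage "
        "Landroid/telephony/TelephonyManager; getDeviceId "
        "a b Ljava/net/HttpURLConnection; openConnection"
    ),
}

TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_/$;]*")


def tokenize(code: str) -> list[str]:
    """Split decompiled code into identifier-like tokens (descriptors kept whole)."""
    return TOKEN_RE.findall(code)


def djb2(s: str) -> int:
    """Bernstein's djb2: h = h*33 + c over the UTF-8 bytes, truncated to 32 bits."""
    h = 5381
    for c in s.encode("utf-8"):
        h = ((h << 5) + h + c) & 0xFFFFFFFF
    return h


def tf_idf(corpus: dict[str, str]) -> dict[str, dict[str, float]]:
    """Per-document token importance: raw count * log(N / document frequency)."""
    docs = {name: Counter(tokenize(code)) for name, code in corpus.items()}
    n = len(docs)
    df = Counter(tok for counts in docs.values() for tok in counts)
    return {
        name: {tok: cnt * math.log(n / df[tok]) for tok, cnt in counts.items()}
        for name, counts in docs.items()
    }


def ranked_groups(scores: dict[str, float], group_size: int, n_groups: int) -> list[list[str]]:
    """Sort tokens by descending importance (ties broken by name) and cut the top
    n_groups*group_size tokens into fixed-size groups, padding with ""."""
    ordered = sorted(scores, key=lambda t: (-scores[t], t))
    needed = group_size * n_groups
    ordered = (ordered + [""] * needed)[:needed]
    return [ordered[i:i + group_size] for i in range(0, needed, group_size)]


def token_pixel(tok: str, mode: str = "gray"):
    """Map one token to a pixel: low byte of djb2 for grayscale, three bytes for
    RGB. Padding ("") maps to black."""
    if tok == "":
        return 0 if mode == "gray" else (0, 0, 0)
    h = djb2(tok)
    if mode == "gray":
        return h & 0xFF
    return ((h >> 16) & 0xFF, (h >> 8) & 0xFF, h & 0xFF)


def code_image(corpus, name, group_size=4, n_groups=3, mode="gray"):
    """Image for one app: one row per importance group, one pixel per token."""
    groups = ranked_groups(tf_idf(corpus)[name], group_size, n_groups)
    return [[token_pixel(t, mode) for t in row] for row in groups]


def pixel_overlap(img_a, img_b) -> float:
    """Fraction of pixel positions that agree between two equally sized images."""
    total = sum(len(r) for r in img_a)
    same = sum(pa == pb for ra, rb in zip(img_a, img_b) for pa, pb in zip(ra, rb))
    return same / total


if __name__ == "__main__":
    for app in CORPUS:
        print(app, code_image(CORPUS, app))
    print("overlap original/renamed:",
          pixel_overlap(code_image(CORPUS, "sample_mal"),
                        code_image(CORPUS, "sample_mal_renamed")))
```

Running it shows the point the abstract makes about rename-only obfuscation in miniature: the renamed identifiers move two pixels in the top row, while the rows built from framework names that the obfuscator cannot touch are identical, so the two images stay mostly the same. It also shows a caveat: with plain TF-IDF a freshly renamed identifier that appears in only one app gets a high IDF, so renaming alone does not push such tokens down the ranking; the thesis's own weighting and the CNN's tolerance to small pixel changes are what the experiments in Chapter 5 have to establish.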
(Full text not released for public access)