Mining network traffic for application category recognition on Android platform

Signature-based static mobile malware detection is fragile when facing code obfuscation and transformation attacks. Behavior based malware detection mechanisms have been widely studied and experimented. So far only the application's running behaviors, such as API calls and resource consumption are used, which can also be easily concealed and obfuscated with various coding tricks. Most mobile malware need either cellular or network connection to conduct their malicious activities. We propose to monitor an application's network behavior and interaction to characterize application behaviors. An integrated testbed system has been designed and prototyped for such network behavior collection. Statistical features are derived from application network traffic, which are further fed to a machine-learning based classifier to build one general model for each typical category of mobile applications. Experiments show that applications in each category with identical functionality exhibit similar network behaviors, which makes it possible to use the derived category model of network behaviors to evaluate future unknown application for its trustworthiness.

[1]  Leo Breiman,et al.  Random Forests , 2001, Machine Learning.

[2]  Win Zaw,et al.  Permission-Based Android Malware Detection , 2013 .

[3]  Ling Yang,et al.  Unveiling Inheritance of Android Malware APKs Based on Code Hierarchical API Usage , 2014 .

[4]  Arun Lakhotia,et al.  Static verification of worm and virus behavior in binary executables using model checking , 2003, IEEE Systems, Man and Cybernetics SocietyInformation Assurance Workshop, 2003..

[5]  Xuxian Jiang,et al.  Catch Me If You Can: Evaluating Android Anti-Malware Against Transformation Attacks , 2014, IEEE Transactions on Information Forensics and Security.

[6]  Fan Yang,et al.  Detection of Android Malicious Apps Based on the Sensitive Behaviors , 2014, 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications.

[7]  Yuval Elovici,et al.  “Andromaly”: a behavioral malware detection framework for android devices , 2012, Journal of Intelligent Information Systems.

[8]  Katerina Goseva-Popstojanova,et al.  Using Multiclass Machine Learning Methods to Classify Malicious Behaviors Aimed at Web Systems , 2012, 2012 IEEE 23rd International Symposium on Software Reliability Engineering.

[9]  Tao Guo,et al.  Network behavior based mobile virus detection , 2012, 2012 IEEE 14th International Conference on Communication Technology.

[10]  Yuan Zhang,et al.  Vetting undesirable behaviors in android apps with permission use analysis , 2013, CCS.

[11]  John C. S. Lui,et al.  Droid Analytics: A Signature Based Analytic System to Collect, Extract, Analyze and Associate Android Malware , 2013, 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.

[12]  Xiangliang Zhang,et al.  Exploring Permission-Induced Risk in Android Applications for Malicious Application Detection , 2014, IEEE Transactions on Information Forensics and Security.

[13]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[14]  Cengiz Acartürk,et al.  The analysis of feature selection methods and classification algorithms in permission based Android malware detection , 2014, 2014 IEEE Symposium on Computational Intelligence in Cyber Security (CICS).

[15]  Kuai Xu,et al.  Behavior Analysis of Internet Traffic via Bipartite Graphs and One-Mode Projections , 2014, IEEE/ACM Trans. Netw..