A First Look at Android Malware Traffic in First Few Minutes

With the advent of the mobile era, mobile terminals are on track to surpass the PC as the most popular computing device. Meanwhile, hackers and virus writers are paying close attention to mobile terminals, especially the Android platform. The growth of malware on the Android system has drawn attention from both academia and the security industry. Recently, mobile network traffic analysis has been used to identify malware, but because a large-scale malware repository and a systematic analysis of network traffic features have been lacking, existing research has mostly remained theoretical. In this paper, we design an Android malware traffic behavior monitoring scheme to capture the traffic generated by malware samples in a real Internet environment. We capture the network traffic of 5560 malware samples during their first 5 minutes of execution and analyze the major components of the traffic data. We find that HTTP and DNS account for more than 99% of the application-layer traffic. We then analyze the related network features: DNS queries, HTTP packet length, the ratio of downlink to uplink traffic volume, HTTP requests, and ad traffic. Our statistical results show that (1) more than 70% of the malware samples generate malicious traffic within the first 5 minutes, (2) DNS queries and HTTP requests can be used to identify malware, with detection rates of 69.55% and 40.89% respectively, and (3) ad traffic can greatly affect malware detection. We believe our research provides an in-depth analysis of mobile malware's network behavior.
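To make the feature families named in the abstract concrete, the following is an added illustration in Python; it is not code from the paper, and the packet records, the `.test` domains, the ad-domain list and the indicator list are all constructed for this example. It extracts per-sample DNS queries, HTTP requests, HTTP packet length, the downlink-to-uplink byte ratio and the share of ad traffic from simplified packet records, reports indicator matches on the DNS and HTTP channels separately, and shows how ad traffic can mask the volume-based features of a sample until the ad flows are removed.

```python
"""Feature extraction and indicator matching over a constructed per-app capture.

Added illustration, not code from the paper. It computes the feature families
the abstract names (DNS queries, HTTP packet length, downlink/uplink ratio,
HTTP requests, ad traffic share) from simplified packet records and shows how
ad traffic can mask volume-based features. All records, domains and indicator
lists are constructed; the .test TLD is reserved for examples.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Packet:
    sample: str        # app / malware sample id (constructed)
    proto: str         # "DNS" or "HTTP"
    direction: str     # "up" = device to Internet, "down" = Internet to device
    length: int        # application-layer payload bytes
    host: str          # DNS query name or HTTP Host header
    path: str = ""     # HTTP request path, empty for DNS


# Constructed stand-in for the first minutes of three apps. app-A reaches an
# ad network and a command server; app-C only resolves the command server
# (no HTTP follows); app-B is a benign app that shows only the ad traffic.
CAPTURE = [
    Packet("app-A", "DNS", "up", 41, "ads.adnet.test"),
    Packet("app-A", "DNS", "down", 120, "ads.adnet.test"),
    Packet("app-A", "HTTP", "up", 350, "ads.adnet.test", "/show?id=1"),
    Packet("app-A", "HTTP", "down", 4200, "ads.adnet.test", "/show?id=1"),
    Packet("app-A", "DNS", "up", 39, "c2.bad.test"),
    Packet("app-A", "DNS", "down", 100, "c2.bad.test"),
    Packet("app-A", "HTTP", "up", 900, "c2.bad.test", "/report.php"),
    Packet("app-A", "HTTP", "down", 90, "c2.bad.test", "/report.php"),
    Packet("app-C", "DNS", "up", 39, "c2.bad.test"),
    Packet("app-C", "DNS", "down", 100, "c2.bad.test"),
    Packet("app-B", "DNS", "up", 41, "ads.adnet.test"),
    Packet("app-B", "DNS", "down", 120, "ads.adnet.test"),
    Packet("app-B", "HTTP", "up", 350, "ads.adnet.test", "/show?id=2"),
    Packet("app-B", "HTTP", "down", 5100, "ads.adnet.test", "/show?id=2"),
]

# Constructed lists; a deployment would take these from an ad-network domain
# list and from threat intelligence respectively.
AD_DOMAINS = {"ads.adnet.test"}
MALICIOUS_DOMAINS = {"c2.bad.test"}


def extract_features(packets, sample, drop_ads=False):
    """Per-sample features named in the abstract; drop_ads removes ad flows
    before the volume features are computed so their masking effect is visible."""
    pkts = [p for p in packets if p.sample == sample]
    total = sum(p.length for p in pkts)
    ad_bytes = sum(p.length for p in pkts if p.host in AD_DOMAINS)
    if drop_ads:
        pkts = [p for p in pkts if p.host not in AD_DOMAINS]
    up = sum(p.length for p in pkts if p.direction == "up")
    down = sum(p.length for p in pkts if p.direction == "down")
    http = [p for p in pkts if p.proto == "HTTP"]
    return {
        "dns_queries": sorted({p.host for p in pkts
                               if p.proto == "DNS" and p.direction == "up"}),
        "http_requests": sorted({(p.host, p.path) for p in http
                                 if p.direction == "up"}),
        "http_mean_len": round(mean(p.length for p in http), 1) if http else 0.0,
        "down_up_ratio": round(down / up, 2) if up else None,
        "ad_share": round(ad_bytes / total, 2) if total else 0.0,
    }


def indicator_hits(features, indicators=MALICIOUS_DOMAINS):
    """Detection by DNS query and by HTTP request host, reported separately
    so the two channels can be compared as the paper does."""
    dns_hit = any(d in indicators for d in features["dns_queries"])
    http_hit = any(h in indicators for h, _ in features["http_requests"])
    return {"dns": dns_hit, "http": http_hit}


def detection_rates(packets, malware_ids):
    """Fraction of labelled malware samples flagged by each channel."""
    hits = [indicator_hits(extract_features(packets, s)) for s in sorted(malware_ids)]
    n = len(hits)
    return {"dns": sum(h["dns"] for h in hits) / n,
            "http": sum(h["http"] for h in hits) / n}


if __name__ == "__main__":
    for s in ("app-A", "app-B", "app-C"):
        print(s, "with ads:", extract_features(CAPTURE, s))
        print(s, "ads dropped:", extract_features(CAPTURE, s, drop_ads=True))
    print("detection rate over constructed malware set:",
          detection_rates(CAPTURE, {"app-A", "app-C"}))
```

On the constructed data, app-A looks like an ordinary content-fetching app while its ad flows are counted (downlink/uplink ratio about 3.4, over 80% of its bytes are ad traffic), but once the ad flows are dropped the remaining traffic is upload-heavy (ratio about 0.2), the profile one would expect from a sample reporting data to a server. app-C resolves the server name but never completes an HTTP exchange, so the DNS channel flags it and the HTTP channel does not; across the two constructed malware samples the DNS channel flags both and the HTTP channel only one, the same ordering the paper reports for its detection rates.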