Abstract

Android has become the most popular mobile platform due to its openness and flexibility. Meanwhile, it has also become the main target of a massive volume of mobile malware. This phenomenon drives a pressing need for malware detection. In this paper, we propose a lightweight framework for Android malware identification. Network traffic generated by mobile apps is mirrored from the wireless access point to the server for data analysis. All data analysis and malware detection are performed on the server side, which consumes minimal resources on mobile devices and has minimal impact on user experience. Due to the difficulty of identifying the disparate malicious behaviors of malware from network traffic, our method performs a multi-level network traffic analysis, gathering as many features of network traffic as necessary. The proposed method combines network traffic analysis with a machine learning algorithm (C4.5) and is capable of identifying Android malware with high accuracy. In an evaluation with 8,312 benign apps and 5,560 malware samples, our method performs better than other state-of-the-art approaches; in particular, when combining two detection mechanisms, it achieves a detection rate of 97.89%. In addition, for the benefit of the user, the framework not only displays the final detection results but also analyzes the behind-the-curtain reasons for malicious results. The result explanation also reveals insightful behavioral characteristics of mobile malware.
