Abstract

The mobile application platform is emerging as a new and major battlefield for security specialists and malware authors. Past work shows that open-source Android is not the only vulnerable target for mobile malware; closed systems such as iOS and minority systems can also be compromised by sophisticated malware. Most mobile malware needs either a cellular or a network connection to conduct its malicious activities. We propose collecting an application's network behavior and interactions to characterize how the application behaves. An integrated testbed system has been designed and prototyped for this network behavior collection, with a scenario simulator that generates system and user events to trigger application behaviors. Statistical features are derived from the application's network traffic. The sequences of triggering events and network behavior features are then fed to a recurrent neural network, which learns and constructs one general model for each typical category of mobile applications. Experiments show that applications in the same category, with similar functionality, exhibit consistent network behavior patterns. Malware behaviors, on the other hand, deviate visibly from the expected event-behavior patterns of the categories they claim to belong to. This finding is suitable for evaluating and measuring unknown mobile applications to predict risk and trustworthiness.
