Abstract

Given the growing threat of Android malware, its family classification is important for identifying new variants, building robust signatures, assessing threat levels, and planning defenses. Since static and host-based dynamic classification techniques suffer from several limitations such as low adversarial capabilities, network-based dynamic techniques have been proposed as a complementary approach. However, existing network-based approaches are heavily engineered around a specific application protocol (i.e., HTTP) and implement classification based on domain-expert driven features, rendering them hard to generalize to many real-world classification scenarios (e.g., TLS encryption and unknown application protocols) and unable to keep pace with the rapid evolution of Android malware. To address these issues, we propose F2DC, a new Android malware classification method based on raw traffic and neural networks. F2DC characterizes Android malware from raw payload rather than application protocols and is therefore application-protocol independent and encryption-agnostic in principle. A novel traffic encoding scheme called F2D is designed to map the raw payload space into a flow-based latent feature space that helps convolutional neural networks (CNNs) distill more discriminative features for effective classification. Experiments show that F2DC outperforms state-of-the-art methods and exhibits highly competitive performance against popular mobile antivirus (AV) tools. These results indicate that F2DC is a promising network-based Android malware classification solution complementary to existing alternatives.
