
Android Application Network Traffic Analysis And Malicious Behaviors Detection Technology Study

Posted on: 2016-10-14
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Su
GTID: 1368330488469560
Subject: Computer Science and Technology
Abstract/Summary:
Android applications (apps) are developed on the Android operating system, which runs on many kinds of mobile devices such as smartphones and tablets. Android apps provide a wide range of functionality for mobile users' daily lives. Android smartphones have spread rapidly, the number of Android apps grows exponentially, and the network traffic generated by Android smartphones has increased sharply; this traffic has become a research topic that receives much attention. Meanwhile, Android apps are open-source programs, and many malware writers embed malicious code into Android apps to carry out malicious activities for illegal purposes. How to analyze Android app network traffic and detect the malicious behaviors of Android apps has therefore become a research hotspot. In this dissertation we study Android app network traffic analysis and malicious behavior detection in depth. The main contributions and innovations are as follows:

(1) An Android app network traffic generation system based on automatic execution. Network traffic data is the basis of Android app network traffic analysis. However, network traffic data from carriers contains users' private data and is hard to obtain, and collecting network traffic by manual execution cannot scale to a large number of Android apps. To address these limitations, we design and implement Andro Generator, an Android app network traffic generation system based on automatic execution of Android apps. To build this system, we first design an automatic execution approach that runs a large number of Android apps and collects the network traffic they generate. We then extract network traffic features such as the number of packets and the number of bytes. After feature extraction, we simulate the characteristics and patterns of the collected traffic to generate Android app network traffic. The experimental results support two conclusions. First, the automatic execution approach of Andro Generator triggers the majority of an Android app's network behaviors. Second, Andro Generator can simulate and generate Android app network traffic that is highly similar to real-world Android app network traffic, and can thus provide network traffic data for other Android app network traffic analysis and research work.

(2) An Android app recommendation approach based on network traffic cost. Most Android apps need Internet access and generate network traffic to fulfill their functionality, which consumes users' mobile data plans. Current Android app markets recommend apps based on popularity (e.g., rating scores) and ignore their network traffic cost. How to recommend an Android app that is both popular and low in network traffic cost is therefore the problem this work addresses. We first downloaded the top 100 popular apps from each of 22 popular categories on Google Play. We then collected network traffic while these apps ran and measured the network traffic cost of each app with metrics such as the network traffic cost rate, the cost of each traffic category, and the proportion of each traffic category. Based on these measurements, we propose an Android app recommendation algorithm that recommends apps that are not only popular but also have low network traffic cost.

(3) An Android app identification approach based on HTTP signatures. To improve the accuracy and coverage of previous identification approaches, we propose an identification approach that extracts signatures from HTTP flows. Unlike traditional network signatures, an HTTP signature includes signatures built from unique strings as well as from common strings. The approach first identifies HTTP flows that contain unique strings, then uses a time window and content restoration to correlate the HTTP flows that contain only common strings with them. Finally, we extract HTTP signatures from these flows to identify Android apps and compute statistics on the size of the traffic they generate. Experimental results show that our approach achieves higher identification accuracy than previous approaches, improving it by 35%-81%.

(4) Android malware and unsafe advertisement library detection based on HTTP flow mining. Building on previous research, we found that most Android apps and advertisement libraries communicate with remote servers over HTTP. Based on this finding, we propose an HTTP flow mining approach to detect Android malware and unsafe advertisement libraries. The approach first analyzes the differences between benign Android apps and malware, and between safe and unsafe advertisement libraries, in terms of HTTP flow features (e.g., number of packets, number of flows), and also analyzes the relationship between HTTP flow features and malicious behaviors. Next, we apply data mining algorithms (e.g., J48) to build a classification model that detects Android malware and unsafe advertisement libraries from HTTP flow features. Finally, we extract HTTP fingerprints from the detected malware and unsafe advertisement libraries to categorize them. Experimental results show that our approach achieves 97.67% and 95.86% accuracy when detecting Android malware and unsafe advertisement libraries, respectively, and that it can also categorize the detected malware and unsafe advertisement libraries successfully.

(5) A mobile botnet detection approach. A mobile botnet is a new form of network attack that evolved from traditional botnets. It provides a stealthy, flexible and efficient one-to-many command and control (C&C) channel and controls a large number of bots to carry out several kinds of attacks, such as information theft, DDoS and spam. In this work we propose a mobile botnet detection approach that is independent of the botnet's network structure and of the C&C channel protocol, and that does not need to analyze packet payloads. The approach first defines pre-filter rules that filter the captured network traffic and remove traffic that does not belong to a mobile botnet. It then extracts the network traffic features generated by the C&C channel. Given these features, we use a two-step clustering algorithm based on the unmerged X-means algorithm to cluster a mixed network traffic dataset, consisting of traffic generated by the C&C channel and other normal traffic, and thereby detect the mobile botnet. Experimental results show that this approach achieves 98.34% accuracy.

In summary, this dissertation first designs Andro Generator to generate Android app network traffic, and then carries out a series of research works on this traffic: Android app identification, Android app network traffic cost measurement, Android malware and unsafe advertisement library detection, and mobile botnet detection. Our work gives Android users more visible information about the network behaviors of Android apps and safeguards Android apps for Android users.
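The two-stage identification in contribution (3), as an added illustration that is not the dissertation's code: flows matching a unique string are labelled directly and serve as anchors, and flows that match only a common string (here a shared ad/CDN host) are attributed to the app of the nearest anchor inside a time window. The flow records, the signature strings and the `.invalid` host names are constructed; the "content restoration" step of the original is not modelled, and the time window of 5 seconds is an assumption.

```python
"""Added example: HTTP-signature app identification with unique-string anchors
and time-window correlation of common-string flows. All data is constructed."""
from collections import defaultdict

# Constructed HTTP flow records: one entry per HTTP flow (timestamp in seconds,
# Host header, User-Agent header, bytes carried by the flow).
FLOWS = [
    {"ts": 0.0,  "host": "api.app-alpha.invalid",  "ua": "AlphaClient/2.1", "bytes": 1200},
    {"ts": 0.8,  "host": "cdn.shared-ads.invalid", "ua": "Dalvik/2.1.0",    "bytes": 5400},
    {"ts": 12.0, "host": "sync.app-beta.invalid",  "ua": "Dalvik/2.1.0",    "bytes": 800},
    {"ts": 12.5, "host": "cdn.shared-ads.invalid", "ua": "Dalvik/2.1.0",    "bytes": 6100},
    {"ts": 40.0, "host": "cdn.shared-ads.invalid", "ua": "Dalvik/2.1.0",    "bytes": 300},
]

# Constructed HTTP signatures: "unique" strings occur in only one app's traffic,
# "common" strings (a shared ad/CDN host) occur in several apps' traffic.
SIGNATURES = {
    "AppAlpha": {"unique": ["api.app-alpha.invalid", "AlphaClient/"],
                 "common": ["cdn.shared-ads.invalid"]},
    "AppBeta":  {"unique": ["sync.app-beta.invalid"],
                 "common": ["cdn.shared-ads.invalid"]},
}


def _matches(flow, strings):
    """True if any signature string occurs in the flow's Host or User-Agent."""
    text = flow["host"] + " " + flow["ua"]
    return any(s in text for s in strings)


def identify(flows, signatures, window=5.0):
    """Return one app label (or None) per flow.

    Step 1 labels flows that match a unique string (the anchors).
    Step 2 attributes a common-string flow to the app of the nearest anchor
    within `window` seconds; flows with no anchor nearby stay unlabelled.
    """
    labels = [None] * len(flows)
    anchors = []                      # indices labelled by unique strings
    for i, f in enumerate(flows):
        for app, sig in signatures.items():
            if _matches(f, sig["unique"]):
                labels[i] = app
                anchors.append(i)
                break
    for i, f in enumerate(flows):
        if labels[i] is not None:
            continue
        candidates = {app for app, sig in signatures.items() if _matches(f, sig["common"])}
        best = None                   # (time distance, app)
        for j in anchors:
            dist = abs(flows[j]["ts"] - f["ts"])
            if labels[j] in candidates and dist <= window:
                if best is None or dist < best[0]:
                    best = (dist, labels[j])
        if best is not None:
            labels[i] = best[1]
    return labels


def traffic_by_app(flows, labels):
    """Total bytes attributed to each app ("unknown" for unlabelled flows)."""
    totals = defaultdict(int)
    for f, label in zip(flows, labels):
        totals[label or "unknown"] += f["bytes"]
    return dict(totals)


if __name__ == "__main__":
    result = identify(FLOWS, SIGNATURES)
    print(result)
    print(traffic_by_app(FLOWS, result))
```

The last CDN flow at 40 s has no anchor within the window and stays "unknown"; in practice that residual bucket is the place to look when a signature set is incomplete, since shared hosts alone never identify an app.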
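For contribution (4), an added example (not the dissertation's code) of turning per-app HTTP flows into the kind of flow features the text names (number of flows, packets, bytes, distinct hosts) and learning a classification rule from labelled examples. A one-feature decision stump stands in for the J48 tree, and the training records are constructed, so the rule it learns says nothing about real malware; it shows the mechanics of feature-based detection only.

```python
"""Added example: per-app HTTP flow features and a learned single-split rule.
Training records are constructed; the decision stump is a stand-in for J48."""

# Constructed training data: (app name, label 1=malicious, flows as (host, packets, bytes)).
TRAINING = [
    ("benign_1",    0, [("a.invalid", 30, 20000), ("b.invalid", 25, 15000)]),
    ("benign_2",    0, [("a.invalid", 40, 30000), ("c.invalid", 12, 4000), ("d.invalid", 20, 9000)]),
    ("benign_3",    0, [("e.invalid", 50, 60000)]),
    ("malicious_1", 1, [("x1.invalid", 4, 900), ("x2.invalid", 4, 900), ("x3.invalid", 4, 900),
                        ("x4.invalid", 5, 1000), ("x5.invalid", 4, 900)]),
    ("malicious_2", 1, [("y1.invalid", 3, 700), ("y2.invalid", 6, 1500), ("y3.invalid", 4, 800),
                        ("y4.invalid", 4, 800)]),
    ("malicious_3", 1, [("z1.invalid", 5, 1100), ("z2.invalid", 5, 1100), ("z3.invalid", 6, 1300),
                        ("z4.invalid", 5, 1100), ("z5.invalid", 5, 1100), ("z6.invalid", 5, 1100)]),
]

FEATURE_NAMES = ["n_flows", "n_packets", "n_bytes", "n_hosts", "packets_per_flow"]


def flow_features(flows):
    """HTTP flow features for one app, in FEATURE_NAMES order."""
    n_flows = len(flows)
    n_packets = sum(p for _, p, _ in flows)
    n_bytes = sum(b for _, _, b in flows)
    n_hosts = len({h for h, _, _ in flows})
    return [n_flows, n_packets, n_bytes, n_hosts, n_packets / n_flows]


def train_stump(rows):
    """Return (accuracy, (feature, threshold, direction)) with the best training accuracy.

    direction=1 predicts malicious when value > threshold, -1 when value <= threshold.
    Ties keep the earlier feature/threshold, so the result is deterministic.
    """
    xs = [flow_features(flows) for _, _, flows in rows]
    ys = [label for _, label, _ in rows]
    best = (0.0, None)
    for k, name in enumerate(FEATURE_NAMES):
        values = sorted({x[k] for x in xs})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2          # candidate split between neighbouring values
            for direction in (1, -1):
                preds = [int((x[k] > thr) == (direction == 1)) for x in xs]
                acc = sum(p == y for p, y in zip(preds, ys)) / len(ys)
                if acc > best[0]:
                    best = (acc, (name, thr, direction))
    return best


def predict(stump, flows):
    """Apply a trained stump to one app's flows: 1 = malicious, 0 = benign."""
    name, thr, direction = stump
    value = flow_features(flows)[FEATURE_NAMES.index(name)]
    return int((value > thr) == (direction == 1))


if __name__ == "__main__":
    acc, stump = train_stump(TRAINING)
    print(f"training accuracy {acc:.2%}, rule: {stump}")
```

Because the constructed data is separable on several features, the first feature in `FEATURE_NAMES` that reaches 100% wins; a real tree learner ranks splits by information gain over many attributes, and its accuracy must be reported on held-out apps, not on the training set as printed here.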
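For contribution (5), an added example (not the dissertation's code) of the three stages the text describes: pre-filter rules that drop traffic which cannot be C&C, payload-independent timing and size features per (source, destination) pair, and clustering of the mixed dataset. The flows are constructed: three phones that contact one host at a fixed period with a fixed size, and two phones with irregular browsing. A plain k-means with k=2 and fixed initialisation stands in for the two-step X-means clustering, and the allowlist and minimum flow count are assumptions.

```python
"""Added example: pre-filtering, C&C-style timing features and k=2 clustering
over constructed flow records (a stand-in for the two-step X-means approach)."""
from collections import defaultdict
from math import sqrt

# Constructed pre-filter rules: infrastructure hosts to ignore, and the minimum
# number of flows a (src, dst) pair needs before periodicity is measurable.
ALLOWLIST = {"dns.resolver.invalid", "update.vendor.invalid"}
MIN_FLOWS = 3


def beacon(src, dst, period=60, size=512, count=5):
    """Constructed periodic, fixed-size contacts (src, dst, timestamp, bytes)."""
    return [(src, dst, i * period, size) for i in range(count)]


def browse(src, dst):
    """Constructed irregular browsing traffic."""
    times = [0, 7, 9, 45, 130, 131, 200]
    sizes = [3000, 15000, 800, 42000, 1200, 9000, 22000]
    return [(src, dst, t, s) for t, s in zip(times, sizes)]


FLOWS = (beacon("phone-1", "cc.invalid") + beacon("phone-2", "cc.invalid")
         + beacon("phone-3", "cc.invalid")
         + browse("phone-4", "news.invalid") + browse("phone-5", "shop.invalid")
         + [("phone-4", "dns.resolver.invalid", 3, 90), ("phone-5", "once.invalid", 8, 4000)])


def prefilter(flows):
    """Group by (src, dst); drop allowlisted hosts and pairs with too few flows."""
    groups = defaultdict(list)
    for src, dst, ts, size in flows:
        if dst not in ALLOWLIST:
            groups[(src, dst)].append((ts, size))
    return {pair: sorted(v) for pair, v in groups.items() if len(v) >= MIN_FLOWS}


def _cv(values):
    """Coefficient of variation (std / mean); 0 for a constant series."""
    mean = sum(values) / len(values)
    if mean == 0:
        return 0.0
    return sqrt(sum((v - mean) ** 2 for v in values) / len(values)) / mean


def features(group):
    """[CV of inter-arrival time, CV of flow size] for one (src, dst) pair."""
    ts = [t for t, _ in group]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return [_cv(gaps), _cv([s for _, s in group])]


def kmeans2(points, rounds=20):
    """k=2 k-means; centroids start at the first point and the point farthest from it."""
    def dist(p, q):
        return sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))
    c = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    assign = [0] * len(points)
    for _ in range(rounds):
        assign = [0 if dist(p, c[0]) <= dist(p, c[1]) else 1 for p in points]
        for k in (0, 1):
            members = [p for p, a in zip(points, assign) if a == k]
            if members:
                c[k] = [sum(x) / len(members) for x in zip(*members)]
    return assign


def detect(flows):
    """Map each surviving (src, dst) pair to True if it lands in the more regular cluster."""
    groups = prefilter(flows)
    pairs = list(groups)
    feats = [features(groups[p]) for p in pairs]
    assign = kmeans2(feats)
    # The cluster whose members have the lower mean CV is the C&C-like one:
    # periodic beacons of constant size have near-zero variation on both axes.
    mean_cv = [sum(sum(f) for f, a in zip(feats, assign) if a == k) / max(1, assign.count(k))
               for k in (0, 1)]
    cc = mean_cv.index(min(mean_cv))
    return {p: a == cc for p, a in zip(pairs, assign)}


if __name__ == "__main__":
    for pair, flagged in detect(FLOWS).items():
        print(pair, "regular/C&C-like" if flagged else "irregular")
```

The single contact to `once.invalid` and the resolver lookup never reach the clustering stage, which is the point of the pre-filter: it shrinks the dataset to pairs on which the features are meaningful. Legitimate periodic traffic (push keep-alives, telemetry) will land in the regular cluster as well, so the cluster is a candidate set for further analysis rather than a verdict.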
Keywords/Search Tags:Android application, HTTP traffic, Android app recommendation, Android malware, unsafe advertisement library, mobile botnet