
Mobile Malware Detection Model Using Network Traffic When Accessing To The Internet

Posted on: 2017-03-09
Degree: Master
Type: Thesis
Country: China
Candidate: H B Han
GTID: 2348330488968645
Subject: Computer Science and Technology

Abstract/Summary:
With the popularity of smartphones and the arrival of the mobile Internet era, the smartphone-based mobile intelligent terminal has surpassed the traditional personal computer to become the most popular computing device. Meanwhile, hackers and virus writers driven by a variety of interests are paying close attention to mobile terminals, and mobile malware has begun to spread unchecked. Without effective control measures, it would inevitably bring serious losses to the state and society, with consequences that are hard to imagine. Mobile security has therefore drawn wide attention from academia and industry. Currently, although network traffic analysis has gradually been recognized as a way to identify mobile malware, existing research mostly remains theoretical because of the lack of a large-scale malware repository and of a systematic analysis of network traffic features. At the same time, very little research has focused on the real-time and imbalanced-data problems that arise in practical applications. This thesis therefore addresses these problems from the following three aspects and, on different technological foundations, proposes two malware detection models that operate when mobile devices access the Internet.

First, to address the lack of large-scale malicious traffic data for mobile network traffic analysis, we designed an Android malware traffic behavior monitoring scheme that captures the traffic generated by malware samples in a real Internet environment, and built an automatic network traffic collection platform. On this basis, we collected the traffic data generated by 5560 malware samples and developed a mobile malicious network behavior data set with real class labels. We also analyzed the basic network traffic features and verified some important conclusions, including that mobile malware generates malicious behavior in the first few minutes, the major components at the application layer, and the features of DNS and HTTP. We believe our research provides an in-depth analysis of mobile malware's network behavior.

Second, malware detection at Internet access time has an obvious real-time requirement. Based on the above analysis of DNS and HTTP, we proposed a real-time mobile malware detection model based on distributed services. This method requires little computation, and the detection rate could reach 41.18%.

Finally, in practical scenarios for mobile anomalous traffic detection, the number of benign applications is far greater than the number of malicious applications, so in a real Internet environment the amount of normal traffic data is far greater than the amount of malicious traffic data; that is, the two are highly imbalanced. We reveal the universal existence of this phenomenon through experimental simulation and theoretical estimation. Moreover, based on the IDGC (Imbalanced Data Gravity Classification) model, we proposed the S-IDGC (Simplex Imbalanced Data Gravity Classification) model, which inherits the stability of the IDGC model while greatly improving the training time, so that it can be applied in real time at Internet access. In addition, we designed a distributed malware detection model based on machine learning for use at access time: child server nodes deployed at the network access points detect malicious applications, while the central server node trains the classifier and updates the child nodes regularly.
Keywords/Search Tags: mobile malware, network behavior data set, real-time detection, imbalanced data set, machine learning