Android Malware Detection Method And System Based On Network Traffic

Posted on: 2020-02-03
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Shen
GTID: 2428330578467304
Subject: Computer technology

Abstract/Summary:
With the rapid development of the mobile Internet, more and more people use smartphones to communicate and work. Although current mobile operating systems provide users with as safe an online environment as possible, the open-source nature of Android means that large-scale infections and outbreaks of Android malware still cannot be completely prevented. Code-based static detection and behavior-based dynamic detection can identify malware to a certain extent, but many problems remain, such as detecting unknown malicious variants and inefficient deployment. Surveys show that there are two main malware detection mechanisms on the market: the first is detection on server and cloud platforms, and the second is detection on mobile intelligent terminals. Despite strict automated and manual review, a large number of users are still infected by malicious variants. Most malware is aimed at financial gain, and while carrying out malicious behavior it often exhibits obvious network interaction characteristics. This makes it possible to explore an efficient and lightweight malware detection platform. This paper carries out the following research on Android malware detection:

(1) A network traffic collection method for the Android platform is studied. Using the VPNService class provided by the Android SDK, the network traffic of applications on the mobile terminal is captured in a VPN channel built locally on the phone, providing the basic traffic data needed for model construction.

(2) A mapping between traffic and apps based on network connection information is implemented. By analyzing the Android system files /proc/net/tcp and /proc/net/tcp6 together with the ports of the captured traffic, the Android UID is used to identify the application that each network packet came from. This effectively filters out the background traffic of the mobile terminal and prepares the ground for data preprocessing.

(3) An Android malware detection model is built. After data preprocessing, feature selection and packet sequence regularization are performed for each stream. A detection accuracy of 94.65% is achieved by using the first 8 packet lengths and 4 statistical features of the TCP stream combined with the SVM algorithm. Finally, the offline malware detection model is deployed on the server side of the system and used to monitor the terminal's Android applications.

(4) An Android malware detection system based on network traffic is designed and implemented. The system is built on network traffic analysis: in a real network environment, it collects the network traffic of Android terminal applications, extracts the statistical features of the effective traffic, and uses the offline detection model deployed on the server to detect Android malware. This method not only makes up for the weak ability of static detection to discover new variants, but also avoids the high resource cost and difficult deployment of dynamic detection.
Keywords/Search Tags:Traffic collection, Data preprocessing, Machine learning, Malware detection
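
The traffic-to-app mapping in step (2), shown as an added example that is not code from the thesis: it parses /proc/net/tcp and /proc/net/tcp6 rows into a 4-tuple-to-UID table and keeps only flows owned by app UIDs. The function names and sample rows are constructed for illustration, and a little-endian device is assumed.

```python
import ipaddress

FIRST_APP_UID = 10000  # Android gives installed apps UIDs from 10000 upward

# Constructed samples in /proc/net/tcp and /proc/net/tcp6 layout (not captured data).
PROC_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:A1B2 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 40001
   1: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40002
"""
PROC_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0000000000000000FFFF00000F02000A:C350 0000000000000000FFFF00000A0200C0:01BB 01 00000000:00000000 00:00000000 00000000 10087        0 40003
"""

def decode_endpoint(field):
    """Decode 'HEXADDR:HEXPORT' as printed by a little-endian kernel."""
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    # Each 32-bit word is printed in host byte order: reverse every 4-byte group.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    addr = ipaddress.ip_address(packed)
    # Dual-stack sockets list IPv4 peers in tcp6 as ::ffff:a.b.c.d; normalise them.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr), int(port_hex, 16)

def socket_owners(*dumps):
    """Map (local_ip, local_port, remote_ip, remote_port) -> owning UID."""
    owners = {}
    for dump in dumps:
        for line in dump.splitlines()[1:]:      # first line is the column header
            cols = line.split()
            if len(cols) < 8:
                continue                        # blank or truncated row
            owners[decode_endpoint(cols[1]) + decode_endpoint(cols[2])] = int(cols[7])
    return owners

def attribute(flows, owners):
    """Group captured flows by app UID; drop system-UID and unmatched flows."""
    by_uid = {}
    for flow in flows:
        uid = owners.get(flow)
        if uid is not None and uid >= FIRST_APP_UID:
            by_uid.setdefault(uid, []).append(flow)
    return by_uid

if __name__ == "__main__":
    flows = [("10.0.2.15", 41394, "192.0.2.10", 443), ("127.0.0.1", 5037, "0.0.0.0", 0)]
    print(attribute(flows, socket_owners(PROC_TCP, PROC_TCP6)))
```

On Android 10 and later, apps can no longer read /proc/net; a VpnService app can query ConnectivityManager.getConnectionOwnerUid for the same attribution.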