Android Malware Family Classification Research And System Implementation Based On Network Traffic

Posted on: 2021-05-15
Degree: Master
Type: Thesis
Country: China
Candidate: Q He
Full Text: PDF
GTID: 2428330605960614
Subject: Computer technology

Abstract/Summary:
With the development of technology, smart devices have entered an era of unprecedentedly rapid development. Smartphone applications are a mixed blessing: while mobile applications serve our study, work and entertainment, some software quietly carries out malicious behaviours such as stealing privacy, remote control, malicious deductions and mass texting. Malware that exhibits similar malicious behaviour constitutes a malware family. These malicious applications infringe on users' privacy and property, and can even endanger their safety. Malware detection and behaviour analysis for smart terminals have therefore become a common concern of academia, network security vendors and the relevant national departments. This thesis focuses on the problem of malware behaviour detection, proposes a multi-class classification method for malware families based on network traffic, carries out application-level development of a real-time online detection system, and finally delivers a real-time detection platform for mobile malware families that is simple to deploy, offers good user interaction, and has high performance and low power consumption. The main research contents are as follows:

(1) Detection technology analysis and data analysis. By surveying the literature, this thesis reviews the current academic and practical developments at home and abroad, analyses mobile malware detection technology, obtains network traffic data sets and analyses the network traffic protocols. This established that the thesis focuses on two network traffic protocol types, HTTP and TLS, which lays a solid foundation for the subsequent research.

(2) A malware family multi-class classification method based on text vector mapping of unencrypted HTTP protocol headers, named the DLBGM model. This method uses TCP statistical features and HTTP protocol header information features; it vectorises the text vocabulary into numeric form with one-hot encoding, constructs bags of words with a chi-square test, and reduces dimensionality with feature selection algorithms such as variance filtering and the mutual information method. A DNN maps the high-dimensional sparse vectors to low-dimensional non-sparse vectors, which reduces attribute correlation and overfitting in the tree model. Combined with LightGBM for multi-class classification, the model reaches an accuracy of 99.47%.

(3) A malware family multi-class classification method based on the spatio-temporal characteristics of the encrypted TLS protocol flow, named the CNN-LSTM model. The model considers both the spatial and the temporal characteristics of network traffic. It uses the byte distribution of the TCP-layer bytes to avoid the information loss caused by clipping the feature input to the convolutional neural network, and uses one-dimensional convolution to extract the spatial features of each packet automatically. An LSTM is connected to extract the temporal characteristics between packets, the Dropout algorithm reduces overfitting, and a Softmax classifier performs the multi-class classification. The model finally achieves a recall rate of 98.67%.

(4) A real-time online detection system for mobile malware families, named YoursGuard. The mobile terminal of the system is responsible for obtaining Android Linux file information and for page display. The server captures real-time traffic, maps traffic to application names, deploys the offline model to return detection feedback, and finally realises a user-friendly and interpretable mobile application detection service.

In summary, this thesis proposes an innovative malware family multi-class classification method. The mobile malware family detection platform based on network traffic is highly effective and scalable, and has certain practical value for industrial enterprises.
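As an added illustration of the DLBGM feature stage described in item (2), and not code from the thesis, the block below tokenises unencrypted HTTP request headers into a bag of words, one-hot encodes each flow over that vocabulary, and ranks every token with a chi-square test against the family label so that only discriminative tokens (here the Host and User-Agent values) are kept for the classifier. The flows, hosts and family names are constructed sample data.

```python
import re
from collections import Counter

# Constructed, labelled HTTP request headers; hosts and family names are hypothetical.
SAMPLE_FLOWS = [
    ("famA", "GET /ad/cfg HTTP/1.1\r\nHost: ads.example\r\nUser-Agent: Dalvik/2.1"),
    ("famA", "POST /ad/rep HTTP/1.1\r\nHost: ads.example\r\nUser-Agent: Dalvik/2.1"),
    ("famB", "GET /sms/pull HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: Mozilla/5.0"),
    ("famB", "POST /sms/push HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: Mozilla/5.0"),
    ("benign", "GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0"),
    ("benign", "GET /logo.png HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0"),
]

def tokenize(raw):
    """Lowercase bag of words from the request line and header fields."""
    return {t.lower() for t in re.findall(r"[A-Za-z0-9.*/-]+", raw)}

def build_vocab(flows):
    """Sorted list of every token seen across the training flows."""
    return sorted(set().union(*(tokenize(h) for _, h in flows)))

def one_hot(raw, vocab):
    """Binary presence vector of the flow's tokens over the given vocabulary."""
    toks = tokenize(raw)
    return [1 if tok in toks else 0 for tok in vocab]

def chi_square(flows, vocab):
    """Chi-square statistic of each token's presence against the family label:
    a 2 x |families| contingency table per token, summing (O - E)^2 / E."""
    n, rows = len(flows), [(label, tokenize(h)) for label, h in flows]
    families = Counter(label for label, _ in flows)
    scores = {}
    for tok in vocab:
        present = sum(tok in toks for _, toks in rows)
        chi2 = 0.0
        for fam, fam_n in families.items():
            for has, col_total in ((True, present), (False, n - present)):
                observed = sum(1 for lbl, toks in rows if lbl == fam and (tok in toks) == has)
                expected = fam_n * col_total / n
                if expected:
                    chi2 += (observed - expected) ** 2 / expected
        scores[tok] = round(chi2, 6)  # rounding lets identical tables tie exactly
    return scores

def select_features(flows, k):
    """Keep the k tokens most associated with the family label and re-vectorise."""
    scores = chi_square(flows, build_vocab(flows))
    kept = sorted(scores, key=lambda t: (-scores[t], t))[:k]
    return kept, [(label, one_hot(h, kept)) for label, h in flows]

if __name__ == "__main__":
    kept, vectors = select_features(SAMPLE_FLOWS, 3)
    print(kept)
    for label, vec in vectors:
        print(label, vec)
```

Tokens that appear in every flow (Host, HTTP/1.1, User-Agent) score zero and drop out, while tokens that split cleanly by family score the maximum; the real pipeline would then pass the surviving sparse vectors through the DNN embedding before LightGBM.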
Keywords/Search Tags: network traffic, malware family classification, machine learning, deep learning