Android Malware Detection Based On Network Flow Analysis

Posted on: 2021-02-13; Degree: Master; Type: Thesis
Country: China; Candidate: W Q Pan; Full Text: PDF
GTID: 2428330623467781; Subject: Cyberspace security
Abstract/Summary:
With the development of the smartphone industry, people are increasingly dependent on smartphones in their daily work and study. As one of the most popular smartphone systems, the Android system and its security are attracting more and more attackers and security researchers. According to the research of Zhou, Sarma and Yerima, 93.8% of Android malware needs to access the network during its attack process, and it is feasible to detect Android malware based on network traffic features. In recent years, this field has attracted much attention. Current research is mainly based on machine learning, and this thesis finds two main shortcomings in such methods.

First, current research on Android malware traffic detection is mainly based on earlier public data sets, such as Android Malware Genome from 2012. According to the research of Pendlebury, the continuous updating of Android malware causes detection efficiency to decrease gradually over time, so the latest data set needs to be collected to verify how a method works. It is therefore necessary to research and develop an automated Android network traffic analysis method. Second, feature selection is difficult, existing methods cannot make full use of traffic context information, and recognition accuracy is low.

For the first problem, this thesis constructs a network traffic analysis method that automates the process. Experiments show that the traffic collected by this scheme is effective and that the filtering scheme works correctly without destroying the data. For the second problem, this thesis constructs a method based on spatio-temporal features. Analyzing the structural features of network traffic, the structure of the Pcap file makes it a two-dimensional matrix, and the sequence of network traffic makes it a long text. Based on this, this thesis proposes an Android malware traffic detection scheme based on spatio-temporal features, which combines these features using a CNN and an improved multilayer bidirectional LSTM.

On a data set built from CICAndMal2017 and data collected through the automatic acquisition method of this thesis, a comparative study is carried out against detection methods that use a CNN or an LSTM model alone, random forest, decision tree, KNN, and statistical features. The data show that the proposed method has improved accuracy, precision, true positive rate, and F1 score.
Keywords/Search Tags: Android, Malware Detection, Deep Learning, Network Traffic Analysis