
Detection And Classification Of Android Malware Based On Key Traffic Images

Posted on: 2022-11-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Peng
Full Text: PDF
GTID: 2518306764466944
Subject: Automation Technology
Abstract/Summary:
Android is the mobile operating system with the largest number of installed devices and the most users in the world. Malware attacks on it are frequent and pose a great threat to the property and privacy of Android users. Most Android malware needs to attack online, and network traffic carrying the malicious payload is generated during the attack. Using the traffic generated while software runs to detect Android malware has proved to be an effective research direction worth exploring. Earlier studies in this direction mostly used traditional machine learning methods such as Support Vector Machine and Random Forest, but with these methods the classification accuracy depends on the quality of feature engineering and has a low upper limit, and the classification ability of many models struggles to meet actual security requirements. Later, researchers used neural network models to process traffic, but these deep learning studies focused more on which neural network model to use and neglected the exploration of the traffic itself. The problem to be solved is how to improve both the preprocessing and the neural network model so that the whole deep learning scheme uses traffic data more effectively to detect and classify Android malware.

To solve these problems, this thesis proposes an Android malware detection and classification scheme dedicated to traffic preprocessing and bi-dimensional feature mining. The scheme first applies a traffic preprocessing method called key traffic image generation, which preprocesses the original traffic with a traffic cleaning algorithm and a key traffic image extraction algorithm and outputs a key traffic image that effectively represents the key traffic features. The key traffic features can determine the character of the software from the perspective of network behavior, so the traffic samples can be classified more effectively. The scheme then uses a convolutional neural network named 1.5-D TSCNN to process the key traffic images to detect and classify Android malware. The network can learn the key traffic features more comprehensively from the two dimensions of time and space, which further improves the classification ability of the model.

The scheme achieves a 98.8% classification accuracy for Android malware on a dataset named CICAndMal2017. Compared with some traditional machine learning methods, classification precision is improved by about 24.7 percentage points on average and classification recall by about 25.5 percentage points on average. The Android malware detection and classification capabilities of the scheme are greatly improved, and the scheme has the advantage of not requiring tedious feature engineering. Compared with other deep learning methods, the scheme has the best Android malware classification effect, which shows that the 1.5-D TSCNN convolutional neural network can make good use of the key spatiotemporal traffic features in the key traffic images. The experimental results show that the scheme proposed in this thesis can effectively utilize traffic data and is an excellent Android malware detection and classification scheme.
Keywords/Search Tags: Android, Malware Detection, Deep Learning, Convolutional Neural Network, Network Traffic Analysis