Enhanced Feature-Based Approach to Identify and Classify Android Encrypted Malware Traffic
摘要
Android mobile devices are ubiquitous and vulnerable to malware threats. Existing research mainly focuses on static malware detection methods, which are limited in detecting dynamically manifested or obfuscated malicious activities. Dynamic malware detection based on traffic analysis is crucial for improving network service quality and ensuring effective security monitoring. However, the widespread use of encryption protocols, especially the Transport Layer Security (TLS) protocol, poses a significant challenge in identifying and classifying encrypted malware traffic. This paper proposes a novel approach that leverages enhanced features and ensemble learning to identify and classify encrypted malware traffic for Android devices effectively. By analyzing the TLS protocol, an enhanced feature set is proposed, combining TLS protocol-related features with session-based statistical features to extract robust fingerprints from mobile device traffic. Then, an ensemble learning strategy is employed to construct a voting classifier that integrates the prediction results of multiple base classifiers, thus improving the classification accuracy. Extensive experiments using the CICAndMal2017 dataset demonstrate that our approach consistently outperforms other classifiers in all six tasks, achieving the highest weighted F1-Scores and improving balanced accuracy by up to 47.46% compared to the baseline method.