Android mobile devices are ubiquitous and vulnerable to malware threats. Existing research mainly focuses on static malware detection methods, which are limited in detecting dynamically manifested or obfuscated malicious activities. Dynamic malware detection based on traffic analysis is crucial for improving network service quality and ensuring effective security monitoring. However, the widespread use of encryption protocols, especially the Transport Layer Security (TLS) protocol, poses a significant challenge in identifying and classifying encrypted malware traffic. This paper proposes a novel approach that leverages enhanced features and ensemble learning to identify and classify encrypted malware traffic for Android devices effectively. By analyzing the TLS protocol, an enhanced feature set is proposed, combining TLS protocol-related features with session-based statistical features to extract robust fingerprints from mobile device traffic. Then, an ensemble learning strategy is employed to construct a voting classifier that integrates the prediction results of multiple base classifiers, thus improving the classification accuracy. Extensive experiments using the CICAndMal2017 dataset demonstrate that our approach consistently outperforms other classifiers in all six tasks, achieving the highest weighted F1-Scores and improving balanced accuracy by up to 47.46% compared to the baseline method.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Enhanced Feature-Based Approach to Identify and Classify Android Encrypted Malware Traffic

  • Jiaqi Gao,
  • Yaru He,
  • Mingrui Fan,
  • Yueming Lu,
  • Yaojun Qiao

摘要

Android mobile devices are ubiquitous and vulnerable to malware threats. Existing research mainly focuses on static malware detection methods, which are limited in detecting dynamically manifested or obfuscated malicious activities. Dynamic malware detection based on traffic analysis is crucial for improving network service quality and ensuring effective security monitoring. However, the widespread use of encryption protocols, especially the Transport Layer Security (TLS) protocol, poses a significant challenge in identifying and classifying encrypted malware traffic. This paper proposes a novel approach that leverages enhanced features and ensemble learning to identify and classify encrypted malware traffic for Android devices effectively. By analyzing the TLS protocol, an enhanced feature set is proposed, combining TLS protocol-related features with session-based statistical features to extract robust fingerprints from mobile device traffic. Then, an ensemble learning strategy is employed to construct a voting classifier that integrates the prediction results of multiple base classifiers, thus improving the classification accuracy. Extensive experiments using the CICAndMal2017 dataset demonstrate that our approach consistently outperforms other classifiers in all six tasks, achieving the highest weighted F1-Scores and improving balanced accuracy by up to 47.46% compared to the baseline method.