A Fast and Effective Detection of Mobile Malware Behavior Using Network Traffic

  • Anran Liu
  • Zhenxiang Chen (corresponding author)
  • Shanshan Wang
  • Lizhi Peng
  • Chuan Zhao
  • Yuliang Shi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11337)


The Android platform has become the most popular smartphone system because of its openness and flexibility, and for the same reasons it has become the target of numerous attackers, who design many kinds of malware to attack Android devices. This has prompted a large number of researchers to study malware detection, and several groups have applied network traffic analysis in their detection models. Most of these models rely primarily on statistical features of network traffic that distinguish malicious traffic from normal traffic. However, when a large volume of network traffic must be processed at detection time, and particularly when some flows are very large because they contain many packets, extracting such features is extremely time consuming. We therefore propose a malware detection approach based on TCP traffic that detects malware behaviour quickly and effectively. We first use a traffic collection platform to collect the network traffic generated by various apps. After preprocessing (filtering and aggregating) the collected traffic, we obtain a large number of TCP flows. We then extract the sizes of the early packets of each TCP flow as its features and pass them to the detection model to obtain the detection result. With our method, the time needed to extract features from 53108 network flows falls from 39321 s to 18041 s, a reduction of 54%, while the method still achieves a detection rate of 97%.
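The pipeline sketched in the abstract (filter to TCP, aggregate packets into flows, take the sizes of the first few packets as the feature vector, hand the vector to a classifier) can be shown end to end in a few dozen lines. The block below is an added illustration, not the paper's code or dataset: the packet records, the training vectors and the labels are constructed, the cut-off N_EARLY = 8 and the direction-signed sizes are assumptions made for the example, and the nearest-centroid classifier stands in for whatever detection model the paper actually trains. The point it makes is the one the abstract makes: feature extraction touches at most N_EARLY packets per flow no matter how long the flow is, so a flow with thousands of packets costs the same as one with eight.

```python
"""Early-packet feature extraction from TCP flows (added example, not the paper's code).

Assumed input format: each packet is a dict with ts, src, sport, dst, dport, proto, size.
Assumed feature design: sizes of the first N_EARLY packets of a bidirectional flow,
positive when sent by the flow initiator, negative when sent back to it, zero-padded.
"""
from collections import defaultdict
import math

TCP = 6
N_EARLY = 8  # assumed cut-off; the paper only says "early packets"


def flow_key(pkt):
    """Canonical bidirectional 5-tuple so both directions land in the same flow."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (min(a, b), max(a, b))


def aggregate_flows(packets):
    """Filter to TCP and group packets into flows, preserving arrival order."""
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):  # stable sort keeps ties in order
        if p["proto"] != TCP:
            continue
        flows[flow_key(p)].append(p)
    return dict(flows)


def early_sizes(flow_pkts, n=N_EARLY):
    """Signed sizes of the first n packets; only those n packets are ever inspected."""
    initiator = (flow_pkts[0]["src"], flow_pkts[0]["sport"])
    feats = []
    for p in flow_pkts[:n]:
        sign = 1 if (p["src"], p["sport"]) == initiator else -1
        feats.append(sign * p["size"])
    feats.extend([0] * (n - len(feats)))  # short flows are zero-padded
    return feats


def train_centroids(labeled):
    """Minimal stand-in for the detection model: one centroid per label."""
    sums, counts = {}, {}
    for vec, label in labeled:
        s = sums.setdefault(label, [0.0] * len(vec))
        for i, v in enumerate(vec):
            s[i] += v
        counts[label] = counts.get(label, 0) + 1
    return {lab: [v / counts[lab] for v in s] for lab, s in sums.items()}


def classify(vec, centroids):
    return min(centroids, key=lambda lab: math.dist(vec, centroids[lab]))


def mk(ts, src, sport, dst, dport, size, proto=TCP):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "size": size, "proto": proto}


# Constructed capture: flow A resembles a TLS handshake, flow B a small plaintext
# beacon, plus one UDP datagram that the TCP filter must drop.
SAMPLE_PACKETS = [
    mk(0.00, "10.0.0.2", 40001, "203.0.113.10", 443, 60),
    mk(0.02, "203.0.113.10", 443, "10.0.0.2", 40001, 60),
    mk(0.03, "10.0.0.2", 40001, "203.0.113.10", 443, 517),
    mk(0.05, "203.0.113.10", 443, "10.0.0.2", 40001, 1460),
    mk(0.05, "203.0.113.10", 443, "10.0.0.2", 40001, 1460),
    mk(0.06, "203.0.113.10", 443, "10.0.0.2", 40001, 300),
    mk(0.08, "10.0.0.2", 40001, "203.0.113.10", 443, 126),
    mk(0.10, "10.0.0.2", 40001, "203.0.113.10", 443, 800),
    mk(0.12, "203.0.113.10", 443, "10.0.0.2", 40001, 900),  # 9th packet, never read
    mk(1.00, "10.0.0.2", 40002, "198.51.100.7", 8080, 60),
    mk(1.02, "198.51.100.7", 8080, "10.0.0.2", 40002, 60),
    mk(1.03, "10.0.0.2", 40002, "198.51.100.7", 8080, 210),
    mk(1.05, "198.51.100.7", 8080, "10.0.0.2", 40002, 140),
    mk(0.50, "10.0.0.2", 5353, "10.0.0.1", 53, 70, proto=17),  # UDP, filtered out
]

# Constructed, labelled early-packet vectors standing in for a training set.
TRAINING = [
    ([60, -60, 517, -1460, -1460, -280, 126, 790], "benign"),
    ([60, -60, 512, -1460, -1200, -260, 130, 640], "benign"),
    ([60, -60, 205, -150, 0, 0, 0, 0], "malware"),
    ([60, -60, 220, -130, 0, 0, 0, 0], "malware"),
]


def run_pipeline(packets=SAMPLE_PACKETS, training=TRAINING):
    """Collect -> filter/aggregate -> early-packet features -> classify, per flow."""
    centroids = train_centroids(training)
    flows = aggregate_flows(packets)
    return {key: classify(early_sizes(pkts), centroids) for key, pkts in flows.items()}


if __name__ == "__main__":
    for key, verdict in run_pipeline().items():
        print(key, "->", verdict)
```

Two practical caveats that follow from the design rather than from the paper: the feature vector of a retransmission-heavy or packet-reordered flow can differ from the same application's clean flow, so an extractor running on live traffic should key on TCP sequence order rather than arrival order where it can; and because only the first N packets are used, anything an app does after its handshake is invisible to this feature, which is precisely the trade the abstract describes between speed and coverage.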


Keywords: Malware detection · Network traffic · Machine learning



Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Anran Liu (1, 2)
  • Zhenxiang Chen (1, 2), corresponding author
  • Shanshan Wang (1, 2)
  • Lizhi Peng (1, 2)
  • Chuan Zhao (1, 2)
  • Yuliang Shi (3)
  1. School of Information Science and Engineering, University of Jinan, Jinan, China
  2. Shandong Provincial Key Laboratory of Network Based Intelligent Computing, Jinan, China
  3. School of Software, Shandong University, Jinan, China
