
A Real-time Android Malware Detection System Based on Network Traffic Analysis

Conference paper in: Algorithms and Architectures for Parallel Processing (ICA3PP 2015)

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 9530))

Abstract

Mobile devices such as mobile phones and tablets are everywhere nowadays. Meanwhile, various kinds of malware on mobile terminals are emerging one after another, especially on the open-source Android system. Traditional detection schemes are based on static or dynamic methods. In recent years, industry and academia have paid close attention to detection mechanisms that use network behavior to identify malware. In this paper, we design a real-time Android malware detection system based on network traffic analysis, which consists of a training model and a real-time detection model. By training over malware traffic with the training model, we find that 76.33 % of DNS queries and 45.39 % of HTTP requests are malicious. We set up a real-time scanning service based on the malicious URLs captured in the training model, which is the core of the real-time detection model. By performing malware detection with the established real-time detection model, we show that the detection rate of the real-time scanning service is much higher than that of the integrated service. Meanwhile, the detection rate improves further when more third-party scanning services are integrated into our system.
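The two-stage pipeline the abstract describes, as an added illustration that is not the paper's code: a training stage that collects the malicious DNS names and HTTP URLs from labelled malware traffic and reports the per-protocol malicious share, and a real-time detection stage that scans new traffic against those captured URLs, optionally combined with third-party scanners. All traffic records, labels and the third-party lookup are constructed placeholders, and the record layout and function names are assumptions of this example.

```python
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Set, Tuple

Record = Tuple[str, str, str]    # (protocol "dns"|"http", sample id, queried name or requested URL)
Scanner = Callable[[str], bool]  # True when the service judges a name or URL malicious
# Constructed training capture from known-malicious samples; every target is a placeholder.
TRAINING: List[Record] = [
    ("dns", "mal-1", "c2-a.invalid"), ("http", "mal-1", "http://c2-a.invalid/reg"),
    ("http", "mal-1", "http://cdn.benign.invalid/lib.js"),
    ("dns", "mal-2", "c2-b.invalid"), ("http", "mal-2", "http://c2-b.invalid/upload"),
    ("dns", "mal-2", "ads.benign.invalid"), ("http", "mal-2", "http://ads.benign.invalid/a"),
]
# Constructed ground truth for the training targets (the paper gets this from scanning services).
TRAINING_LABELS: Set[str] = {"c2-a.invalid", "http://c2-a.invalid/reg",
                             "c2-b.invalid", "http://c2-b.invalid/upload"}
# Constructed live traffic: new-2 contacts a C2 name never seen in training, new-3 is benign.
LIVE: List[Record] = [
    ("dns", "new-1", "c2-a.invalid"), ("http", "new-1", "http://c2-a.invalid/reg"),
    ("dns", "new-2", "c2-c.invalid"), ("http", "new-2", "http://c2-c.invalid/p"),
    ("dns", "new-3", "cdn.benign.invalid"),
]
# Constructed stand-in for one third-party reputation service.
THIRD_PARTY: Scanner = lambda target: "c2-c.invalid" in target

def train(records: List[Record], labels: Set[str]) -> Tuple[Set[str], Dict[str, float]]:
    """Training model: capture malicious names/URLs and the per-protocol malicious share (%)."""
    seen, bad, malicious = Counter(), Counter(), set()
    for proto, _, target in records:
        seen[proto] += 1
        if target in labels:
            bad[proto] += 1
            malicious.add(target)
    return malicious, {p: round(100.0 * bad[p] / seen[p], 2) for p in seen}

def detect(records: List[Record], malicious: Set[str],
           extra: Tuple[Scanner, ...] = ()) -> Dict[str, bool]:
    """Real-time detection: local scanning service (captured URLs) plus optional third-party scanners."""
    scanners: List[Scanner] = [lambda t: t in malicious, *extra]
    verdict: Dict[str, bool] = defaultdict(bool)
    for _, sample, target in records:  # a sample is flagged when any scanner flags any target
        verdict[sample] = verdict[sample] or any(scan(target) for scan in scanners)
    return dict(verdict)

def detection_rate(verdict: Dict[str, bool], malware: List[str]) -> float:
    """Percentage of the known-malware samples that were flagged."""
    return round(100.0 * sum(verdict.get(s, False) for s in malware) / len(malware), 2)

def run() -> Tuple[Dict[str, float], float, float]:
    malicious, share = train(TRAINING, TRAINING_LABELS)   # share mirrors the 76.33 % / 45.39 % figures
    known_malware = ["new-1", "new-2"]
    return (share, detection_rate(detect(LIVE, malicious), known_malware),
            detection_rate(detect(LIVE, malicious, (THIRD_PARTY,)), known_malware))
```

On this constructed data the local service alone catches half of the live malware samples and adding the third-party scanner lifts the rate to 100 %, the effect the abstract reports from integrating more scanning services.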



Acknowledgments

This work was supported by the National Natural Science Foundation of China under Grants No. 61472164 and No. 61203105, and by the Natural Science Foundation of Shandong Province under Grants No. ZR2014JL042 and No. ZR2012FM010.


Corresponding author

Correspondence to Zhenxiang Chen .


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Han, H., Chen, Z., Yan, Q., Peng, L., Zhang, L. (2015). A Real-time Android Malware Detection System Based on Network Traffic Analysis. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science(), vol 9530. Springer, Cham. https://doi.org/10.1007/978-3-319-27137-8_37


  • DOI: https://doi.org/10.1007/978-3-319-27137-8_37

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27136-1

  • Online ISBN: 978-3-319-27137-8
