KSII Transactions on Internet and Information Systems (TIIS)

Korean Society for Internet Information (한국인터넷정보학회)
권호 표지
DOI QR코드

DOI QR Code

De-cloaking Malicious Activities in Smartphones Using HTTP Flow Mining

  • Su, Xin (Hunan Provincial Key Laboratory of Network Investigational Technology, Hunan Police Academy) ;
  • Liu, Xuchong (Hunan Provincial Key Laboratory of Network Investigational Technology, Hunan Police Academy) ;
  • Lin, Jiuchuang (Key Lab of Information Network Security, Ministry of Public Security) ;
  • He, Shiming (School of Computer and Communication Engineering, Hunan Provincial Key Laboratory of Intelligent Processing of Big Data on Transportation, Changsha University of Science and Technology) ;
  • Fu, Zhangjie (School of Computer and Software, Nanjing University of Information Science and Technology) ;
  • Li, Wenjia (Department of Computer Sciences, New York Institute of Technology)
  • Received : 2016.11.26
  • Accepted : 2017.03.21
  • Published : 2017.06.30
Download PDF
⟨ Previous Next ⟩

Abstract

Android malware steals users' private information, and embedded unsafe advertisement (ad) libraries, which execute unsafe code causing damage to users. The majority of such traffic is HTTP and is mixed with other normal traffic, which makes the detection of malware and unsafe ad libraries a challenging problem. To address this problem, this work describes a novel HTTP traffic flow mining approach to detect and categorize Android malware and unsafe ad library. This work designed AndroCollector, which can automatically execute the Android application (app) and collect the network traffic traces. From these traces, this work extracts HTTP traffic features along three important dimensions: quantitative, timing, and semantic and use these features for characterizing malware and unsafe ad libraries. Based on these HTTP traffic features, this work describes a supervised classification scheme for detecting malware and unsafe ad libraries. In addition, to help network operators, this work describes a fine-grained categorization method by generating fingerprints from HTTP request methods for each malware family and unsafe ad libraries. This work evaluated the scheme using HTTP traffic traces collected from 10778 Android apps. The experimental results show that the scheme can detect malware with 97% accuracy and unsafe ad libraries with 95% accuracy when tested on the popular third-party Android markets.

Keywords

References

  1. McAfee. http://www.mcafee.com, 2012.
  2. Antonio Bianchi Christopher Kruegel Sebastian Poeplau, Yanick Fratantonio and Giovanni Vigna, "Execute this! analyzing unsafe and malicious dynamic code loading in android applications," in Proc. of Network & Distributed System Security Symposium, 1-16, 2014.
  3. Malte Hubner Hugo Gascon Daniel Arp, Michael Spreitzenbarth and Konrad Rieck, "Drebin: Effective and explainable detection of android malware in your pocket," in Proc. of Network & Distributed System Security Symposium, 2014.
  4. X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos, "Profiledroid: Multilayer profiling of android applications," in Proc. of the 18th annual international conference on Mobile computing and networking, 11(1): 137-148, 2012.
  5. C. Lever, M. Antonakakis, B. Reaves, P. Traynor, and W Lee, "The core of the matter: Analyzing malicious traffic in cellular carriers," in Proc. of Network & Distributed System Security Symposium, 2013.
  6. N. Vallina-Rodriguez, J. Shah, A. Finamore, H. Haddadi, and et al., "Breaking for commercials: Characterizing mobile advertising," in Proc. of the 2012 Internet Measurement Conference, 343-356, 2012.
  7. T.T.T. Nguyen and G. Armitage, "A survey of techniques for internet traffic classification using machine learning," Communications Surveys Tutorials, IEEE, 10(4):56-76, 2008. https://doi.org/10.1109/SURV.2008.080406
  8. W. Cui, J. Kannan, and H. J. Wang, "Discoverer: automatic protocol reverse engineering from network traces," in Proc. of 16th USENIX Security Symposium on USENIX Security Symposium, 2007.
  9. P. Royal, "Analysis of the kraken botnet," Technical report, Damballa Labs, 2008.
  10. S. Hao, N. Feamster, and R. Pandrangi, "An internet wide view into dns lookup patterns," Technical report, Verisign Labs, 2010.
  11. J. Jung, E. Sit, H. Balakrishnan, and R. Morris, "Dns performance and the effectiveness of caching," IEEE/ACM Trans. Netw., 10(5):589-603, 2002. https://doi.org/10.1109/TNET.2002.803905
  12. Xin Su, Dafang Zhang, Wenjia Li, and Kai Zhao, "A Deep Learning Approach to Android Malware Feature Learning and Detection," in Proc .of Trustcom 2016: 244-251, 2016.
  13. K. Zhao, D.F. Zhang, X. Su, and W.J. Li, "Fest: A feature extraction and selection tool for android malware detection," in Proc .of 2015 IEEE Symposium on Computers and Communication, 714-720, 2015.
  14. Bin Gu and Victor S. Sheng, "A Robust Regularization Path Algorithm for $\nu$-Support Vector Classification," IEEE Transactions on Neural Networks and Learning Systems, 1:1-8, 2016.
  15. Yuhui Zheng, Byeungwoo Jeon, Danhua Xu, Q.M. Jonathan Wu, and Hui Zhang, "Image segmentation by generalized hierarchical fuzzy C-means algorithm," Journal of Intelligent and Fuzzy Systems, 28(2): 961-973, 2015.
  16. Xuezhi Wen, Ling Shao, Yu Xue, and Wei Fang, "A rapid learning algorithm for vehicle classification," Information Sciences, 295(1): 395-406, 2015. https://doi.org/10.1016/j.ins.2014.10.040
  17. Bin Gu, Victor S. Sheng, Zhijie Wang, Derek Ho, Said Osman, and Shuo Li, "Incremental learning for $\nu$-Support Vector Regression," Neural Networks, 67: 140-150, 2015. https://doi.org/10.1016/j.neunet.2015.03.013
  18. Gu Bin, Victor S. Sheng, and Shuo Li, "Bi-parameter space partition for cost-sensitive SVM," in Proc. of the 24th International Conference on Artificial Intelligence, 3532-3539, 2015
  19. M. C. Grace, W. Zhou, X. Jiang, and A. Sadeghi, "Unsafe exposure analysis of mobile in-app advertisements," in Proc. of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, 101-112, 2012.
  20. H. Haddadi, P. Hui, and L. Brown, "Mobiad: private and scalable mobile advertising," in Proc. of MobiArch, 2010.
  21. S. Guha, A. Reznichenko, K. Tang, H. Haddadi, and P. Francis, "Serving ads from localhost for performance, privacy, and profit," in Proc. of Hot Topics in Networking, 2009.
  22. Monkeyrunner. http://developer.android.com/tools/help/monkeyrunnerconcepts.html, 2012.
  23. Hierarchy Viewer. http://developer.android.com/tools/help/hierarchy-viewer.html, 2010.
  24. Y. Zhou and X. Jiang, "Dissecting android malware: Characterization and evolution," in Proc. of the 2012 IEEE Symposium on Security and Privacy, 95-109, 2012.
  25. Zhangjie Fu, Xingming Sun, Qi Liu, Lu Zhou, and Jiangang Shu, "Achieving Efficient Cloud Search Services: Multi-keyword Ranked Search over Encrypted Cloud Data Supporting Parallel Computing," IEICE Transactions on Communications, E98-B(1): 190-200, 2015. https://doi.org/10.1587/transcom.E98.B.190
  26. A. Andoni and P. Indyk, "Near-optimal hashing algorithms for approximate nearest neighbor in high dimensions," Commun. ACM, 51(1):117-122, 2008. https://doi.org/10.1145/1327452.1327494
  27. AnserverBot. "Security alert: Anserverbot," new sophisticated android bot found in alternative android markets, 2012.
  28. DroidKungFu, http://www.fortiguard.com/encyclopedia/virus/android droidkungfu.a!tr.html, 2012.
  29. MDL. http://www.malwaredomainlist.com/mdl.php.
  30. Weka. http://www.cs.waikato.ac.nz/ml/weka/.
  31. Q. Xu, J. Erman, A. Gerber, Z.Q Mao, J. Pang, and S. Venkataraman, "Identifying diverse usage behaviors of smartphone apps," in Proc. of the 2011 ACM SIGCOMM conference on Internet measurement conference, 329-344, 2011.

Cited by

  1. An Informative and Comprehensive Behavioral Characteristics Analysis Methodology of Android Application for Data Security in Brain-Machine Interfacing vol.2020, pp.None, 2017, https://doi.org/10.1155/2020/3658795