Abstract
Android has become the most popular operating system for smartphones. Malicious applications, however, pose a serious threat on the Android platform: much of this malware is designed to steal the user's personal information or to control the user's device over the network. In this paper, we show how to efficiently cluster network behavior by analyzing statistical features of HTTP flows at the network level. To do so, we observe specific statistical features of the HTTP flows generated by more than 8,000 malware samples. We then separate the malware's malicious network behavior into seven clusters using clustering techniques. Our evaluation shows that HTTP flows in the same cluster have similar network behavior and that there are large differences between clusters; this similarity and variability are visible in specific network-level statistical features. In addition, to present the results more intuitively, we reduce the dimensionality of the original features and show the final clustering result in two-dimensional space.
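The pipeline the abstract summarises, as an added example that is not the paper's code: per-flow HTTP statistics are extracted, z-scored, clustered with k-means (farthest-point seeding so the run is deterministic), and the number of clusters is chosen by the silhouette coefficient. It runs on a handful of constructed flow summaries rather than the paper's 8,000-sample corpus, the feature set and field names are assumptions, and it stops before the 2-D projection the paper uses for visualisation.

```python
"""Cluster malware HTTP flows by per-flow statistics (added example, standard library only).

The "family" tag on each constructed flow is ground truth used only to check the
result; it is never fed to the clustering.
"""
import math

# Constructed HTTP flow summaries (not real captures; field names are assumptions):
# request count, total request bytes, total response bytes, POST count, duration.
FLOWS = [
    ("beacon", dict(requests=48, req_bytes=9600, resp_bytes=7200, posts=0, duration_s=580.0)),
    ("beacon", dict(requests=60, req_bytes=12600, resp_bytes=9000, posts=0, duration_s=720.0)),
    ("beacon", dict(requests=40, req_bytes=7600, resp_bytes=6400, posts=0, duration_s=500.0)),
    ("beacon", dict(requests=55, req_bytes=11000, resp_bytes=8800, posts=0, duration_s=660.0)),
    ("exfil", dict(requests=4, req_bytes=204800, resp_bytes=400, posts=4, duration_s=28.0)),
    ("exfil", dict(requests=6, req_bytes=330000, resp_bytes=540, posts=6, duration_s=40.0)),
    ("exfil", dict(requests=3, req_bytes=150000, resp_bytes=330, posts=3, duration_s=21.0)),
    ("exfil", dict(requests=5, req_bytes=260000, resp_bytes=500, posts=5, duration_s=35.0)),
    ("download", dict(requests=2, req_bytes=600, resp_bytes=4194304, posts=0, duration_s=18.0)),
    ("download", dict(requests=3, req_bytes=900, resp_bytes=6000000, posts=0, duration_s=25.0)),
    ("download", dict(requests=4, req_bytes=1200, resp_bytes=8500000, posts=0, duration_s=30.0)),
    ("download", dict(requests=2, req_bytes=640, resp_bytes=4500000, posts=0, duration_s=16.0)),
]


def extract_features(flow):
    """Network-level statistics for one flow: request count, mean request size,
    mean response size, POST ratio and mean inter-request interval."""
    n = flow["requests"]
    return [float(n), flow["req_bytes"] / n, flow["resp_bytes"] / n,
            flow["posts"] / n, flow["duration_s"] / n]


def zscore(rows):
    """Scale every feature to zero mean and unit variance so byte counts do not
    dominate the Euclidean distance; constant columns are left unscaled."""
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0
            for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]


def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(rows, k, iters=100):
    """Lloyd's k-means. Seeds are chosen by farthest-point traversal from the first
    row, so repeated runs give the same result without a random generator."""
    centroids = [rows[0]]
    while len(centroids) < k:
        centroids.append(max(rows, key=lambda r: min(dist(r, c) for c in centroids)))
    labels = [0] * len(rows)
    for _ in range(iters):
        new = [min(range(k), key=lambda j: dist(r, centroids[j])) for r in rows]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [r for r, lab in zip(rows, labels) if lab == j]
            if members:  # an emptied cluster keeps its old centroid
                centroids[j] = [sum(c) / len(members) for c in zip(*members)]
    return labels


def silhouette(rows, labels):
    """Mean silhouette coefficient: (b - a) / max(a, b) per point, where a is the
    mean distance to its own cluster and b the smallest mean distance to another
    cluster. Singleton clusters score 0."""
    scores = []
    for i, r in enumerate(rows):
        own = [dist(r, o) for j, o in enumerate(rows) if j != i and labels[j] == labels[i]]
        if not own:
            scores.append(0.0)
            continue
        a = sum(own) / len(own)
        b = min(sum(dist(r, o) for j, o in enumerate(rows) if labels[j] == lab) / labels.count(lab)
                for lab in set(labels) if lab != labels[i])
        scores.append((b - a) / max(a, b))
    return sum(scores) / len(scores)


def cluster_flows(flows, k_range=range(2, 6)):
    """Return (best_k, silhouette, labels): the k in k_range with the highest
    silhouette (smaller k on ties) and the clustering for that k."""
    rows = zscore([extract_features(f) for f in flows])
    score, k = max(((silhouette(rows, kmeans(rows, k)), k) for k in k_range),
                   key=lambda t: (t[0], -t[1]))
    return k, score, kmeans(rows, k)


if __name__ == "__main__":
    k, score, labels = cluster_flows([flow for _, flow in FLOWS])
    print(f"best k={k} silhouette={score:.2f}")
    for (family, _), lab in zip(FLOWS, labels):
        print(f"cluster {lab}: {family}")
```

On this constructed input the silhouette peaks at k=3 and the clusters coincide with the three constructed families; on real traffic the same per-flow statistics are noisier and the choice of k is the step to scrutinise, since a high silhouette at a small k can simply mean the features separate "large download" from "everything else".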
Acknowledgement
This work was supported by the National Natural Science Foundation of China under Grants No. 61672262, No. 61573166, No. 61472164 and No. 61572230, the Natural Science Foundation of Shandong Province under Grants No. ZR2014JL042 and No. ZR2012FM010, and the Shandong Provincial Key R&D Program under Grant No. 2016GGX101001.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Wang, S., Chen, Z., Li, X., Wang, L., Ji, K., Zhao, C. (2017). Android Malware Clustering Analysis on Network-Level Behavior. In: Huang, DS., Bevilacqua, V., Premaratne, P., Gupta, P. (eds) Intelligent Computing Theories and Application. ICIC 2017. Lecture Notes in Computer Science, vol 10361. Springer, Cham. https://doi.org/10.1007/978-3-319-63309-1_71
DOI: https://doi.org/10.1007/978-3-319-63309-1_71
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-63308-4
Online ISBN: 978-3-319-63309-1
eBook Packages: Computer Science, Computer Science (R0)