Research of Android Malware Detection Based on

Network Traffic Monitoring

Jun Li1, 2, Lidong Zhai2 Xinyou Zhang1, Daiyong Quan2

1 1
School of Information Science and Technology School of Information Science and Technology
Southwest Jiaotong University, Chengdu, China Southwest Jiaotong University, Chengdu, China
2 2
Institute of Information Engineering Institute of Information Engineering
Chinese Academy of Sciences, Beijing, China Chinese Academy of Sciences, Beijing, China
1
[email protected], [email protected] 1
[email protected], [email protected]

Abstract—With Android terminal into the life of people, the industrial control systems. People is the core of the APT
spread of Android malware seriously affected people's life. As a attacks target, through the invasion of the contact person (such
result of the Android security flaws, attackers can easily collect as Android device) for industrial control or mobile Internet
private information of users, and the information can be utilized penetration attack; APT attack architecture is shown in figure 1,
in APT attacks. It is not only a threat to the end user, but also APT attack purposes can be divided into two main aspects:
poses a threat to industrial control systems and mobile Internet. information espionage, namely steal of the attacker's need
In this paper, we propose a network traffic monitoring system information; Interference, which interfere with the normal
used in the detection of Android malware. The system consists of behavior of the attacker[6]. Android malware attacks to
four components: traffic monitoring, traffic anomaly recognition,
smartphone users caused serious damage, including affecting
response processing and cloud storage. The system parses the
protocol of data packets and extracts the feature data, then use
normal use, monitoring users’ action, stealing users’ privacy
SVM classification algorithm for data classification, determine information, consumption rates, and it’s without prompting the
whether the network traffic is abnormal, and locate the user connected to the Internet to download the software and
application that produced abnormal through the correlation uninstall software, spreading malware [7], etc.
analysis.

The system not only can automatic response and process the
malicious software, but also can generate new security policy
from existing information and training data; When training data
is reaching a certain amount, it will trigger a new round of
training to improve the ability of detection. Finally, we
experiment on the system, the experimental results show that our
system can effectively detect the Android malware and control
the application.

Keywords—Android; Network traffic monitoring; Malware;

SVM
Fig. 1. APT attack architecture.
I. INTRODUCTION
With the rapid development of the Android mobile terminal, With the growing number of available Wi-Fi hotspots, it is
in view of the Android platform showed a trend of the outbreak more convenient to networking for the malware. Malicious
of the number of malicious software. In July 2013, Tencent software has a strong demand for network, Because the
mobile security laboratory July intercepting virus package malicious software to use Wi-Fi network for malicious
94029, among them, the Android system intercepting virus operation is not easy to detect by user, such as “tracking
pack 90989, it’s accounting for 96.7% of the total package invisible man” malware , it send SMS and access to the
Android virus, and Symbian system intercepting virus pack network in the background; DroidKungFu phone zombie virus
3040[1]. by using a HTTP Post ways to send data to a remote servers,
and mobile botnets may also launch denial of service attacks
As a result of the Android open source code, and user's and other cyber-attacks, It will cause the clogging in
frequent flash Android system, it make Android more communication network, thus affect the normal use of the
vulnerable to all sorts of malicious attacks, such as mobile phone[6]. Therefore, we developed a network traffic
botnet, Trojans[2, 3, 4], etc. With the emergence of APT monitoring systems to defend these attacks.
(Advanced Persistent Threat), smart phones are more likely to
be used by the APT attacks. It is found that the three typical In this paper ˈwe propose a network traffic monitoring
malicious code Stuxnet, Duqu and Flame, their main threat to system used in the detection of Android malware. The system
This paper is supported by 863 Program (Grant No.2011AA01A103).

978-1-4799-4315-9/14/$31.00 2014
c IEEE 1739
parses the protocol of data packets and extracts the feature data, III. ANDROID MALWARE DETECTION BASED ON NETWORK
then use SVM classification algorithm for data classification, TRAFFIC MONITORING SYSTEM
determine whether the network traffic is abnormal, and locate
the application that produced abnormal through the correlation A. Android malware detection based on network traffic
analysis. monitoring system structure
This paper is organized as follows: In section II, we present The Android system is based on Linux open source
the background of Android malware detection and related work. operating system. As an open source framework, it provides a
In section III, we present details of the detection system. In lot of software and hardware components of the API, bring it to
Section IV, we will present the experimental results of third party application software developers convenient, but also
detection system. In Section V, we summarize our work. bring convenience to the malicious software developers. Not
only that, they can achieve what you want to modify the kernel
function, this brought a serious security threat to the
II. RELATED WORKS
smartphone platform. Android basic safety mechanism: it
We are going to expound the malware detection technology inheritance of Linux kernel security mechanism to realize the
based on smart phone related work. Researchers have made security system, and realize the application code through
some related smartphone anomaly detection and the application sandbox isolation, and use access mechanism to realize the
of SVM, APT threat detection and protection, these work laid a mandatory access control to the data; But in the face of more
solid foundation for our study. and more advanced security threats, relying only on Android's
Zhai Lidong and Li Yue[6] and others through the analysis security mechanisms for protection of Android users is not
of APT attack process, them found that the attacker using a enough.
large amount of social engineering, and use a variety of To provide maximum protection for Android users, we
business for penetration from different angles to connect design a network traffic monitoring system used in the
through the network. They decided to through the terminal detection of Android malware, it help users find their malware
level, network level and business level and social level to study and suspicious software on the phone. The system framework
the APT attacks. Their analysis pointed out the direction of the is shown in figure 2.
focus for us, our direction is to provide safety protection for
Android terminal users
Zhou Yajin and Jiang Xuxian and others[7] compiled
android malware, and analyze the characteristics of the
Android malware; these malicious software data set is divided
into 49 family a total of 1260 samples, the research to provide t
adequate testing software for ours system.
Hong Yunfeng and others[8] summarizes the Smart Phone
viruses’ characteristic and harm and proposes a Smart Phone
anomaly data flow and application detection method based on
statistical fit, which collects the dataflow and compare them to
the fitting curve in real time, but their experimental simulation
only detect abnormal traffic, and did not show that use of
malicious software and defense.
Mo Yuxiang and others[9] using the SVM classification
algorithm, the Android OS permissions mechanism, the role of
the user-defined strategy safety testing model, as the core
implements the Android OS platform Trojan detection system;
But their SVM model is obtained on the PC, it easy to cause
error and lag, and the role of the classification is not very
reasonable; this method is easy to cause missing and damage Fig. 2. Nnetwork traffic monitoring system framework
the user experience.
The network traffic monitoring system consists of four
Chih-Chung Chang and Chih-Jen Lin[10] realize the SVM
components: traffic monitoring, traffic anomaly recognition,
libraries, which provide convenience for us in the Android
response processing and cloud storage. Traffic monitoring
platform to realize the SVM. Through the implementation code
module is responsible for Android feature extraction, and the
of the standard C - SVC is optimized, and the embedded Linux
network traffic information flow data is divided into training
kernel to improve efficiency and reduce energy consumption.
data and testing data; Traffic anomaly identification module is
used to identify malicious software, it including abnormal
findings engine and traffic correlation analysis, and the
abnormal findings module is divided into training mode and
test mode; Response processing module is responsible for
malicious software, which including automatic processing

1740 2014 IEEE 9th Conference on Industrial Electronics and Applications (ICIEA)
strategy of malicious software library and permissions control; training to obtain the model parameters. The second one is
Cloud storage module is used to store data and security policy, testing mode, the traffic monitoring module extracted data
and it can be generate a new security policy with user's directly into abnormal found engine are analyzed. Abnormal
submissions process information. found engine by machine learning methods to identify the
existence of the network traffic anomaly. Traffic correlation
B. Traffic monitoring analysis module uses abnormal flow of information and
Traffic monitoring module parses the protocol of data software information anomaly correlation analysis to determine
packets and extracts the feature data. Under the normal the flow of the software.
conditions using of Android mobile phone, its network flow 1) Abnormal found engine
will maintain a relatively stable state. Once a virus or malicious SVM(support vector machine) is a machine learning
code attacks, it showed different degrees of abnormal flow method based on statistical learning theory, by seeking
state. Zhou Yajin and Jiang Xuxian collected 1260 samples of structured minimum risk to improve the generalization ability
malicious software is divided into 49 family, which need to and learning machine, minimizing empirical risk and
network communication has 27 family, a total of 1171 confidence limit, so as to achieve under the condition of the
samples[7]. In order to discover the Android malware and to statistical sample size is less, also can obtain good statistical
distinguish the malicious software flow of anomaly, we need law[13].
accurate image description of the Android system normal
network traffic outline, and effective feature selection and Under the condition of nonlinear, treat classification data
extraction. by using nonlinear characteristic of the kernel function
definition mapping , and map it to a higher dimensional space
Traffic monitoring module is mainly to extract the network E, and structure the optimal classification plane in space E, and
traffic data. According to the characteristics of the smart phone derived the optimal classification on the original space Rn,
and malicious software for Android system flow, we which form sample decision rules. The core of abnormal found
constructed a set of feature vector to reflect the characteristics engine algorithm is C-SVC, and its decision function
of the Android system network traffic, as shown in table I, the construction process is as follows:
extracted features as follows: process ID, network connection
start and end time, upward and downward flow, source and Given a training set
destination IP address, protocol type, source and destination
T = {( x1 , y1 ),..., ( xl , y l )} ∈ ( R × Y ) , xi ∈ R , yi ∈ R l ,
n l n
port number.
The system needs two times extractions of training data. yi ∈ Y = {1, −1}, i = 1,..., l ;
First, Google native system under normal uses traffic
information extraction, and marked as 1, indicating that the 1
The largest classification interval focused on ,
normal flow of information software. Second, a malicious ||ω||
2

application traffic information extraction, and marked as -1,

which means that malware traffic information. We use a week 1 1 2

maximizing is the same thing as minimizing ||ω|| .

for traffic information extracted and the extracted information ||ω||
2

2
is stored in the traffic information database.
Previously, we posed the following optimization problem for
finding the optimal margin classifier:
TABLE I. THE ANDROID SYSTEM NETWORK TRAFFIC CHARACTERISTICS
l
1
min & ω &
2
Feature
T_PID
Feature description
ID of process
+C ¦ξ i
(1)
2 i =1
T _Start Start of the network connection time
subject to yi (ω φ ( xi ) + b} ≥ 1 − ξi , ξi ≥ 0, i = 1,..., l
T
T _End End of the network connection time
T _Up Upward flow
T _Down Downward flow The ξ i is called slack variable, and corresponding data
T _SIP Packet source IP address
T _DIP Packet destination IP address
points xi is allowed to deviate the functional margin. C is a
T _Type Protocol type parameter that is used to control the target function of "looking
T _SP Packet source port for the biggest margin hyperplane" and "ensure that data point
T _DP Destination port number deviation minimum" between the weights.
C. Traffic anomaly recognition a) For the original objective function with Lagrange
Traffic identification module mainly includes abnormal method dual problem, use the radial basis kernel function
found engine and traffic correlation analysis, the core of the || x + y ||
2

abnormal founding engine is C-SVC[10, 11, 12], ant it through K ( x , y ) = exp( − ) instead of Φ ( x ) , and import the
σ
2
the traffic data classification and correlation analysis to
determine abnormal software. KKT conditions have the following conclusion:
There are two kinds of abnormal found engine model. The l
1 l l

first one is training mode, through the traffic monitoring max ω ( a ) = ¦α j − ¦¦ y y K ( x , x )a a i j i j i j

(2)
module to extract the feature data sets, and then use it to j =1 2 i =1 j =1

2014 IEEE 9th Conference on Industrial Electronics and Applications (ICIEA) 1741
 l locate the application that produced abnormal through the
subject to ¦ yα i i
= 0, 0 ≤ α i ≤ C , i = 1, ..., l correlation analysis.
i =1

D. Response processing
Using the primal-dual relationship, and
Response processing module is detected corresponding
K (x x ) ≡ φ(x ) φ(x ) is the kernel function, the ω optimal
T

i, j i j processing software, including security policy database and

satisfies: access control modules. Response processing module
according to the security policy database to automatically
l
execute malware corresponding processing operation, you can
ω = ¦ y α φ(x ) i i i
(3) also use access control module to disabled malware networking,
i =1
accessing contact, send SMS, read SMS and positioning
The decision function is: information, and the software settings will be automatically
l
saved to generate the appropriate security policy. Same time,
f ( x ) = sgn (ω φ ( x ) + b ) = sgn ( ¦ yi ai K ( xi , x ) + b)
T
(4) the processing of information to inform the user, and they can
i =1
upload the information and response processing suspicious
software information to cloud storage for the monitoring
We store support vectors, label names, and kernel system further analysis.
parameters in the model for prediction.
2) Analysis of abnormal network traffic E. Cloud Storage
The anomaly found engine is divided into training and test Cloud storage module is used to store the training data and
two stages; The training data set can be updated, and the testing data, abnormal traffic data, security strategy. it can
system according to the requirements in terms of retraining generate new security policy from existing information and
study concluded that more accurate model parameters. In the training data. When training data is reaching a certain amount,
training phase, first of all, we extract a set of training samples; it will trigger a new round of training to improve the ability of
then, we use the sample set training our abnormal found engine, detection.
and generating an abnormal found engine can be normal use. In
the testing phase, the abnormal traffic monitoring module to IV. SYSTEM TESTING AND ANALYSIS
extract data import abnormal found engine directly for
identification. This section is mainly to test the system. This experiment
chooses Samsung mobile phone as test machine, the
Steps are as follows:
configuration parameters are shown in table II.
a) Extract the network traffic characteristic vector. To
extract the traffic data si with traffic monitoring module, and TABLE II. SAMSUNG MOBILE PHONE CONFIGURATION PARAMETERS
automatic extraction of feature vector si( i = 1, ..., l ): Feature Parameter
G Model I9100G I9300 I9103
xi = (T_ PIDi ,T_ Starti ,T_ End1 ,T_Upi ,T_ Downi ,T_ SIPi ,T_ DIPi ,T_Typei ,T_ SPi ,T_ DPi ), CPU Dual-core, Quad-Core, Dual-core ,
G Exynos 4210 Exynos 4412 Nvidia Tegra2
the x i consists of ten characteristic values.
GPU Mali-400MP Mali-400MP -
b) Mark the candidate samples. For each si marked its Operating Android OS 2.3.5 Android OS 2.3.5 Android OS 2.3.5
system
classification results m = −1 and m = 1 , then every sample is
1 2
Kernel Linux kernel Linux kernel Linux kernel
composed of eigenvalue vector and class variables, it can be version 2.6.35 2.6.35 2.6.35
Internal 16 GB storage, 1 16 GB storage, 1 8 GB storage, 1
represented as binary group ( X , m ) and ( X , m ) . 1 2 memory GB RAM GB RAM GB RAM
Wlan Wi-Fi 802.11 Wi-Fiˈ 802.11 Wi-Fiˈ 802.11
c) To construct the training sample set. Random a/b/g/n n/b/g n/b/g
samples of normal and abnormal samples, constitute the
G G JG G 2G GSM GSM GSM
3G WCDMA WCDMA WCDMA
training sample set: D = {(x , m ),(x , m ),...,(x , m ),(x , m )},
1 1 2 2 m−1 1 m 2
m = −1䯸
1
Before malware detection, we have used malware software
m = 1.
2 sets and normal software(shown in table III) for training on
the system, and storage the kernel parameters of model. The
d) Store the model parameter from training.
parameters of model in this experiment is downloaded from
e) Feature vector is extracted from the test data. cloud storage server.
f) According to the model parameters are obtained from In order to test the detection results of the monitoring
the training to judge whether the network traffic anomaly. system, it is necessary to construct a set of test data. In
These methods can be found by malicious software to malicious software selection of 27 need access to the network
network traffic anomaly of Android system, in order to further of malicious software (27 families, each family a random) [7],
analysis result in abnormal software, also need the network and we collected normal software(23) from the Android
traffic anomaly information and software information, and Market (shown in table III), a total of 50 applications. In each
goup, we randomly selected from these candidate software for

1742 2014 IEEE 9th Conference on Industrial Electronics and Applications (ICIEA)
10-14 installation to run. Install monitoring system to mobile 5 14 121.7 137.1 168
phones, when it have a network connection, our system By comparing the experiment result, the monitoring
automatic start to extracts the feature vector. The feature system can effectively detect the Android malware, and the
vector as follows: process ID, network connection start and higher the phone's configuration, the less time malware
end time, upward and downward flow, source and destination detection, but it have undetected and false positives. After
IP address, protocol type, source and destination port number. analysis, we find second and third groups of malware
Each experiment time up to seven days. detection quantity is less than the actual, it causes is malicious
The experimental results of the monitoring system show in sample concentration of some software link server have failed,
table IV, and the detection time of different device show in and some malicious software was unable to complete the
table V. network communication. The reason of false alarm is too little
training data set, in order to reduce the rate of false positives;
TABLE III. NORMAL SOFTWARE we need more data extraction for a long time to complete the
training. Conclusion: our monitoring system achieved the
No Name Developer Category
purpose of Android malware detection.
1 QQ Tencent Technology Communication
Company Ltd V. CONCLUSION FUTURE WORKS
2 UC Browser UCWeb Inc Communication
3 Weibo Sina.com Social With Android system security problem is increasingly
4 Maps Google Inc Travel & Local serious, the Android system terminal is easy to be APT attacks
5 Alipay Wallet Alipay.com Shopping using tools such as attack as a springboard, information
6 Moji Weather Moji Weather
7 Fruit Slice Top Casual Games Arcade and
collection, a threat not only to the rightness the end user, also
Action poses a serious threat to the mobile Internet and industrial
8 BaiduInput Baidu Inc Tools control system. According to the characteristics of the
9 Google Translate Google Inc Tools Android system, we design a malware detection based on
10 Chrome Browser - Google Inc Communication network traffic monitoring system, used to improve Android
Google
11 youdao dictionary NetEase Corp Books &
terminal defense ability against malicious attacks, and APT
Reference attacks against the application of SVM has good reference
12 TTPod TTPOD Music & Audio value.
13 Adobe Reader Adobe Systems Productivity
14 Instagram Instagram Social
In our future work, we will perfect the SVM algorithm
15 Next Calendar Widget GO Launcher Dev Tools applied to our system to increase the rate of malware detection,
Team and the industrialization of research results.
16 Baidu cloud storage Baidu Inc Tools
Plugin ACKNOWLEDGMENT
17 Google Search Google Inc Tools
18 AlarmTimer AshionChung Tools This paper is supported by 863 Program (Grant
19 Youku- Youku Media & Video No.2011AA01A103).
Movie,TV,cartoon,Music
20 Glow Hockey Netease Mag Social
21 Battery Doctor(Battery Kingsoft Inc Productivity
REFERENCES
Saver) [1] Tencent Mobile Security Lab. (2013, month day). Tencent Mobile
22 TED TED Conferences Education Security Lab Mobile Security Report[Online]. Available:
23 Netease News Netease News & http://m.qq.com/security_lab/news_detail_194.html
(www.163.com) Magazines [2] Fang Binxing, Cui Xiang, Wang Wei. “Survey of Botnets,” Journal of
Computer Research and Development vol. 48, pp. 1315-1331, 2011.
TABLE IV. MALWARE SAMPLES EXPERIMENTAL RESULTS [3] Yue Li, Lidong Zhai, Zhilei Wang, Yunlong Ren. “Control Method of
Twitter-and SMS-Based Mobile Botnet,” in Proceedings of Trustworthy
Group Number of Number Report Incorrect Report Computing and Services in Beijing. 2013, pp. 644-650.
application of report missing
[4] Bill Miller, Dale Rowe. “A survey SCADA of and critical infrastructure
malware incidents,” in Proceedings of the 1st Annual conference on Research in
1 10 8 9 1 0 information technology. 2012, pp. 51-56.
2 11 7 3 0 4
[5] Li Yue, Zhai Lidong, Wang Hongxia, Shi Jinqiao. “Mobile Botnet
3 12 10 7 0 3
Based on SNS,” Journal of Computer Research and Development vol.
4 13 0 1 1 0 49, pp. 1-8, 2012.
5 14 4 4 0 0
[6] Lidong Zhai, Yue Li, Zhaopeng Jia, Li Guo. “APT Threat Detection and
Protection of Integrated Network Space,” Netinfo security vol. 3, pp. 58-
TABLE V. DETECTION TIME OF DIFFERENT DEVICE 60, 2013.
Group Number of I9300 I9100G I9103 [7] Zhou, Yajin, and Xuxian Jiang. “Dissecting android malware:
application (hour) (hour) (hour) Characterization and evolution,” Security and Privacy (SP), 2012 IEEE
1 10 38.5 61.3 104.8 Symposium on. IEEE. 2012, pp. 95-109.
2 11 45.2 85.7 120.1 [8] Hong Yunfeng, Xu Chao,Su Dixin. “Research of Smart Phone Malware
3 12 60.9 98.1 136.4 Detection Based on Anomaly Data Flow Monitoring,” Computer
4 13 73.4 108.6 158.3 security vol. 9, pp. 11-14, 2012.

2014 IEEE 9th Conference on Industrial Electronics and Applications (ICIEA) 1743
[9] Mo Yuxiang, Yu Jianluan, Wang Lei,Zhong Shangping, Zhang Hao.
“Role-based Android mobile phone platform Trojan Detection System,”
Modern Computer vol. 30, pp. 51-55, 2011.
[10] C C Chang, C J Lin. “LIBSVM: a library for support vector machines,”
ACM Transactions on Intelligent Systems and Technology (TIST).
2011, vol. 2, pp. 27.
[11] E. Boser,I. Guyon, and V. Vapnik. “A training algorithm for optimal
margin classifiers,” in Proceedings of the Fifth Annual Workshop on
Computational Learning Theory. 1992, pp. 144-152.
[12] Cortes C, Vapnik V. “Support-vector networks,” Machine learning vol.
20, pp. 273–297, 1995.
[13] Liu Jianghua, Chen Junshi, Chen Jiapin. “Support Vector Machine
Training Algorithm: A Review,” Information and Control vol. 31, pp.
45-50, 2002.

1744 2014 IEEE 9th Conference on Industrial Electronics and Applications (ICIEA)