Title :
Mining network traffic for application category recognition on Android platform
Author :
Songjie Wei; Gaoxiang Wu; Ziyang Zhou; Ling Yang
Author_Institution :
School of Computer Science and Engineering, Nanjing University of Science and Technology, 200 Xiaolingwei, 210094, China
Abstract :
Signature-based static mobile malware detection is fragile when facing code obfuscation and transformation attacks. Behavior-based malware detection mechanisms have been widely studied and experimented with. So far, only an application's running behaviors, such as API calls and resource consumption, are used, which can also be easily concealed and obfuscated with various coding tricks. Most mobile malware needs either a cellular or network connection to conduct its malicious activities. We propose to monitor an application's network behavior and interaction to characterize application behaviors. An integrated testbed system has been designed and prototyped for such network behavior collection. Statistical features are derived from application network traffic and fed to a machine-learning-based classifier to build one general model for each typical category of mobile applications. Experiments show that applications in each category with identical functionality exhibit similar network behaviors, which makes it possible to use the derived category model of network behaviors to evaluate the trustworthiness of future unknown applications.
Keywords :
"Portals","Monitoring","Internet","Firewalls (computing)","Malware","Privacy"
Conference_Title :
Progress in Informatics and Computing (PIC), 2015 IEEE International Conference on
Print_ISBN :
978-1-4673-8086-7
DOI :
10.1109/PIC.2015.7489879