Android Malicious Process Identification Method Based on Abnormal Encrypted Traffic Annotation

doi:10.3969/j.issn.1671-1122.2020.07.004

Abstract

Abstract:

Existing Android malicious sample analysis methods need to obtain the sample program to be checked in advance. When the object to be checked is an android smart terminal instead of a sample program, it is impossible to determine which process in the smart terminal is the malicious process to be checked, which affects the effective application of the sample analysis method. Existing detection methods for malicious encrypted traffic can achieve high recognition accuracy, but it is impossible to determine the mapping relationship between malicious traffic and malicious processes in the android terminal, i.e. Which process generates malicious encrypted traffic cannot be determined, and further the specific location information of malicious processes cannot be locked. In order to solve the above problems, this paper proposes an android malicious process identification method based on anomalous encrypted traffic annotation. By monitoring the network communication data generated by android terminals, DNS characteristics, TLS handshake negotiation characteristics and flow statistical characteristics are extracted, and binary classifier based on random forest algorithm is adopted to identify malicious encrypted communication flow. Then, by extracting the characteristics of the flow 5-tuple, a one-to-one mapping is established between the malicious encrypted communication stream and the android terminal process to determine the specific location of the malicious process in the terminal. The experimental results show that the detection accuracy of the proposed method for unknown malicious encrypted traffic in complex network environment is 97.46%, and malicious processes in android terminals can be located according to the detected malicious encrypted data flow.

Key words: TLS protocol, encrypted traffic annotation, 5-tuple, random forest, malicious process identification

CLC Number:

TP309

XU Guotian. Android Malicious Process Identification Method Based on Abnormal Encrypted Traffic Annotation[J]. Netinfo Security, 2020, 20(7): 30-41.

Figures/Tables 10

References 25

[1]	CISCO . Cisco Encrypted Traffic Analytics White Paper[EB/OL]. https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/eta.html, 2019-7-1.
[2]	VINOD P, ZEMMARI A, CONTI M. A Machine Learning Based Approach to Detect Malicious Android Apps Using Discriminant System Calls[J]. Future Generation Computer Systems, 2019,94(6):333-350.
[3]	HAN Weijie, XUE Jingfeng, WANGYong . MalDAE: Detecting and Explaining Malware Based on Correlation and Fusion of Static and Dynamic Characteristics[J]. Computers and Security, 2019,83(3):208-233. doi: 10.1016/j.cose.2019.02.007 URL
[4]	ZHANG M, DUAN Y, YIN H. Semantics-aware Android Malware Classification Using Weighted Contextual API Dependency Graphs[C]// ACM. Conference on Computer and Communications Security, November 3-7, 2014, Scottsdale, Arizona, USA. New York: ACM, 2014: 1105-1116.
[5]	ARORA A, GARG S. Malware Detection Using Network Traffic Analysis in Android Based Mobile Devices[C]// IEEE. 2014 Eighth International Conference on Next Generation Mobile Apps, September 1-4, 2014, Oxford, United Kingdom. New York: IEEE, 2014: 66-71.
[6]	HU Bin, ZHOU Zhihong, YAO Lihong, et al. TLS Malicious Traffic Detection Based on Combined Features of Packet Payload and Stream Fingerprints[J]. Computer Engineering, 2019,20(10):32-41.
	胡斌, 周志洪, 姚立红, 等. 基于报文负载和流指纹联合特征的TLS恶意流量检测[J]. 计算机工程, 2019,20(10):32-41.
[7]	BLAKE A, SUBHARTHI P, DAVID M. Deciphering Malware’s Use of TLS[J]. Journal of Computer Virology & Hacking Techniques, 2017,3(2):30-45.
[8]	XIE N N, WANG X, WANG W. Fingerprinting Android Malware Families[J]. Frontiers of Computer Science, 2019,13(3):637-646. doi: 10.1007/s11704-017-6493-y URL
[9]	LAYA T H, ANDI F A, ARASH H L. Extensible Android Malware Detection and Family Classification Using Network-Flows and API-Calls[J]. The IEEE(53rd) International Carnahan Conference on Security Technology, 2019,4(1):26-30.
[10]	ARASH H L, ANDI F A. Toward Developing A Systematic Approach to Generate Benchmark Android Malware Datasets and Classification[J]. 52nd IEEE International Carnahan Conference on Security Technology(ICCST), 2018,2(1):40-49.
[11]	CAI H, MENG N, RYDER B. Droidcat: Effective Android Malware Detection and Categorization Via App-level Profiling[J]. IEEE Transactions on Information Forensics and Security, 2019,14(6):1455-1470. doi: 10.1109/TIFS.2018.2879302 URL
[12]	NGUYEN , ARMITAGE . A Survey of Techniques for Internet TrafficClassification Using Machine Learning[J]. Communications Surveys & Tutorials, 2008,10(4):56-76.
[13]	ZANDER , NGUYEN , ARMITAGE . Automated Traffic Classificationand Application Identification Using Machine Learning[J]. The 30thIEEE Conference on Local Computer Networks, 2005,12(1):250-257.
[14]	LI Hao, MA Kun, CHEN Zhenxiang, et al. Unknown Malware Detection Based on Network Traffic Analysis[J]. Journal of Jinan University, 2019,33(6):500-505.
	李浩, 马坤, 陈贞翔, 等. 基于网络流量分析的未知恶意软件检测[J]. 济南大学学报, 2019,33(6):500-505.
[15]	LI Hongling, ZHAN Yi. Statistics Analysis and Research on Common Permissions of Android Malwares[J]. Computer Technology and Development, 2017,27(11):132-136.
	李红灵, 詹翊. Android恶意程序常用权限分析及统计研究[J]. 计算机技术与发展, 2017,27(11):132-136.
[16]	MALHOTRA A. Android Malware: Study and Analysis of Malware for Privacy Leak in Ad-hoc Network[J]. International Journal of Computer Science & Network Security, 2013,12(3):39-43.
[17]	LIU Xiaojian, LEI Qian, DU Xi, et al. Static Detection Approach for Android Malware Based on Multi-level Features[J]. Journal of Huazhong University of Science and Technology, 2020,48(2):1-7.
	刘晓建, 雷倩, 杜茜, 等. 多层次特征的Android恶意程序静态检测方法[J]. 华中科技大学学报, 2020,48(2):1-7.
[18]	ENCK W, GILBERT P, HAN S. TaintDroid:An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones[J]. ACM Transactions on Computer Systems, 2014,32(2):99-106.
[19]	ZHANG Xuetao, SUN Meng, WANG Jinshuang. Multi-Granularity Android Malware Fast Detection Based on Opcode[J]. Journal of Network and Information Security, 2019,5(6):85-94.
	张雪涛, 孙蒙, 王金双. 基于操作码的安卓恶意代码多粒度快速检测方法[J]. 网络与信息安全学报, 2019,5(6):85-94.
[20]	WANG Run, TANG Benxiao, WANG Lina. Deeprd: Android Repackaging Application Detection Method Based on Siamese LSTM Network[J]. Journal on Communications, 2018,39(8):69-82.
	汪润, 唐奔宵, 王丽娜. 基于Siamese LSTM网络的Android重打包应用检测方法[J]. 通信学报, 2018,39(8):69-82.
[21]	SHABTAI A, MOSKOVITCH R, FEHER C. Detecting Unknown Malicious Code by Applying Classification Techniques on Opcode Patterns[J]. Security Informatics, 2012,1(1):1-22. doi: 10.1186/2190-8532-1-1 URL
[22]	YERIMA S Y, SEZER S, MUTTIK I. High Accuracy Android Malware Detection Using Ensemble Learning[J]. Information Security, 2016,9(6):313-320.
[23]	XU Yichao, YUAN Qianting, XU Jian. Fine-Grained Android Malware Classification with Behavior Features[J]. Application Research of Computers, 2019,37(10):21-27.
	许逸超, 袁倩婷, 徐建. 基于静态行为特征的细粒度Android恶意软件分类[J]. 计算机应用研究, 2019,37(10):21-27.
[24]	WEI F, LI Y, ROY S. Deep Ground TruthAnalysis of Current Android Malware[J]. International Conference on Detection of Intrusions and Malware, 2017,10(2):252-276.
[25]	ALLIX , BISSYANDE , KLEIN . Androzoo: Collecting Millions of Android Apps for the Research Community[J]. Mining Software Repositories, 2016,20(2):46-53.

root@:~# netstat - anop
Proto	Local Address	Foreign Address	State	PID/Program name
TCP	192.168.137.163:39510	123.126.45.26:443	ESTABLISHED	1384/firefox-esr
TCP	192.168.137.163:41248	117.18.237.29:80	ESTABLISHED	1384/firefox-esr
UDP	0.0.0.0:68	o.o.o.o：*		647/dhclient

Stream Num	Proto	Local Address	Foreign Address	State	PacketNum
1	TCP	192.168.137.163:36570	123.125.31.59:443	ESTABLISHED_1	102.103...
2	TCP	192.168.137.163:53324	218.61.192.227:443	SYN-RCVD-1	204
3	UDP	192.168.137.163:38423	192.168.137.2:53	DNS-RECV	162.164...

Proto	Local Address	Foreign Address	State	PID	Program name	Packet Num
TCP	192.168.137.163:36570	123.125.31.59:443	ESTABLISHED	2910	malware-samp	102.103...
TCP	192.168.337.163:53324	218.61.192.227:443	SYN_SEND	1136	firefox-esr	204
UDP	192.168.137.163:38423	192.168.137.2:53	ESTABLISHED	2910	malware-samp	162.164 …

特征集	数据集	Accuracy	precision	recall	F1_measure
3类特征	数据集1	0.9832	0.9746	0.9923	0.9834
3类特征	数据集2	0.9721	0.9643	0.9862	0.9751
2类特征	数据集1	0.9162	0.9286	0.9042	0.9162
2类特征	数据集2	0.829	0.8672	0.7834	0.8232