End-To-End Android Malware Classification Based on Pure Traffic Images

Android security accidents frequently occurred in recent years. It has become an urgent need to propose a method for efficiently detecting and classifying Android malware. Many existing machine learning-based methods often require a lot of time for feature engineering, making it time-consuming to classify malware. To accurately and rapidly detect and classify Android malware, this paper proposes an end-to-end Android malware classification model based on traffic analysis and deep learning. The model uses traffic data generated during the Android APP's runtime as input. First, the traffic data will be processed by a third-party traffic removal module based on the idea of clustering to remove impurity traffic that is not conducive to the classification. Then the pure traffic is converted into pure traffic images which can represent traffic characteristics. Finally, a novel convolutional neural network model named 1.5D-CNN is applied to detect and classify malware by classifying these images. The model was trained and tested on a real Android traffic dataset named CICAndMal2017 which contains the traffic data of benign APPs and four types of malware, and it achieved an average accuracy of 98.5%. Compared with traditional machine learning methods, precision and recall both increased by more than 20 percentage points on average.