Detection of Android Malware Behavior in Browser Downloads

Min-Hao Wu, Limin Yi, Ting-Cheng Chang, Yiwan Chen, Caiping Dai, Sangjian Chen
Published in: 2022 IEEE 4th Eurasia Conference on Biomedical Engineering, Healthcare and Sustainability (ECBIOS)
Publication date: 2022-05-27
DOI: 10.1109/ECBIOS54627.2022.9944991 (https://doi.org/10.1109/ECBIOS54627.2022.9944991)
Citations: 0

Abstract

The Hypertext Transfer Protocol has become one of the most widely used protocols on the Internet and in industrial control systems, so protecting Web services is critical. Many information security research institutions deploy honeypots to collect network packets and analyze the software services and methods used in attacks in order to understand the hacker's attack behavior. However, when analyzing the logs, the analyst may face massive data volumes and repeated inspection. The analyst therefore needs a tool that detects whether newly captured packets are of a new type, to reduce log analysis time. We propose a new exception detection method named 'Detect new exceptions for Web-server'. It overcomes the diverse, unlabeled, and imbalanced characteristics of abnormal packets captured by honeypots and learns historical abnormal packet behavior in a semi-supervised manner. Historical exception behavior models are built to detect whether newly captured packets are new-type exceptions. The discovery approach, combined with a feature-based method, achieves low false positives and typical false downsides. It is feasible to rapidly determine whether newly captured packets are a new type of irregularity and to determine the new type of problem index, minimizing the time and cost of the evaluation procedure for analysts.