IEdroid:Detecting Malicious Android Network Behavior Using Incremental Ensemble of Ensembles

Abstract

Malware detection has attracted widespread attention due to the growing malware sophistication. Machine learning based methods have been proposed to find traces of malware by analyzing network traffic. However, network traffic exhibits a series of growing and changing states, which makes it challenging to design a detection model that can detect malicious traffic over a long period without the need for costly retraining. In this paper, we present, IEdroid, an Android malicious network behavior detection method that leverages incremental ensembles for model update. Specifically, we train multiple classifiers to form an interim ensemble in distributed cluster environment, and update the interim ensemble by removing and adding classifiers. The generated model is composed of multiple interim ensembles that can adapt to the network traffic. We evaluated the performance of IEdroid using a dataset consisting of 98,565 benign and 41,267 malicious flows. Results show that IEdroid can effectively detect malicious traffic compared with state-of-the-art detection models. The experiment trained IEdroid on datasets incrementally for 10 times without a significant loss on accuracy, precision, recall, and F-Measure, compared with re-training from scratch with full data.