TrafficAV: An effective and explainable detection of mobile malware behavior using network traffic

Android has become the most popular mobile platform due to its openness and flexibility. Meanwhile, it has also become the main target of massive mobile malware. This phenomenon drives a pressing need for malware detection. In this paper, we propose TrafficAV, which is an effective and explainable detection of mobile malware behavior using network traffic. Network traffic generated by mobile app is mirrored from the wireless access point to the server for data analysis. All data analysis and malware detection are performed on the server side, which consumes minimum resources on mobile devices without affecting the user experience. Due to the difficulty in identifying disparate malicious behaviors of malware from the network traffic, TrafficAV performs a multi-level network traffic analysis, gathering as many features of network traffic as necessary. The proposed method combines network traffic analysis with machine learning algorithm (C4.5 decision tree) that is capable of identifying Android malware with high accuracy. In an evaluation with 8,312 benign apps and 5,560 malware samples, TCP flow detection model and HTTP detection model all perform well and achieve detection rates of 98.16% and 99.65%, respectively. In addition, for the benefit of user, TrafficAV not only displays the final detection results, but also analyzes the behind-the-curtain reason of malicious results. This allows users to further investigate each feature's contribution in the final result, and to grasp the insights behind the final decision.