Enhancing encrypted traffic analysis via source APIs: A robust approach for malicious traffic detection
Wanshuang Lin, Chunhe Xia, Tianbo Wang, Mengyao Liu, Yang Li
Computers & Security, Volume 156, Article 104529 (published 2025-05-23). DOI: 10.1016/j.cose.2025.104529. https://www.sciencedirect.com/science/article/pii/S0167404825002184
The widespread adoption of encryption protocols has increased the complexity of detecting malicious Android traffic. By randomizing payload content, encryption obscures semantically explicit features in network traffic, thereby concealing its behavioral intent. Although existing methods mitigate this issue by expanding feature sets or extracting spatiotemporal patterns, they do not fundamentally reconstruct the original payload semantics. In this paper, we propose RATD, a detection model that enhances encrypted traffic representation by introducing the semantics of source APIs. This approach leverages the correlation between system API calls made prior to traffic transmission (referred to as source APIs) and the behavioral intent within encrypted traffic, thereby compensating for the semantic loss. First, we construct API-traffic association samples by monitoring network connection APIs. Then, we transform the API sequences into graphs and apply a Graph Convolutional Network (GCN) to learn their structural and semantic representations. These features are fused with the corresponding traffic features through a multi-source encoder module. Finally, to address the challenge of limited data availability in real-world deployment, we introduce a representation enhancement module to improve the model's robustness in scenarios with missing data. Experimental results show that RATD is significantly better than the state-of-the-art models across multiple datasets. In particular, in scenarios with missing API data, the accuracy of our model decreases by at most 2.9%, showing stronger adaptability to the deployment environment.
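The association step the abstract describes (hook the network-connection APIs, pair each connection with the API calls the same thread made just before it, attach that sequence to the flow it precedes, and encode the sequence as a graph a GCN can consume) can be made concrete with a small script. The code below is an added illustration written for this page, not the authors' RATD implementation. The hook log format, the flow record format, the choice of `java.net.Socket.connect` as the anchor API, the per-thread time window, the flow-matching tolerance and the transition-count graph encoding are all assumptions; the event and flow lines are constructed.

```python
"""Added example (not from the RATD paper): build API-traffic association
samples from hooked API events and turn each API sequence into a graph.
The log format, API names and flow records are constructed assumptions."""
from dataclasses import dataclass

# Assumed name of the hooked network-connection API used as the anchor.
CONNECT_API = "java.net.Socket.connect"

# Constructed hook log: ts_ms pid tid api [argument]
SAMPLE_EVENTS = """\
1000 4242 7 android.telephony.TelephonyManager.getDeviceId
1005 4242 7 android.content.ContentResolver.query
1010 4242 7 javax.crypto.Cipher.doFinal
1020 4242 7 java.net.Socket.connect 203.0.113.10:443
1100 4242 8 android.location.LocationManager.getLastKnownLocation
1110 4242 8 javax.crypto.Cipher.doFinal
1120 4242 8 java.net.Socket.connect 203.0.113.10:443
1200 4242 9 java.net.Socket.connect 198.51.100.7:8443
"""

# Constructed flow records: start_ms dst_ip dst_port proto bytes_out bytes_in
SAMPLE_FLOWS = """\
1022 203.0.113.10 443 TLS 1420 3100
1123 203.0.113.10 443 TLS 980 2204
1203 198.51.100.7 8443 TLS 512 1700
"""


@dataclass(frozen=True)
class ApiEvent:
    ts_ms: int
    pid: int
    tid: int
    api: str
    arg: str = ""


def parse_events(text):
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        arg = parts[4] if len(parts) > 4 else ""
        events.append(ApiEvent(int(parts[0]), int(parts[1]), int(parts[2]), parts[3], arg))
    return sorted(events, key=lambda e: e.ts_ms)


def associate(events, window_ms=500, max_len=32):
    """Map each connect call, keyed by (destination, ts), to its source-API
    sequence: calls on the same pid/tid within window_ms before the connect."""
    samples = {}
    for i, ev in enumerate(events):
        if ev.api != CONNECT_API:
            continue
        seq = [e.api for e in events[:i]
               if e.pid == ev.pid and e.tid == ev.tid
               and e.api != CONNECT_API and ev.ts_ms - e.ts_ms <= window_ms]
        samples[(ev.arg, ev.ts_ms)] = seq[-max_len:]
    return samples


def join_flows(samples, flows_text, tolerance_ms=50):
    """Pair each flow with the latest connect to the same destination that
    happened at most tolerance_ms before the flow started. A flow with no
    usable connect context gets an empty sequence: the missing-API case."""
    dataset = []
    for line in flows_text.splitlines():
        start, ip, port, proto, b_out, b_in = line.split()
        start, dst = int(start), f"{ip}:{port}"
        hits = [ts for (d, ts) in samples if d == dst and 0 <= start - ts <= tolerance_ms]
        seq = samples[(dst, max(hits))] if hits else []
        dataset.append({"dst": dst, "proto": proto,
                        "bytes": (int(b_out), int(b_in)), "api_seq": seq})
    return dataset


def build_vocab(dataset):
    return sorted({api for rec in dataset for api in rec["api_seq"]})


def sequence_to_graph(seq, vocab):
    """Directed call-transition graph for a GCN: node i is vocab[i],
    adj[a][b] counts how often vocab[b] directly follows vocab[a], and the
    node feature is the call count of each API in the sequence."""
    n, index = len(vocab), {api: i for i, api in enumerate(vocab)}
    adj = [[0] * n for _ in range(n)]
    feats = [0] * n
    for api in seq:
        feats[index[api]] += 1
    for a, b in zip(seq, seq[1:]):
        adj[index[a]][index[b]] += 1
    return {"adjacency": adj, "node_features": feats, "missing_api": not seq}


def build_dataset(events_text=SAMPLE_EVENTS, flows_text=SAMPLE_FLOWS):
    dataset = join_flows(associate(parse_events(events_text)), flows_text)
    vocab = build_vocab(dataset)
    for rec in dataset:
        rec["graph"] = sequence_to_graph(rec["api_seq"], vocab)
    return vocab, dataset


if __name__ == "__main__":
    vocab, data = build_dataset()
    for rec in data:
        print(rec["dst"], rec["bytes"],
              "missing_api" if rec["graph"]["missing_api"] else rec["api_seq"])
```

The third constructed flow is the case the abstract's representation enhancement module targets: the connect was hooked but no source-API calls were captured on that thread, so the sample arrives with an empty graph. This script only flags it (`missing_api`); how RATD compensates for the missing representation is not described in the abstract and is not reproduced here. In a real deployment the anchor API, window and tolerance would need tuning against the hook framework and the device's clock resolution.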
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.