Android malware clustering analysis on network-level behavior

Abstract

Android has become the most popular operating system for smartphones today. However, malicious applications pose a huge threat to the Android platform. Many malware samples are designed to steal the user's personal information or control the user's device through the network. In this paper, we show how to efficiently cluster network behavior by analyzing the statistical information of HTTP flows at the network level. To do so, we observe the specific statistical information of HTTP flows generated by more than 8,000 malware samples. In the end, we separate malware's malicious network into seven different clusters using clustering technology. Our evaluation experiments show that HTTP flows in the same cluster have similar network behavior and that there are big differences between the different clusters. This similarity and variability are manifested in some specific network-level statistical characteristics. In addition, in order to show the results of the study more intuitively, we reduce the dimensionality of the original features and show the final clustering results in two-dimensional space.

Cite

Wang, S., Chen, Z., Li, X., Wang, L., Ji, K., & Zhao, C. (2017). Android malware clustering analysis on network-level behavior. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 10361 LNCS, pp. 796–807). Springer Verlag. https://doi.org/10.1007/978-3-319-63309-1_71
