Due to its popularity and open-source nature, Android is the mobile platform that has been targeted the most by malware that aim to steal personal information or to control the users??? devices. More specifically, mobile botnets are malware that allow an attacker to remotely control the victims??? devices through different channels like HTTP, thus creating malicious networks of bots. In this paper, we show how it is possible to effectively group mobile botnets families by analyzing the HTTP traffic they generate. To do so, we create malware clusters by looking at specific statistical information that are related to the HTTP traffic. This approach also allows us to extract signatures with which it is possible to precisely detect new malware that belong to the clustered families. Contrarily to x86 malware, we show that using fine-grained HTTP structural features do not increase detection performances. Finally, we point out how the HTTP information flow among mobile bots contains more information when compared to the one generated by desktop ones, allowing for a more precise detection of mobile threats.

Clustering android malware families by Http traffic

ARESU, MARCO;ARIU, DAVIDE;AHMADI, MANSOUR;MAIORCA, DAVIDE;GIACINTO, GIORGIO
2016-01-01

Abstract

Due to its popularity and open-source nature, Android is the mobile platform that has been targeted the most by malware that aim to steal personal information or to control the users??? devices. More specifically, mobile botnets are malware that allow an attacker to remotely control the victims??? devices through different channels like HTTP, thus creating malicious networks of bots. In this paper, we show how it is possible to effectively group mobile botnets families by analyzing the HTTP traffic they generate. To do so, we create malware clusters by looking at specific statistical information that are related to the HTTP traffic. This approach also allows us to extract signatures with which it is possible to precisely detect new malware that belong to the clustered families. Contrarily to x86 malware, we show that using fine-grained HTTP structural features do not increase detection performances. Finally, we point out how the HTTP information flow among mobile bots contains more information when compared to the one generated by desktop ones, allowing for a more precise detection of mobile threats.
2016
978-1-5090-0317-4
978-1-5090-0319-8
978-1-5090-0317-4
978-1-5090-0319-8
Android; Botnet; Malware detection; Clustering; HTTP; Traffic network
File in questo prodotto:
File Dimensione Formato  
MalwareConf2015_printed.pdf

Solo gestori archivio

Tipologia: versione editoriale
Dimensione 271.35 kB
Formato Adobe PDF
271.35 kB Adobe PDF   Visualizza/Apri   Richiedi una copia

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11584/142136
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 28
  • ???jsp.display-item.citation.isi??? 22
social impact