A Glimpse of the Whole: Detecting Few-shot Android Malware Encrypted Network Traffic

The 24th IEEE International Conference on High Performance Computing and Communications (HPCC-2022), 2022.

Wenhao Li, Xiao-Yu Zhang, Huaifeng Bao, Qiang Wang, Haichao Shi, Zhaoxuan Li.

Abstract

Reversing binary samples is the conventional way to detect Android malware, but it is increasingly limited by the proliferation of code obfuscation. Detecting the network traffic generated by Android malware can counter advanced obfuscation techniques and has been intensively studied in recent years. Existing methods mostly require sufficient and balanced training data to construct a satisfactory detector. Unfortunately, samples of newly emerged Android malware, especially those of new families, are hard to obtain for lack of prior knowledge. Meanwhile, the state-of-the-art few-shot learning approaches are incompetent for task-specific classification. To address these issues, this paper proposes a novel metric-learning framework, namely Path Optimization Prototypical Nets (POPNet), for few-shot classification of Android malware encrypted network traffic. POPNet maps network traffic onto a high-dimensional metric space, using auxiliary traffic from benign Android software to augment its representative ability. Path optimization strategies are carefully designed to compress the search space and obtain a more rational distribution on the linearly separable metric space. Our method achieves state-of-the-art performance on few-shot and zero-shot classification on MalDroid2017 and USTC2016. Additional experiments on Omniglot further demonstrate the generalization of POPNet.
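As an added illustration (not the paper's code), the prototypical-net backbone that POPNet builds on: each class prototype is the mean of the embedded support-set traffic samples, and a query flow is assigned to the nearest prototype in the metric space. The per-flow feature vectors and the identity encoder are constructed assumptions; POPNet's path optimization and auxiliary benign traffic are not modelled here.

```python
import math
from collections import defaultdict

# Constructed support set: (family label, feature vector). Features are assumed
# per-flow statistics (e.g. mean packet size, mean inter-arrival time, up/down
# byte ratio) already scaled to [0, 1]. Two shots per class (2-shot setting).
SUPPORT = [
    ("benign", [0.10, 0.80, 0.20]), ("benign", [0.15, 0.85, 0.25]),
    ("famA",   [0.90, 0.20, 0.70]), ("famA",   [0.85, 0.25, 0.75]),
    ("famB",   [0.50, 0.10, 0.95]), ("famB",   [0.55, 0.15, 0.90]),
]

def embed(x):
    # Stand-in for the learned neural encoder (assumption): identity mapping,
    # so the "metric space" is the raw feature space in this toy example.
    return list(x)

def prototypes(support):
    """Class prototype = mean of the embedded support samples of that class."""
    sums, counts = {}, defaultdict(int)
    for label, x in support:
        e = embed(x)
        sums[label] = [a + b for a, b in zip(sums.get(label, [0.0] * len(e)), e)]
        counts[label] += 1
    return {lab: [v / counts[lab] for v in s] for lab, s in sums.items()}

def sq_euclid(a, b):
    return sum((p - q) ** 2 for p, q in zip(a, b))

def classify(query, protos):
    """Softmax over negative squared distances to each prototype.
    Returns (predicted label, {label: probability})."""
    logits = {lab: -sq_euclid(embed(query), p) for lab, p in protos.items()}
    m = max(logits.values())                      # numerical stability
    z = {lab: math.exp(v - m) for lab, v in logits.items()}
    total = sum(z.values())
    probs = {lab: v / total for lab, v in z.items()}
    return max(probs, key=probs.get), probs

if __name__ == "__main__":
    protos = prototypes(SUPPORT)
    for q in ([0.88, 0.22, 0.72], [0.12, 0.82, 0.22]):
        print(q, "->", classify(q, protos)[0])
```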