AMDetector: Detecting Large-scale and Novel Android Malware Traffic with Meta-learning

International Conference on Computational Science. (ICCS) 2022

Wenhao Li,Xiao-Yu Zhang,Huaifeng Bao, Lin Li.


In the severe COVID-19 environment, encrypted mobile malware is increasingly threatening personal privacy, especially those targeting on Android platform. Existing methods mainly focus on extracting features from Android Malware (DroidMal) by reversing the binary samples, which is sensitive to the deduction of the available samples. Thus, they fail to tackle the insufficiency of the novel DoridMal. Therefore, it is necessary to investigate an effective solution to classify large-scale DroidMal, as well as to detect the novel one. We consider few-shot DroidMal detection as DoridMal encrypted network traffic classification and propose an image-based method with meta-learning, namely AMDetector, to address the issues. By capturing network traffic produced by DroidMal, samples are augmented and thus cater to the learning algorithms. Firstly, DroidMal encrypted traffic is converted to session images. Then, session images are embedded into a high dimension metric space, in which traffic samples can be linearly separated by computing the distance with the corresponding prototype. Large-scale and novel DroidMal traffic is classified by applying different meta-learning strategies. Experimental results on public datasets have demonstrated the capability of our method to classify large-scale known DroidMal traffic as well as to detect the novel one. It is encouraging to see that, our model achieves superior performance on known and novel DroidMal traffic classification among the state-of-the-arts. Moreover, AMDetector is able to classify the unseen cross-platform malware.