Abstract
To distinguish the malicious traffic that a malicious Android mobile application generates at run time from its normal traffic, this paper proposes a method for annotating the malicious traffic of Android mobile applications. For encrypted network traffic, encryption is first detected from the port number and the byte entropy of the flow payload; whether an encrypted flow is anomalous is then judged from the server certificate and related content. At the same time, the malicious Android application is decompiled and its program control flow graph is analysed to determine whether the encrypted flow is involved in sensitive operations, so that malicious encrypted traffic can be annotated. Tests on 300 repackaged malicious mobile applications, compared against the same baseline, show that the method flags 341 malicious encrypted flows, of which only 28 are false positives, whereas annotation without the method reports 1602 malicious encrypted flows.
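The first stage of the method, encryption detection from the destination port and the byte entropy of the flow payload, can be illustrated with the following added example. It is not code from the paper: the port list, the entropy threshold of 7.0 bits per byte, the minimum payload length and the sample flows are all assumptions constructed for the illustration.

```python
import math
from collections import Counter

# Assumption: ports conventionally carrying TLS or other encrypted protocols.
# The paper does not list its port set; this one is illustrative only.
ENCRYPTED_PORTS = {443, 465, 993, 995, 8443}


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0).

    Ciphertext and compressed data approach 8.0; plaintext protocols such as
    HTTP sit well below that because only a small alphabet is used.
    """
    if not payload:
        return 0.0
    counts = Counter(payload)
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_encrypted(dst_port: int, payload: bytes,
                 entropy_threshold: float = 7.0, min_len: int = 64) -> bool:
    """Combine the two signals used in the paper's first stage.

    A well-known encrypted-service port is accepted directly; for any other
    port the payload must be long enough for the entropy estimate to be
    meaningful and must exceed the threshold. Both numeric values are
    assumptions, not the paper's parameters.
    """
    if dst_port in ENCRYPTED_PORTS:
        return True
    if len(payload) < min_len:
        # Too few bytes: the entropy estimate is unreliable, so do not claim encryption.
        return False
    return byte_entropy(payload) >= entropy_threshold


def label_flows(flows):
    """Return (flow_id, encrypted?) for each (flow_id, dst_port, payload) tuple."""
    return [(fid, is_encrypted(port, payload)) for fid, port, payload in flows]


# Constructed sample flows (not captured traffic): one plaintext HTTP request,
# one fragment on the TLS port, one uniformly distributed payload on a
# non-standard port, and one low-entropy payload on the same port.
SAMPLE_FLOWS = [
    ("flow-1", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n"),
    ("flow-2", 443, b"\x16\x03\x01\x00\x05hello"),
    ("flow-3", 8080, bytes(range(256)) * 4),
    ("flow-4", 8080, b"A" * 200),
]

if __name__ == "__main__":
    for fid, port, payload in SAMPLE_FLOWS:
        print(f"{fid}: port={port} entropy={byte_entropy(payload):.2f} "
              f"encrypted={is_encrypted(port, payload)}")
```

The port check alone would miss flow-3, which carries high-entropy data on a non-standard port, and entropy alone would miss short TLS handshake fragments such as flow-2; using both signals is what lets the later certificate and control-flow stages operate on the right subset of flows.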
Authors
何高峰
司勇瑞
徐丙凤
HE Gaofeng;SI Yongrui;XU Bingfeng(College of Internet of Things,Nanjing University of Posts and Telecommunications,Nanjing 210003,China;Key Laboratory of Computer Network and Information Integration Ministry of Education,Southeast University,Nanjing 211189,China;College of Information Science and Technology,Nanjing Forestry University,Nanjing 210037,China)
Published in
Computer Engineering (《计算机工程》)
Indexed in: CAS, CSCD, Peking University Core Journals (北大核心)
2020, No. 7, pp. 116-121, 128 (7 pages)
Funding
National Natural Science Foundation of China, Young Scientists Fund project "Research on Malicious Mobile Application Detection for Encrypted Network Traffic" (61702282)
National Natural Science Foundation of China, Young Scientists Fund project "Risk Analysis of Cyber-Physical Systems Integrating Safety and Security Modelling" (61802192)
Natural Science Research General Project of Jiangsu Higher Education Institutions "Research on Malicious Attack Detection for Encrypted Mobile Application Traffic" (17KJB520023)
Natural Science Research General Project of Jiangsu Higher Education Institutions "Risk Modelling and Analysis of Cyber-Physical Systems Integrating Safety and Security" (18KJB520024)
Keywords
mobile application
encrypted traffic
data annotation
anomaly detection
malicious code analysis