Hierarchical Classification of Android Malware Traffic.

TrustCom(2022)

Abstract
In the last few years, Android mobile devices have become widespread, and nowadays a huge part of the traffic traversing the Internet is related to them. In parallel, the number of possible threats and attacks has also increased, emphasizing the need for accurate automatic malware detection systems. In this paper, we design and evaluate a system to detect whether a traffic object (biflow) is benign or malicious, possibly identifying its specific nature in the latter case. The proposal applies machine learning in a hierarchical fashion, in order to capitalize on the structure of the traffic data and reap both design and performance benefits. The comparative evaluation, performed on the public CICAndMal2017 dataset, assesses the performance of several machine-learning algorithms and shows that the hierarchical approach leads to improved performance with respect to the flat approach (up to +0.18 F1-score, depending on the granularity of the analysis and the machine learning algorithm considered). In addition, we evaluate the impact of a reject-option mechanism, showing the trade-off between classification accuracy and the ratio of classified biflows.
Keywords
Android, traffic classification, malware detection, hierarchical approach, LCPN