IEdroid: Detecting Malicious Android Network Behavior Using Incremental Ensemble of Ensembles
Main Authors: | , , , , , , |
---|---|
Format: | Conference Proceeding |
Language: | English |
Subjects: | |
Summary: | Malware detection has attracted widespread attention due to growing malware sophistication. Machine-learning-based methods have been proposed to find traces of malware by analyzing network traffic. However, network traffic exhibits a series of growing and changing states, which makes it challenging to design a detection model that can detect malicious traffic over a long period without the need for costly retraining. In this paper, we present IEdroid, an Android malicious network behavior detection method that leverages incremental ensembles for model update. Specifically, we train multiple classifiers to form an interim ensemble in a distributed cluster environment, and update the interim ensemble by removing and adding classifiers. The generated model is composed of multiple interim ensembles that can adapt to the network traffic. We evaluated the performance of IEdroid using a dataset consisting of 98,565 benign and 41,267 malicious flows. Results show that IEdroid can effectively detect malicious traffic compared with state-of-the-art detection models. The experiment trained IEdroid on datasets incrementally 10 times without a significant loss in accuracy, precision, recall, and F-Measure, compared with re-training from scratch with full data. |
---|---|
ISSN: | 2690-5965 |
DOI: | 10.1109/ICPADS53394.2021.00104 |