AppFA: A Novel Approach to Detect Malicious Android Applications on the Network

<table class="algorithm-group"><tr><td><table class="algorithm" id="alg1"><tr><td colspan="2">(<span style="margin-left:0em"></span>1) let <svg height="8.8423pt" id="M18" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 6.25863 8.8423" width="6.25863pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g></svg> denotes signature set and <svg height="11.927pt" id="M19" style="vertical-align:-3.291101pt" version="1.1" viewbox="-0.0498162 -8.6359 11.8432 11.927" width="11.8432pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g><g transform="matrix(.0091,0,0,-0.0091,6.071,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z" id="g50-101"></path></g></svg> stands for the signature</td></tr><tr><td colspan="2"><span style="margin-left:1.4444444444444444em"></span>seeds</td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>2) <b>while</b> the clustering signal is received <b>do</b></td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>3) <span style="margin-left:0.88888888888888884em"></span><b>if </b><svg height="8.8423pt" id="M20" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 6.25863 8.8423" width="6.25863pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g></svg> is empty <b>then</b></td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>4) <span style="margin-left:1.6666666666666667em"></span><svg height="11.927pt" id="M21" style="vertical-align:-3.291101pt" version="1.1" viewbox="-0.0498162 -8.6359 32.9255 11.927" width="32.9255pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g><g transform="matrix(.013,0,0,-0.013,9.768,0)"><path d="M535 323V373H52V323H535ZM535 138V188H52V138H535Z" id="g117-34"></path></g><g transform="matrix(.013,0,0,-0.013,21.031,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g><g transform="matrix(.0091,0,0,-0.0091,27.102,3.132)"><path d="M538 684C542 703 539 710 529 710C512 710 455 682 363 674L361 644H396C444 644 448 642 438 594L405 438C373 450 347 451 336 451C288 451 200 416 147 374C69 312 24 207 24 113C24 29 60 -12 94 -12C126 -12 156 4 196 30C231 53 296 100 346 166H348L328 81C311 10 325 -12 348 -12C380 -12 450 24 512 98L495 125C466 97 431 70 417 70C408 70 408 80 411 98L538 684ZM390 373L361 240C336 196 210 56 145 56C132 56 113 73 113 131C113 216 156 338 220 379C243 394 266 402 303 402C331 402 375 388 390 373Z" id="g50-101"></path></g></svg></td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>5) <span style="margin-left:0.88888888888888884em"></span><b>end if</b></td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>6) <span style="margin-left:0.88888888888888884em"></span>carry out signature matching</td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>7) <span style="margin-left:0.88888888888888884em"></span>carry out constrained flow clustering</td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>8) <span style="margin-left:0.88888888888888884em"></span>update <svg height="8.8423pt" id="M22" style="vertical-align:-0.2064009pt" version="1.1" viewbox="-0.0498162 -8.6359 6.25863 8.8423" width="6.25863pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M449 634C442 637 425 643 405 650C376 660 341 666 307 666C181 666 98 590 98 485C98 400 170 343 215 310L246 288C307 243 343 204 343 147C343 67 291 18 219 18C104 18 61 124 51 202L23 199C28 124 27 71 27 47C47 22 122 -16 204 -16C324 -16 428 60 428 174C428 256 379 309 307 360L276 382C223 419 179 455 179 516C179 576 221 632 293 632C379 632 410 564 418 487L448 490C446 536 446 592 449 634Z" id="g113-84"></path></g></svg> with the clustering results</td></tr><tr><td colspan="2">(<span style="margin-left:0em"></span>9) <b>end while</b></td></tr></table></td></tr></table>

<div>App traffic clustering procedure.</div>

Security and Communication Networks

alg1

Algorithm 1

Algorithm 1: AppFA: A Novel Approach to Detect Malicious Android Applications on the Network 