Research Article
On-Device Detection of Repackaged Android Malware via Traffic Clustering
Table 1
Main notation used in this paper.
| Notation | Meaning |
| i | Android app i | u | Number of mobile devices with app i installed | r | Number of devices with repackaged app | f | Network flow | C-IPf | Client-side IP address of f | S-IPf | Server-side IP address of f | S-Portf | Server-side port of f | AppNf | Name of the app that generates f | AppVf | Version of the app that generates f | Ti | Set time interval | | Recording time of flow fu at the edge server | di | Feature set of app i | | Plaintext word in the feature sets | V(di) | Numerical vector of traffic contents | | Feature vector for the encrypted flow j in di | | Traffic behaviors of di | | Content similarity between di and dk | | Behavior similarity between di and dk | | Final similarity between di and dk |
|
|