Enhanced Android Malware Detection and Family Classification, using Conversation-level Network
        
Signature-based malware detection algorithms struggle to cope with the massive number of threats in the Android environment. In this paper, conversation-level network traffic features are extracted and used in a supervised-based model. This model was used to enhance the process of Android malware detection, categorization, and family classification. The model employs the ensemble learning technique to select the most useful features among the extracted features. A real-world dataset called CICAndMal2017 was used in this paper. The results show that the Extra-trees classifier achieved the highest weighted accuracy among the classifiers: 87.75%, 79.97%, and 66.71% for malware detection, malware categorization, and malware family classification, respectively. A comparison was made with another study that uses the same dataset. This study achieved a significant enhancement in malware family classification and malware categorization. For malware family classification, the enhancement was 39.71% for precision and 41.09% for recall. The rate of enhancement for Android malware categorization was 30.2% and 31.14% for precision and recall, respectively.
[Figures: precision (PR%) and recall (RC%) for Random Forest and Decision Tree, new model results compared with CIC results.]
The International Arab Journal of Information Technology, Vol. 17, No. 4A, Special Issue 2020
Mohammad Abuthawabeh received his master's degree from Princess Sumaya University for Technology, Jordan, in 2019. Currently, he is an information systems specialist at the Jordan Anti Money Laundering and Counter Terrorism Unit and a freelance information security researcher. His research interests include information security and machine learning.

Khaled Mahmoud received his BSc degree in Computer Science from Jordan University in June 1992, his MSc degree in Computer Science (Artificial Intelligence) from Jordan University in 1998, and his PhD degree in Print Security and Digital Watermarking from Loughborough University (UK) in 2004. This was followed by academic appointments at ZARQA Private University as an assistant professor in computer science. In 2018 he joined Princess Sumaya University as an academic staff member in the computer science department. His areas of interest include information security, digital watermarking, image forgery detection, AI, and Arabic language processing.