CorrNetDroid: Android Malware Detector leveraging a Correlation-based Feature Selection for Network Traffic features

Yash Sharma, Anshul Arora

TL;DR

CorrNetDroid tackles Android malware detection by leveraging dynamic network-traffic features and a novel correlation-based feature selection framework. It ranks features with crRelevance to emphasize class-discriminative power and applies NMRS to prune redundancy among top features, achieving 99.50% accuracy with only two features. The approach outperforms standard statistical tests (e.g., chi-square, ANOVA, Mann–Whitney, Kruskal–Wallis) and surpasses several state-of-the-art dynamic-detection methods, demonstrating strong practical potential for robust, lightweight network-flow based malware detection. The work highlights the importance of feature ranking and redundancy reduction in dynamic analysis and points to future hybrids with static features and malware-family classification.

Abstract

Copious mobile operating systems exist in the market, but Android remains the user's choice. Meanwhile, its growing popularity has also attracted malware developers. Researchers have proposed various static solutions for Android malware detection. However, stealthier malware evades static analysis. This raises the need for a robust Android malware detection system capable of dealing with advanced threats and overcoming the shortcomings of static analysis. Hence, this work proposes a dynamic analysis-based Android malware detection system, CorrNetDroid, that works over network traffic flows. Many traffic features exhibit overlapping ranges in normal and malware datasets. Therefore, we first rank the features using two statistical measures, crRelevance and Normalized Mean Residue Similarity (NMRS), to assess feature-class and feature-feature correlations. Thereafter, we introduce a novel correlation-based feature selection algorithm that applies NMRS on crRelevance rankings to identify the optimal feature subset for Android malware detection. Experimental results highlight that our model effectively reduces the feature set while detecting Android malware with 99.50 percent accuracy when considering only two network traffic features. Furthermore, our experiments demonstrate that the NMRS-based algorithm on crRelevance rankings outperforms statistical tests such as chi-square, ANOVA, Mann-Whitney U test, and Kruskal-Wallis test. In addition, our model surpasses various state-of-the-art Android malware detection techniques in terms of detection accuracy.

Paper Structure

This paper contains 20 sections, 5 equations, 1 figure, 3 tables.

Figures (1)

  • Figure 1: CorrNetDroid System Design