URL-Based Dynamic Monitoring of Android Malware using Machine Learning
Authors: O. Somarriba, Henry Jaentschke Urbina
Published in: 2022 IEEE 40th Central America and Panama Convention (CONCAPAN), 2022-11-09
DOI: 10.1109/CONCAPAN48024.2022.9997633
Android malware depends heavily on DNS traffic to provide flexible communication between compromised smart devices and malicious infrastructure. Nevertheless, we found that there is a gap between the DNS queries issued by smart devices and the logs kept at the DNS-service network level: the two are not correlated with each other. This paper therefore combines and correlates two approaches: top-down detection, which identifies malware domains using DNS traces at the network level, and bottom-up detection at the device level, which uses dynamic analysis to capture the URLs requested by a number of applications in order to pinpoint the malware. We propose a URL-based dynamic monitoring system for Android malware with two parts: (i) a client side, a DNS sniffer that captures and classifies (by means of blacklists) the URL(s) requested by the app(s) under scrutiny running on the smart device, and (ii) a central server where these URLs are collected and classified using machine learning algorithms and where the most frequently detected malware attacks are visualized. Additionally, the malicious URLs discovered are used to carry out a string pattern matching search in the query logs of DNS servers to pinpoint other infected devices. Our experimental results with the proposed monitoring system using the Random Forest algorithm show a better F1-score than previous work based on Decision Tree algorithms such as the J48 classifier.
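The pipeline the abstract describes, as an added example that is not the paper's code: a device-side stage that extracts the domain of each URL an app requests and checks it against a blacklist, a server-side stage that turns the collected domains into lexical feature vectors and classifies them, and a correlation step that searches the malicious domains in DNS-server query logs to find every other client that resolved them. The app/URL pairs, the blacklist, the BIND-style log lines and the ground-truth labels are constructed for the example; the feature set is an assumption (the abstract does not list the paper's features), and `stand_in_classifier` is a fixed rule that takes the place of the paper's trained Random Forest so the block runs offline.

```python
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# ---- constructed sample data (not from the paper) ---------------------------
# (app package, URL) pairs as the device-side sniffer would record them
DEVICE_REQUESTS = [
    ("com.example.weather", "https://api.weather-example.org/v2/forecast?city=SJO"),
    ("com.example.flashlight", "http://upd4te-c2-xk9q.top/gate.php?id=2291"),
    ("com.example.flashlight", "http://45.77.0.1/cfg/bot.bin"),
    ("com.example.notes", "https://cdn.notes-example.com/static/app.js"),
    ("com.example.game", "http://a1b2c3d4e5f6a7b8.ru/panel/tasks"),
]
BLACKLIST = {"upd4te-c2-xk9q.top"}      # device-side blacklist (constructed)
SUSPICIOUS_TLDS = {"top", "ru", "xyz"}   # assumption used only by the stand-in rule

# BIND-style query log of a DNS server: "client <ip>#<port>: query: <qname> IN ..."
DNS_SERVER_LOG = """\
09-Nov-2022 10:14:02.113 client 10.0.3.21#51433: query: api.weather-example.org IN A + (10.0.0.53)
09-Nov-2022 10:14:05.901 client 10.0.3.44#40021: query: upd4te-c2-xk9q.top IN A + (10.0.0.53)
09-Nov-2022 10:15:11.220 client 10.0.3.21#51877: query: a1b2c3d4e5f6a7b8.ru IN A + (10.0.0.53)
09-Nov-2022 10:16:40.008 client 10.0.3.90#60210: query: cdn.notes-example.com IN A + (10.0.0.53)
09-Nov-2022 10:17:03.555 client 10.0.3.44#40388: query: a1b2c3d4e5f6a7b8.ru IN A + (10.0.0.53)
"""
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


# ---- (i) client side: DNS sniffer with blacklist lookup ---------------------
def domain_of(url):
    """Hostname of a URL, lower-cased, port stripped; IP literals are kept as-is."""
    return (urlsplit(url).hostname or "").rstrip(".")

def client_classify(requests, blacklist):
    """Label each requested domain on the device: 'blacklisted' or 'unknown'."""
    return [(app, domain_of(url), "blacklisted" if domain_of(url) in blacklist else "unknown")
            for app, url in requests]


# ---- (ii) central server: feature extraction + classifier -------------------
def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def lexical_features(domain):
    """Lexical feature vector for the server-side classifier (assumed feature set)."""
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # second-level label
    return {
        "length": len(domain),
        "digit_ratio": sum(ch.isdigit() for ch in domain) / max(len(domain), 1),
        "hyphens": domain.count("-"),
        "sld_entropy": shannon_entropy(sld),
        "is_ip_literal": re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", domain) is not None,
        "tld": labels[-1],
    }

def stand_in_classifier(f):
    """Stand-in for the paper's trained Random Forest: a fixed majority rule over
    the same features so the pipeline runs offline. True means 'malicious'."""
    votes = (f["is_ip_literal"], f["digit_ratio"] > 0.25, f["sld_entropy"] > 3.5,
             f["tld"] in SUSPICIOUS_TLDS, f["hyphens"] >= 2)
    return sum(votes) >= 2

def server_classify(records, classifier=stand_in_classifier):
    """Blacklisted domains stay malicious; unknown ones go to the classifier."""
    verdicts = {}
    for _app, domain, label in records:
        if label == "blacklisted":
            verdicts[domain] = "malicious"
        elif domain not in verdicts:
            verdicts[domain] = "malicious" if classifier(lexical_features(domain)) else "benign"
    return verdicts


# ---- correlation: malicious domains -> DNS-server logs -> other devices ------
def correlate_with_dns_logs(malicious_domains, log_text):
    """Search the discovered domains in DNS-server query logs and return
    {domain: {client IPs that resolved it}}. The match is on the whole qname,
    so 'c2.top' does not match 'abc2.top' (a substring search would)."""
    wanted = {d.lower() for d in malicious_domains}
    hits = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            qname = m.group("qname").rstrip(".").lower()
            if qname in wanted:
                hits.setdefault(qname, set()).add(m.group("ip"))
    return hits

def f1_score(verdicts, truth):
    """F1 for the 'malicious' class, the metric the abstract reports."""
    tp = sum(v == "malicious" and truth[d] == "malicious" for d, v in verdicts.items())
    fp = sum(v == "malicious" and truth[d] == "benign" for d, v in verdicts.items())
    fn = sum(v == "benign" and truth[d] == "malicious" for d, v in verdicts.items())
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def run_pipeline():
    """Client stage -> server stage -> log correlation; returns (verdicts, hits)."""
    records = client_classify(DEVICE_REQUESTS, BLACKLIST)
    verdicts = server_classify(records)
    malicious = {d for d, v in verdicts.items() if v == "malicious"}
    return verdicts, correlate_with_dns_logs(malicious, DNS_SERVER_LOG)

if __name__ == "__main__":
    verdicts, hits = run_pipeline()
    for d, v in verdicts.items():
        print(f"{v:9s} {d}")
    for d, ips in hits.items():
        print(f"{d} was also resolved by {sorted(ips)}")
```

Two points a practitioner would carry over to a real deployment: the correlation step matches on the whole query name rather than doing a substring search, because a substring search over DNS logs turns every short malicious label into false positives on unrelated domains; and the server-side verdict for a blacklisted domain is never overridden by the classifier, so a weak model cannot "un-flag" a known indicator.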