On-Device Detection of Repackaged Android Malware via Traffic Clustering
Security and Communication Networks Pub Date : 2020-05-31 , DOI: 10.1155/2020/8630748
Gaofeng He 1, 2 , Bingfeng Xu 3 , Lu Zhang 4 , Haiting Zhu 1
Malware has become a significant problem on the Android platform. To defend against Android malware, researchers have proposed several on-device detection methods. Typically, these on-device detection methods consist of two steps: (i) extracting the apps' behavior features on the mobile device and (ii) sending the extracted features to remote servers (such as a cloud platform) for analysis. By monitoring the behavior of the apps running on mobile devices, existing methods can detect suspicious applications (apps) accurately. However, mobile devices are typically resource limited: the feature extraction and massive data transmission can consume substantial power and CPU resources, so the performance of the mobile device degrades. To address this issue, we propose a novel method for detecting Android malware by clustering apps' traffic at edge computing nodes. First, a new integrated architecture of cloud, edge, and mobile devices for Android malware detection is presented. Then, for repackaged Android malware, the network traffic content and statistics are extracted at the edge as detection features. Finally, in the cloud, similarities between apps are calculated, and the similarity values are automatically clustered to separate the original apps from the malware. The experimental results demonstrate that the proposed method can detect repackaged Android malware with high precision and with minimal impact on the performance of mobile devices.

Updated: 2020-05-31