Network-based Malware Detection with a Two-tier Architecture for Online Incremental Update

2020 IEEE/ACM 28th International Symposium on Quality of Service (IWQoS)(2020)

Abstract
As smartphones carry more and more private information, they have become the main target of malware attacks. Threats on mobile devices have become increasingly sophisticated, making it imperative to develop effective tools that can detect and counter them. Unfortunately, existing malware detection tools based on machine learning techniques struggle to keep up because it is difficult to perform online incremental updates on the detection models. In this paper, a Two-tier Architecture Malware Detection (TAMD) method is proposed, which learns from the statistical features of network traffic to detect malware. The first layer of TAMD identifies uncertain samples in the training set through a preliminary classification, whereas the second layer builds an improved classifier by filtering out such samples. We enhance TAMD with an incremental learning based technique (TAMD-IL), which allows the detection models to be updated incrementally, by removing and adding sub-models in TAMD, without retraining them from scratch. We experimentally demonstrate that TAMD outperforms the existing methods, with up to 98.72% precision and 96.57% recall. We also evaluate TAMD-IL on four concept drift datasets and compare it with classical machine learning algorithms, two state-of-the-art malware detection technologies, and three incremental learning technologies. Experimental results show that TAMD-IL is efficient in terms of both update time and memory usage.
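The two-tier idea in the abstract (a preliminary classifier flags uncertain training samples, a second classifier is fitted without them, and sub-models are added and removed for incremental updates) can be sketched in code. The following is an added toy illustration, not the paper's implementation: it assumes each flow is summarised as three constructed statistics, uses a nearest-centroid classifier as the stand-in sub-model, and treats a sample as "uncertain" when it is almost equally close to both class centroids.

```python
# Added illustration (not the paper's code). Assumed: flows are 3-tuples of
# statistics, the sub-model is a nearest-centroid classifier, and "uncertain"
# means the two centroids are nearly equidistant from the sample.
import math
from statistics import mean

def _dist(a, b):
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

class CentroidModel:
    """One sub-model: a centroid per class; score 1.0 = certainly malware."""
    def fit(self, X, y):
        # Both classes must be present in (X, y); the constructed data ensures this.
        self.c = {lbl: tuple(map(mean, zip(*[x for x, l in zip(X, y) if l == lbl])))
                  for lbl in (0, 1)}
        return self
    def score(self, x):
        d0, d1 = _dist(x, self.c[0]), _dist(x, self.c[1])
        return d0 / (d0 + d1) if d0 + d1 else 0.5

def tamd_fit(X, y, margin=0.15):
    """Tier 1: preliminary fit flags samples whose score is within `margin`
    of 0.5. Tier 2: refit with those uncertain samples filtered out.
    Returns (tier-2 model, number of samples dropped)."""
    tier1 = CentroidModel().fit(X, y)
    keep = [i for i, x in enumerate(X) if abs(tier1.score(x) - 0.5) > margin]
    tier2 = CentroidModel().fit([X[i] for i in keep], [y[i] for i in keep])
    return tier2, len(X) - len(keep)

class TAMDIL:
    """Incremental variant: a bounded list of sub-models. Each new traffic
    batch adds one sub-model and evicts the oldest, so nothing is retrained."""
    def __init__(self, max_models=3):
        self.models, self.max_models = [], max_models
    def add_batch(self, X, y):
        model, _ = tamd_fit(X, y)
        self.models.append(model)
        if len(self.models) > self.max_models:
            self.models.pop(0)  # oldest sub-model removed (concept drift)
    def is_malware(self, x):
        return mean(m.score(x) for m in self.models) > 0.5

# Constructed sample flows: (mean packet size, packets/s, bytes-out/bytes-in).
BENIGN = [(900, 8, 0.10), (850, 10, 0.15), (1000, 7, 0.08), (870, 9, 0.12)]
MALWARE = [(150, 60, 0.90), (120, 70, 0.95), (180, 55, 0.85), (140, 65, 0.92)]
BORDERLINE = [(526, 35, 0.50)]  # constructed: near the midpoint of both clusters
X = BENIGN + MALWARE + BORDERLINE
Y = [0] * 4 + [1] * 4 + [1]     # the borderline flow carries a (noisy) malware label
```

With this data tier 1 drops exactly the borderline flow, so the tier-2 centroids are no longer pulled toward it.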
Keywords
online incremental update, malware detection, network traffic