Connection Pattern Based Android Network Traffic Clustering

Network traffic clustering plays a fundamental role in network flow analysis. Existing Android network traffic clustering methods have three shortages. First, these methods always focus on partial features, such as port numbers, with the absence of holistic features. Second, existing methods sometimes fail to work if payload of one network package is encrypted. Third, some methods are valid only for several specific application-layer network protocols. To handle these inefficiencies, we adopted network-connection-pattern based features to facilitate Android network traffic clustering. First, a record platform was constructed. This platform executed 575 Android applications and recorded network traffic. Second, we obtained input datasets of clustering through the record platform and extracted features based on network connection pattern. Then, we clustered the input datasets. Finally, we employed Information Gain algorithm and Fast Correlation-Based Filter algorithm separately to rank contributions of features according to the clustering results. Experiments show that the network-connection-pattern-based features lead to more efficient clustering result than the port-number-based features.