As illustrated in Figures 2 and 5, for an identified app, AppFA first constructs its network behavior profile and then compares that profile with both the app's historical profiles and the profiles of its peer group in order to detect malicious apps.
The experimental setup used for AppFA is shown in Figure 7.
Since we mainly focus on repackaging and update attacks, 93 typical information-collection malware samples, covering both the repackaging and the updating attack types, are selected from MalGenome to test the detection rate of AppFA (the malicious app dataset was downloaded from http://www.malgenomeproject.org/ in 2015).
To measure the false positive rate of AppFA, we rely on the GooglePlayAppsCrawler.py project to identify the 100 most popular free apps.
We first examine the detection rates and false positive rates of AppFA for different values of $t_s$ and $k_i$ ($i = 1, 2$).
AppFA is also tested with different values of the cluster number $p$.
Finally, we evaluate AppFA on the remaining malicious apps beyond the 93 selected samples.
Note that AppFA is designed to perform near real-time malicious app detection, so efficiency is also an important concern.
As shown in Table 4, AppFA does not inspect traffic content and relies mainly on statistical traffic features to detect malicious Android apps.
This means that AppFA has to access the Internet when performing malicious app detection.
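The following is an added illustration of the two-sided comparison described above (an app's current profile checked against its own recent history and against its peer group, using only content-free traffic statistics). It is example code written for this page, not AppFA's implementation: the feature set, the per-feature z-score deviation, the OR decision rule, and the tunables `threshold`, `history_k` and `peer_k` (standing in for the paper's $t_s$ and $k_i$ without claiming their definitions) are all assumptions, and the flow records are constructed.

```python
from statistics import mean, pstdev

# Assumed feature set for a per-window traffic profile (not AppFA's feature set).
FEATURES = ("flows_per_min", "avg_pkt_bytes", "up_down_ratio", "distinct_hosts")


def profile_from_flows(flows, window_min):
    """Summarise one observation window of flow records into a statistical profile.

    flows: list of dicts {dst, up_bytes, down_bytes, packets}. Only per-flow
    counters are used; payload content is never examined.
    """
    if not flows:
        return dict.fromkeys(FEATURES, 0.0)
    up = sum(f["up_bytes"] for f in flows)
    down = sum(f["down_bytes"] for f in flows)
    pkts = sum(f["packets"] for f in flows)
    return {
        "flows_per_min": len(flows) / window_min,
        "avg_pkt_bytes": (up + down) / pkts if pkts else 0.0,
        "up_down_ratio": up / down if down else float(up),
        "distinct_hosts": float(len({f["dst"] for f in flows})),
    }


def deviation(profile, baseline):
    """Largest per-feature z-score of `profile` against a list of baseline profiles.

    If a feature shows no spread in the baseline, the deviation is measured
    relative to the baseline mean instead, so constant features remain
    comparable across differently scaled features. Returns 0.0 with no baseline.
    """
    if not baseline:
        return 0.0
    worst = 0.0
    for feat in FEATURES:
        values = [b[feat] for b in baseline]
        mu, sigma = mean(values), pstdev(values)
        scale = sigma if sigma > 0 else max(abs(mu), 1.0)
        worst = max(worst, abs(profile[feat] - mu) / scale)
    return worst


def classify(profile, history, peers, threshold, history_k, peer_k):
    """Flag a window that deviates from the app's last `history_k` profiles OR
    from the first `peer_k` peer-group profiles (assumed decision rule).

    Returns (verdict, history_score, peer_score).
    """
    hist_score = deviation(profile, history[-history_k:])
    peer_score = deviation(profile, peers[:peer_k])
    flagged = hist_score > threshold or peer_score > threshold
    return ("malicious" if flagged else "benign"), hist_score, peer_score


def make_window(n_flows, up, down, pkts, hosts):
    """Constructed flow records: n_flows identical flows spread over `hosts` hosts."""
    return [{"dst": f"h{i % hosts}", "up_bytes": up, "down_bytes": down, "packets": pkts}
            for i in range(n_flows)]


# Constructed sample data (10-minute windows): a chatty-but-steady app's history,
# three peer-group apps, a normal new window, and a window after a hypothetical
# malicious update that starts uploading collected data to many new hosts.
HISTORY = [profile_from_flows(make_window(n, 300, 2000, 20, 3), 10) for n in (18, 20, 22, 19, 21)]
PEERS = [profile_from_flows(make_window(n, 350, 1800, 18, 4), 10) for n in (15, 25, 20)]
NORMAL = profile_from_flows(make_window(20, 310, 2100, 21, 3), 10)
SUSPECT = profile_from_flows(make_window(60, 9000, 200, 12, 25), 10)

if __name__ == "__main__":
    for name, prof in (("normal window", NORMAL), ("post-update window", SUSPECT)):
        verdict, h, p = classify(prof, HISTORY, PEERS, threshold=3.0, history_k=5, peer_k=3)
        print(f"{name}: {verdict} (history deviation {h:.2f}, peer deviation {p:.2f})")
```

The normal window stays well under the threshold on both comparisons, while the post-update window is far outside both its own history (flow rate, upload ratio and host count all jump) and its peer group, so either comparison alone would flag it; in practice the history check catches update-style changes and the peer check catches repackaged apps whose history is malicious from the start.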
We have implemented the local similar-app search and evaluated AppFA's performance in local networks.
Figures 8, 9, 10, and 11 show that AppFA achieves high detection rates and low false positive rates when detecting repackaged apps.