
Directional features and rule-based labeling for real-time network traffic-based android spyware classification: Directional features and rule-based labeling..

Research output: Contribution to journal › Article › peer-review


Abstract

This study addresses the critical challenge of detecting Android spyware in real time, emphasizing cybersecurity risks and the limitations of existing approaches. Previous works rely on signature-based methods or static network traffic analysis, which are effective for known spyware but fail to capture dynamic and evolving spyware behaviors in real-time environments. This study bridges this gap by proposing a real-time spyware classification approach based on network traffic analysis, utilizing directional features and rule-based labeling to enhance spyware classification. It collects 14 spyware types with normal traffic and develops two methods: Method A (single directional) and Method B (bi-directional), applying several learning models to assess performance. Models are saved during batch processing for micro-batch and real-time analysis. Using 150 packets, micro-batch accuracy achieves 76.29-84.95% (Method A) and 74.18-83.23% (Method B), while real-time analysis achieves 74.99% (Method A) and 72.66% (Method B). XGB achieves 80.01% accuracy, advancing Android spyware classification.

Original language: English
Article number: 932
Journal: Journal of Supercomputing
Volume: 81
Issue number: 8
Early online date: 30 May 2025
Publication status: Published - Jun 2025

Keywords

  • Spyware classification
  • Traffic analysis
  • Feature engineering
  • Android spyware
