MURITE-detector: Identifying User-Role in Information Theft Events of Mobile Network

The emergence of information theft apps poses a serious threat to smartphone users. Most of information theft apps rely on network interfaces to steal users' privacy and use short message service (SMS) to implement command and control. In this paper, we propose an available and effective user-role identification model, MURITE-detector (Mobile User-Role in Information Theft Events detector), by using network flows and call detail records (CDRs) with convolutional neural network (CNN) algorithm. Firstly, we generate network flow vectors and CDR vectors from raw data sets, and then match them into node vectors. Subsequently, we use CNN to classify user-roles into: Sourcer, Transferer, Victim and Other. Because of command-and control server invalidation and system version incompatibility, etc., most of the collected information theft apps can't run properly in reality. So we extract code modules from some of these apps, and then recode and compile them into ITM-capsule (Information Theft Modules capsule) to generate information theft network traffic. Finally, we obtain 37,384 information theft network flows, 61,635 benign network flows and 200,522 short message CDRs. We match these data through labels and construct two node vector sets A and B randomly. In addition, we also compare CNN with other machine learning algorithms, and the result shows that CNN performs better. In an evaluation of MURITE-detector, it gets an accuracy of 92.17%, a precision of 93.18% and a recall of 94.68%. Therefore, our model is suitable for identifying user-role in mobile network information theft events.