Let gambling hide nowhere: Detecting illegal mobile gambling apps via heterogeneous graph-based encrypted traffic analysis

Zheyuan Gu, Gaopeng Gou, Chang Liu, Chen Yang, Xiyuan Zhang, Zhen Li, Gang Xiong


Mobile gambling apps, as a new type of online gambling service, have not only enriched people's online entertainment activities but also brought about negative impacts for both individuals and society. Existing gambling app detection methods mainly extract static content-based characteristics, such as visual and textual features, to mine the key information from the user interface to detect gambling apps. In this paper, we are the first to introduce a dynamic communication characteristic-based approach by utilizing encrypted traffic analysis. Firstly, we conduct an analysis of the communication characteristics of 175 popular gambling apps in China, and unveil their important server domain name randomization and inter-app level familial characteristics, which cannot be well leveraged by previous encrypted traffic analysis methods. Based on the analysis results, we design HeCGamb, a Heterogeneous Communication Graph-based method to enhance the Gambling app detection performance. HeCGamb models the inter-flow relations from various traffic flows to mine the flow-level communication patterns of gambling apps. Based on the inter-flow relations, HeCGamb further constructs inter-app relations to utilize the app-level familial characteristics. Finally, the multi-view semantic information from both servers and apps with inter-app relations is fused to generate the app node representations to comprehensively leverage the characteristics from server domains and familial apps. Extensive experiments not only demonstrate the superior performance (94.1% F1-score and 96.8% AUC score in open world) of HeCGamb, but also highlight its potential in gambling industry chain tracking.
Cybercrime, Mobile gambling, Encrypted traffic analysis, Heterogeneous graph learning