TY - GEN
T1 - Unknown malware detection using network traffic classification
AU - Bekerman, Dmitri
AU - Shapira, Bracha
AU - Rokach, Lior
AU - Bar, Ariel
N1 - Publisher Copyright: © 2015 IEEE.
PY - 2015/12/3
Y1 - 2015/12/3
N2 - We present an end-to-end supervised based system for detecting malware by analyzing network traffic. The proposed method extracts 972 behavioral features across different protocols and network layers, and refers to different observation resolutions (transaction, session, flow and conversation windows). A feature selection method is then used to identify the most meaningful features and to reduce the data dimensionality to a tractable size. Finally, various supervised methods are evaluated to indicate whether traffic in the network is malicious, to attribute it to known malware families and to discover new threats. A comparative experimental study using real network traffic from various environments indicates that the proposed system outperforms existing state-of-the-art rule-based systems, such as Snort and Suricata. In particular, our chronological evaluation shows that many unknown malware incidents could have been detected at least a month before their static rules were introduced to either the Snort or Suricata systems.
AB - We present an end-to-end supervised based system for detecting malware by analyzing network traffic. The proposed method extracts 972 behavioral features across different protocols and network layers, and refers to different observation resolutions (transaction, session, flow and conversation windows). A feature selection method is then used to identify the most meaningful features and to reduce the data dimensionality to a tractable size. Finally, various supervised methods are evaluated to indicate whether traffic in the network is malicious, to attribute it to known malware families and to discover new threats. A comparative experimental study using real network traffic from various environments indicates that the proposed system outperforms existing state-of-the-art rule-based systems, such as Snort and Suricata. In particular, our chronological evaluation shows that many unknown malware incidents could have been detected at least a month before their static rules were introduced to either the Snort or Suricata systems.
KW - Machine learning
KW - Malware detection
KW - Network intrusion detection systems
KW - Network security
UR - http://www.scopus.com/inward/record.url?scp=84966320780&partnerID=8YFLogxK
U2 - https://doi.org/10.1109/CNS.2015.7346821
DO - https://doi.org/10.1109/CNS.2015.7346821
M3 - Conference contribution
T3 - 2015 IEEE Conference on Communications and Network Security, CNS 2015
SP - 134
EP - 142
BT - 2015 IEEE Conference on Communications and Network Security, CNS 2015
T2 - 3rd IEEE International Conference on Communications and Network Security, CNS 2015
Y2 - 28 September 2015 through 30 September 2015
ER -