Unknown malware detection using network traffic classification

Dmitri Bekerman, Bracha Shapira, Lior Rokach, Ariel Bar

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

125 Scopus citations

Abstract

We present an end-to-end supervised system for detecting malware by analyzing network traffic. The proposed method extracts 972 behavioral features across different protocols and network layers, computed at different observation resolutions (transaction, session, flow and conversation windows). A feature selection method is then used to identify the most meaningful features and to reduce the data dimensionality to a tractable size. Finally, various supervised methods are evaluated to indicate whether traffic in the network is malicious, to attribute it to known malware families and to discover new threats. A comparative experimental study using real network traffic from various environments indicates that the proposed system outperforms existing state-of-the-art rule-based systems, such as Snort and Suricata. In particular, our chronological evaluation shows that many unknown malware incidents could have been detected at least a month before their static rules were introduced to either the Snort or Suricata systems.
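The pipeline the abstract describes (behavioral features at several observation resolutions, a feature-selection step, then a supervised classifier) is sketched below as an added, self-contained example; it is not code from the paper and does not reproduce its 972 features or the classifiers it evaluates. Everything here is an assumption for illustration: the packet records are constructed, the seven per-window features and the 100-byte "small packet" threshold are arbitrary, the flow/session/conversation keys are one plausible reading of those terms, feature selection uses a simple between-class separation score, and the classifier is a nearest-centroid model on standardized features.

```python
"""Multi-resolution traffic features + feature selection + a small supervised classifier (illustrative)."""
from collections import defaultdict
from statistics import mean, pstdev

SMALL_PKT = 100  # bytes; assumed threshold for the small-packet ratio feature

# Constructed packet records, not real captures: (ts_seconds, src, dst, sport, dport, proto, nbytes)
BENIGN = [  # a short HTTPS browsing burst over two connections
    (0.00, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 517),
    (0.05, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 1460),
    (0.06, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 1460),
    (0.10, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", 210),
    (0.30, "93.184.216.34", "10.0.0.5", 443, 51000, "tcp", 980),
    (0.40, "10.0.0.5", "93.184.216.34", 51001, 443, "tcp", 600),
    (0.45, "93.184.216.34", "10.0.0.5", 443, 51001, "tcp", 1460),
]
BENIGN2 = [
    (0.00, "10.0.0.6", "203.0.113.10", 52000, 443, "tcp", 300),
    (0.03, "203.0.113.10", "10.0.0.6", 443, 52000, "tcp", 1460),
    (0.04, "203.0.113.10", "10.0.0.6", 443, 52000, "tcp", 1200),
    (0.20, "10.0.0.6", "203.0.113.10", 52000, 443, "tcp", 150),
    (0.25, "203.0.113.10", "10.0.0.6", 443, 52000, "tcp", 1460),
    (0.60, "203.0.113.10", "10.0.0.6", 443, 52000, "tcp", 800),
]

def make_beacon(host, c2, period, size, n):
    """Constructed periodic, fixed-size check-ins: one new connection per interval."""
    pk = []
    for i in range(n):
        t = i * period
        pk.append((t, host, c2, 40000 + i, 8080, "tcp", size))
        pk.append((t + 0.2, c2, host, 8080, 40000 + i, "tcp", size - 4))
    return pk

# Observation resolutions: how packets are grouped before features are computed
def flow_key(p):          # unidirectional 5-tuple
    _, src, dst, sp, dp, proto, _ = p
    return (src, dst, sp, dp, proto)

def session_key(p):       # both directions of the same 5-tuple
    _, src, dst, sp, dp, proto, _ = p
    return (proto,) + tuple(sorted([(src, sp), (dst, dp)]))

def conversation_key(p):  # host pair, any ports (captures per-connection beaconing)
    _, src, dst, *_ = p
    return tuple(sorted([src, dst]))

RESOLUTIONS = {"flow": flow_key, "session": session_key, "conversation": conversation_key}

def group_features(pkts):
    """Behavioral features for one group of packets (assumed feature set)."""
    sizes = [p[6] for p in pkts]
    ts = sorted(p[0] for p in pkts)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "pkt_count": len(pkts),
        "total_bytes": sum(sizes),
        "mean_bytes": mean(sizes),
        "bytes_std": pstdev(sizes),
        "duration": ts[-1] - ts[0],
        "small_pkt_ratio": sum(s < SMALL_PKT for s in sizes) / len(sizes),
        "iat_std": pstdev(gaps) if gaps else 0.0,   # inter-arrival regularity
    }

def extract(pkts):
    """Return {resolution: {group_key: feature_dict}} for a packet list."""
    out = {}
    for name, keyfn in RESOLUTIONS.items():
        groups = defaultdict(list)
        for p in pkts:
            groups[keyfn(p)].append(p)
        out[name] = {k: group_features(v) for k, v in groups.items()}
    return out

def rank_features(rows, labels):
    """Rank features by between-class mean separation over within-class spread."""
    scores = {}
    for f in rows[0]:
        pos = [r[f] for r, y in zip(rows, labels) if y == 1]
        neg = [r[f] for r, y in zip(rows, labels) if y == 0]
        scores[f] = abs(mean(pos) - mean(neg)) / (pstdev(pos) + pstdev(neg) + 1e-9)
    return sorted(scores, key=lambda f: -scores[f])

def train(rows, labels, k=4):
    """Nearest-centroid model on the k top-ranked, z-scored features."""
    feats = rank_features(rows, labels)[:k]
    mu = {f: mean(r[f] for r in rows) for f in feats}
    sd = {f: pstdev([r[f] for r in rows]) or 1.0 for f in feats}
    z = lambda r: [(r[f] - mu[f]) / sd[f] for f in feats]
    cents = {y: [mean(c) for c in zip(*[z(r) for r, l in zip(rows, labels) if l == y])]
             for y in set(labels)}
    return {"features": feats, "z": z, "centroids": cents}

def predict(model, row):
    v = model["z"](row)
    return min(model["centroids"],
               key=lambda y: sum((a - b) ** 2 for a, b in zip(v, model["centroids"][y])))

def conversation_row(pkts):
    """One conversation-level feature vector per capture (each capture holds one host pair)."""
    return next(iter(extract(pkts)["conversation"].values()))

# Training set: two benign captures (label 0) and two beaconing captures (label 1)
TRAIN = [conversation_row(BENIGN), conversation_row(BENIGN2),
         conversation_row(make_beacon("10.0.0.7", "198.51.100.9", 60, 64, 10)),
         conversation_row(make_beacon("10.0.0.8", "198.51.100.20", 300, 96, 4))]
LABELS = [0, 0, 1, 1]
MODEL = train(TRAIN, LABELS)

if __name__ == "__main__":
    print("selected features:", MODEL["features"])
    unseen = make_beacon("10.0.0.9", "192.0.2.77", 45, 80, 6)   # different period and size
    print("unseen beacon ->", predict(MODEL, conversation_row(unseen)))
```

The same packets yield very different feature vectors depending on the resolution: at flow level the beaconing host looks like many tiny, short connections, while at conversation level its long duration, constant packet size and regular inter-arrival times stand out, which is why a detector benefits from computing features at several windows and letting selection pick the informative ones.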

Original language: English
Title of host publication: 2015 IEEE Conference on Communications and Network Security, CNS 2015
Publisher: Institute of Electrical and Electronics Engineers
Pages: 134-142
Number of pages: 9
ISBN (Electronic): 9781467378765
DOIs
State: Published - 3 Dec 2015
Event: 3rd IEEE International Conference on Communications and Network Security, CNS 2015 - Florence, Italy
Duration: 28 Sep 2015 to 30 Sep 2015

Publication series

Name: 2015 IEEE Conference on Communications and Network Security, CNS 2015

Conference

Conference: 3rd IEEE International Conference on Communications and Network Security, CNS 2015
Country/Territory: Italy
City: Florence
Period: 28/09/15 to 30/09/15

Keywords

  • Machine learning
  • Malware detection
  • Network intrusion detection systems
  • Network security

ASJC Scopus subject areas

  • Computer Networks and Communications
