Malware Classification Method Based on Sequence of Traffic Flow

Hyoyoung Lim, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura

2015

Abstract

Network-based malware classification plays a more important role in improving system security than system-based malware classification. The vast majority of malware needs network activity in order to accomplish its purpose (e.g., downloading malware, connecting to a C&C server, etc.). Many malware classification approaches based on network behavior have thus been proposed. Nevertheless, they merely rely on either a request URL or a payload for signature matching. To classify the network activity of malware, the patterns of network behavior must be understood and the changes in behavior observed. Therefore, the sequence of flows caused by the malware, and the correlation between those flows, should be analysed. In this paper, we present a novel malware classification method based on clustering of flow features and on sequence alignment algorithms for computing sequence similarity, which represents the network behavior of malware. We focus on analysing the similarity between the sequence patterns of malware traffic flows generated by executing malware on a dynamic analysis system. We also performed an evaluation using malware traffic collected from a real environment. On the basis of our experimental results, we identified the most appropriate method for classifying malware by similarity of network activity.
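To make the abstract's pipeline concrete, the following added example (not the authors' code) represents each sample's traffic as an ordered sequence of flow-cluster labels and scores two sequences with Needleman-Wunsch global alignment, one common sequence alignment algorithm; the cluster labels, scoring parameters, normalisation and nearest-family lookup are assumptions of this illustration, not details taken from the paper.

```python
"""Added illustration, not the paper's code: compare malware samples by the
order of their traffic flows. Each flow is assumed to have already been mapped
to a cluster label (the paper clusters flow features; the labels below are
constructed), and similarity is computed with Needleman-Wunsch global
alignment. Scoring parameters and normalisation are assumptions."""

def align_score(a, b, match=2, mismatch=-1, gap=-1):
    """Needleman-Wunsch global alignment score of two label sequences."""
    n, m = len(a), len(b)
    # dp[i][j]: best score aligning the first i labels of a with the first j of b
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i * gap            # prefix of a aligned against gaps only
    for j in range(1, m + 1):
        dp[0][j] = j * gap            # prefix of b aligned against gaps only
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            dp[i][j] = max(dp[i - 1][j - 1] + s,   # align a[i-1] with b[j-1]
                           dp[i - 1][j] + gap,      # gap in b
                           dp[i][j - 1] + gap)      # gap in a
    return dp[n][m]

def similarity(a, b, match=2, mismatch=-1, gap=-1):
    """Alignment score normalised to [0, 1] by the best attainable score."""
    if not a and not b:
        return 1.0
    best = match * max(len(a), len(b))
    return max(0.0, align_score(a, b, match, mismatch, gap) / best)

def nearest_family(seq, families):
    """Return (family, similarity) of the reference sequence most like seq."""
    return max(((name, similarity(seq, ref)) for name, ref in families.items()),
               key=lambda t: t[1])

# Constructed sample data: flow-cluster labels in the order the flows occurred.
SAMPLE_A = ["DNS", "HTTP_GET", "HTTP_GET", "TCP_BEACON", "TCP_BEACON"]
SAMPLE_B = ["DNS", "HTTP_GET", "TCP_BEACON", "TCP_BEACON", "TCP_BEACON"]
SAMPLE_C = ["SMTP", "SMTP", "SMTP", "DNS"]
FAMILIES = {"downloader": SAMPLE_A, "spambot": SAMPLE_C}

if __name__ == "__main__":
    print(similarity(SAMPLE_A, SAMPLE_B))        # 0.7
    print(similarity(SAMPLE_A, SAMPLE_C))        # 0.0
    print(nearest_family(SAMPLE_B, FAMILIES))    # ('downloader', 0.7)
```

A reordered or lengthened flow sequence lowers the score gradually rather than breaking a match outright, which is the property that makes alignment preferable to exact signature matching on a single URL or payload.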



Paper Citation


in Harvard Style

Lim H., Yamaguchi Y., Shimada H. and Takakura H. (2015). Malware Classification Method Based on Sequence of Traffic Flow. In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 230-237. DOI: 10.5220/0005235002300237

in Bibtex Style

@conference{icissp15,
author={Hyoyoung Lim and Yukiko Yamaguchi and Hajime Shimada and Hiroki Takakura},
title={Malware Classification Method Based on Sequence of Traffic Flow},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2015},
pages={230-237},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005235002300237},
isbn={978-989-758-081-9},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Malware Classification Method Based on Sequence of Traffic Flow
SN - 978-989-758-081-9
AU - Lim H.
AU - Yamaguchi Y.
AU - Shimada H.
AU - Takakura H.
PY - 2015
SP - 230
EP - 237
DO - 10.5220/0005235002300237