Presentation is loading. Please wait.

Presentation is loading. Please wait.

Unknown Malware Detection Using Network Traffic Classification

Published byHerman Pranata Modified over 5 years ago

Similar presentations

Presentation on theme: "Unknown Malware Detection Using Network Traffic Classification"— Presentation transcript:

1 Unknown Malware Detection Using Network Traffic Classification
Dmitri Bekerman, Bracha Shapira, Lior Rokach, Ariel Bar Presentation by Venkat Kotha

2 Outline •  Introduction and Related Work •  System Overview •  Dataset •  Evaluation •  Conclusion

3 Malware Modern malware software utilizes sophisticated ways to hide itself stealing confidential data, disrupting enterprise systems Malware programs use the Internet in order to communicate with the initiator of the attack However, malware tries to communicate with its Command and Control (C&C) center, most likely using common and known network protocol to pass through firewalls Thus Network behavioral modeling can be a useful approach for malware detection and malware family classification

4 Related Work To analyze network traffic previous studies focused on • a specific network layer or protocols Rossow 2011, Stakhanova 2011 • on certain malware or malware families Stone-Gross 2009 • But behavior of various malware might be reflected in different layers or protocols, rendering these “partial” perspectives inadequate and difficult to adapt to the constant evolution of existing malware types, as well as new types of malware or techniques

5 Network traffic classification
•  Packet level methods examine each packet's characteristics and application signatures. •  Flow level methods bases on the aggregation of packets to flows and extraction of characteristics from the flow. •  Attributes: Port based attributes are based on the target TCP or UDP port numbers that are assigned by the Internet Assigned Numbers Authority (IANA). •  Payload based attributes are based on signatures of the traffic at the application layer level. •  Statistical based attributes relate to traffic statistical characteristics

6 Methodology •  In this study, first task to detect malicious communication such as interaction with C&C servers in order to enable alerts about the intrusion. •  Authors’ proposed solution based on cross-layers and cross- protocols traffic classification, using supervised learning methods to learn previously unknown malware, based on previously learned ones. •  Solution is dynamically adaptive, always remaining one step ahead of attackers, These traits enable us to discover malicious activities

7 Network Features •  Uniqueness of the solution lies in the fact that we observe data stream analysis in four resolutions, based on Internet and Transport and Application layers, with features generated

8 Network Features Transaction: Interaction between a client and server
- HTTP transaction - DNS transaction - SSL transaction Session: Unique 4-tuple consisting of source and destination IP addresses and port numbers - TCP session - UDP session Flow: A group of sessions between two network addresses during the aggregation period Conversation Windows: A group of flows between a client and a server over an observation period

9 Examples of Features

10 Feature Extraction Extraction of the features is done by a dedicated feature component Processes the raw network traffic, extracts the features and provides the features as an input to the Machine Learning analyzer Data Flow: inputs( *.pcap files and external dbs such as Alexa Rank, GeoIP) •  Input Processor to objects •  Parallel Executor computation engine which extracts features •  Output processor- CSV file containing feature

11 Data Flow

12 Machine Learning Features are passed to classification algorithms
Naïve Bayes, Decision tree (J48), Random Forest AUC – The receiver operating characteristic (ROC) curve is a standard technique for summarizing classifier (0-1 range, 0.5 is diagonal line) TPR: Measurement of proportion of actual positives (malicious network activities) FPR: Measurement of the proportion of actual negatives

13 Dataset The Sandbox malicious captures included: a) 2,585 records obtained from the Verint sandbox. b) 7,991 records obtained from an academic sandbox. c) 4,167 records obtained from the Virus Total. d) 23,600 records obtained from the Emerging Threats. e) 12,377 malicious records collected from the web and open source community. Benign corporate traffic was captured for 10 days in a students' lab at Ben-Gurion University. Corporate traffic gathered by Verint from a real network including malicious and benign traffic

14 Labelling of data Carried out using two labeling methods Using NIDs
- Snort and Suricata SIDs - based on deep-packet inspection rules Using Verint’s blacklist labeling - unites all malicious activities to 52 unique families - based on the domains, URLs and destination IP blacklist The corporate traffic gathered by Verint was labeled only with their labels, all other datasets were labeled with both types of labels

15 Dataset distribution Dataset has 19 malware families sampled mixing

16 Evaluation Cross family classification accuracy
- Differentiating benign traffic from malicious traffic - Classify the malicious traffic to known labeled families

17 Evaluation Unknown malicious family accuracy
- To identify previously unknown malware families

18 Network environment Comparison of Network environment robustness
Results are very accurate in classifying sandbox environments trained on other sandbox environments. Results are lower (AUC of 0.7) for the real network environment

19 Real network traffic experiment
Classifying benign and malicious network traffic in a real environment In the real network dataset, 2,693 malicious instances were observed to be related to four different families

20 Data Split Used the time split method, and split the data based on the deployment dates of SIDs The results reveal that from the split point 60/40 (60% of data in the train test and the remaining 40% in test set), the AUC remains consistently above the level of 0.8. From the split point 80/20, the stable level is raised to 0.9.

21 Chronological Experiments
Random Forest classifier succeeds in detecting most of the malware (except in 2 cases) 4 weeks before a relevant rule was deployed Detection rate deteriorates as we look further in time

22 Robustness of features
Analysis shows that only 204 features of the available 927 were ever selected by the CFS algorithm. On average, only 27 features were selected during each week for the respected model

23 Robustness of features
Some of the features were constantly selected for most of the models during all periods Implies that a very small set of features can serve the model for a long period of time

24 Robustness in cross environments
Specific set of features were extracted for each environment Also, Global set is prepared, based on features selected from all other environments Difference of AUC between private set and global set is measured as Robustness

25 Conclusion In the proposed method, different observation resolution, cross layers and protocols features improve classification performance Accuracy was not affected by network environments, neither sandbox nor real networks Analysis has shown predictive performance results significantly improved over modern rule based network intrusion detection systems (Snort, Suricata)

26 Conclusion Proposed method was implemented with a small amount of network behavior features, which are suitable over time and for different network environments The method analyzes only traffic behavior and not its content or has no payload analysis, it is effective - encrypted traffic - malware using legitimate network resources - users' privacy is preserved (can be integrated with enterprise network systems)

27 Future work To extend the research one can transfer learning techniques to improve detection from untrained network environments To evaluate the proposed methods and models on mobile network traffic To test the proposed methods for malware family clustering Adjust the method for online detection for high bandwidth networks

28 Thank You

Download ppt "Unknown Malware Detection Using Network Traffic Classification"

Similar presentations

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.

Marios Iliofotou (UC Riverside) Brian Gallagher (LLNL)Tina Eliassi-Rad (Rutgers University) Guowu Xi (UC Riverside)Michalis Faloutsos (UC Riverside) ACM.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Privacy-Preserving Cross-Domain Network Reachability Quantification

Privacy-Preserving Cross-Domain Network Reachability Quantification
Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.

Mining Behavior Models Wenke Lee College of Computing Georgia Institute of Technology.
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.

© 2012 IBM Corporation IBM Security Systems 1 © 2014 IBM Corporation IBM Security Network Protection (XGS) Advanced Threat Protection Integration Framework.
Host Intrusion Prevention Systems & Beyond

Host Intrusion Prevention Systems & Beyond
Department Of Computer Engineering

Department Of Computer Engineering
BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)

BotFinder: Finding Bots in Network Traffic Without Deep Packet Inspection F. Tegeler, X. Fu (U Goe), G. Vigna, C. Kruegel (UCSB)
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
A fast identification method for P2P flow based on nodes connection degree LING XING, WEI-WEI ZHENG, JIAN-GUO MA, WEI- DONG MA Apperceiving Computing and.

A fast identification method for P2P flow based on nodes connection degree LING XING, WEI-WEI ZHENG, JIAN-GUO MA, WEI- DONG MA Apperceiving Computing and.
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.
A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.

A Statistical Anomaly Detection Technique based on Three Different Network Features Yuji Waizumi Tohoku Univ.
What is FORENSICS? Why do we need Network Forensics?

What is FORENSICS? Why do we need Network Forensics?

Similar presentations

Ads by Google