http://dx.doi.org/10.7840/kics.2017.42.1.193

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups  

Lim, Hyo-young (Ministry of National Defense)
Kim, Wan-ju (Ajou University Department of NCW)
Noh, Hong-jun (LIG Nex1 C4I Research Institute, Communication Research Center)
Lim, Jae-sung (Ajou University Department of Computer Engineering)
Abstract
The security of Internet systems critically depends on the ability to keep anti-virus (AV) software up to date and to maintain high detection accuracy against new malware. However, malware variants evolve so quickly that conventional signature-based detection cannot keep up with them. In this paper, we propose a malware classification method based on sequence patterns generated from the network flows of malware samples. We evaluated the method on 766 malware samples and obtained a classification accuracy of approximately 40.4%. In this study, malware was classified solely by its network behavior, excluding code and other characteristics, so the method is expected to be developed further in future work. The classification can also be used to predict the attack group behind a sample, so that additional attacks can be prevented.
Keywords
Malware Classification; Sequence Alignment; Clustering; Traffic Flow; Cyber Warfare;
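The abstract describes classifying samples by aligning sequence patterns derived from their network flows and then grouping similar samples. The following is an added illustration, not code from the paper: each flow is abstracted to a symbol (protocol and port), two samples are compared with a Smith-Waterman local alignment score, and samples are grouped by single-linkage clustering. The traces, scoring weights and similarity threshold are constructed assumptions, not the paper's dataset or parameters.

```python
"""Sequence-alignment similarity between abstracted malware network-flow traces."""

# Constructed sample traces (assumed, not the paper's data): one symbol per flow,
# encoding protocol and destination port in the order the flows were observed.
TRACES = {
    "sampleA": ["DNS", "HTTP80", "HTTP80", "TCP443", "SMTP25"],
    "sampleB": ["DNS", "HTTP80", "TCP443", "SMTP25", "SMTP25"],
    "sampleC": ["IRC6667", "IRC6667", "TCP445", "TCP445", "TCP445"],
}


def smith_waterman(a, b, match=2, mismatch=-1, gap=-1):
    """Local alignment score (Smith-Waterman) between two symbol sequences.

    A score floor of 0 lets the alignment restart anywhere, so a shared
    sub-pattern is rewarded even when the traces differ elsewhere.
    """
    rows, cols = len(a) + 1, len(b) + 1
    h = [[0] * cols for _ in range(rows)]
    best = 0
    for i in range(1, rows):
        for j in range(1, cols):
            diag = h[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            h[i][j] = max(0, diag, h[i - 1][j] + gap, h[i][j - 1] + gap)
            best = max(best, h[i][j])
    return best


def normalized_similarity(a, b, match=2):
    """Scale the alignment score to [0, 1] by the best score a perfect overlap could reach."""
    denom = match * min(len(a), len(b))
    return smith_waterman(a, b, match=match) / denom if denom else 0.0


def cluster(traces, threshold=0.6):
    """Single-linkage grouping: a sample joins the first cluster containing any
    member whose normalized similarity meets the threshold, else starts a new one."""
    clusters = []
    for name, seq in traces.items():
        for members in clusters:
            if any(normalized_similarity(seq, traces[m]) >= threshold for m in members):
                members.append(name)
                break
        else:
            clusters.append([name])
    return clusters


if __name__ == "__main__":
    print(cluster(TRACES))  # sampleA and sampleB share a DNS->HTTP->TLS->SMTP pattern
```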
Citations & Related Records
Times Cited By KSCI: 3