Beyond Labeling: Using Clustering to Build Network Behavioral Profiles of Malware Families

Research output: Chapter in Book/Conference proceedings/Edited volumeChapterScientificpeer-review

7 Citations (Scopus)
194 Downloads (Pure)


Malware family labels are known to be inconsistent. They are also black-box since they do not represent the capabilities of malware. The current state of the art in malware capability assessment includes mostly manual approaches, which are infeasible due to the ever-increasing volume of discovered malware samples. We propose a novel unsupervised machine learning-based method called MalPaCA, which automates capability assessment by clustering the temporal behavior in malware's network traces. MalPaCA provides meaningful behavioral clusters using only 20 packet headers. Behavioral profiles are generated based on the cluster membership of malware's network traces. A Directed Acyclic Graph shows the relationship between malwares according to their overlapping behaviors. The behavioral profiles together with the DAG provide more insightful characterization of malware than current family designations. We also propose a visualization-based evaluation method for the obtained clusters to assist practitioners in understanding the clustering results. We apply MalPaCA on a financial malware dataset collected in the wild that comprises 1.1 k malware samples resulting in 3.6 M packets. Our experiments show that (i) MalPaCA successfully identifies capabilities, such as port scans and reuse of Command and Control servers; (ii) It uncovers multiple discrepancies between behavioral clusters and malware family labels; and (iii) It demonstrates the effectiveness of clustering traces using temporal features by producing an error rate of 8.3%, compared to 57.5% obtained from statistical features.

Original languageEnglish
Title of host publicationMalware Analysis using Artificial Intelligence and Deep Learning
EditorsAndrii Shalaginov, Mark Stamp, Mamoun Alazab
Place of PublicationCham
Number of pages29
ISBN (Electronic)978-3-030-62582-5
ISBN (Print)978-3-030-62581-8
Publication statusPublished - 2021

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project

Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.


  • Malware capability assessment
  • Network traffic
  • Behavioral profiles
  • Unsupervised learning
  • Sequence Clustering


Dive into the research topics of 'Beyond Labeling: Using Clustering to Build Network Behavioral Profiles of Malware Families'. Together they form a unique fingerprint.

Cite this