Projects per year
Abstract
Malware family labels are known to be inconsistent. They are also black-box since they do not represent the capabilities of malware. The current state of the art in malware capability assessment includes mostly manual approaches, which are infeasible due to the ever-increasing volume of discovered malware samples. We propose a novel unsupervised machine learning-based method called MalPaCA, which automates capability assessment by clustering the temporal behavior in malware's network traces. MalPaCA provides meaningful behavioral clusters using only 20 packet headers. Behavioral profiles are generated based on the cluster membership of malware's network traces. A Directed Acyclic Graph shows the relationship between malwares according to their overlapping behaviors. The behavioral profiles together with the DAG provide more insightful characterization of malware than current family designations. We also propose a visualization-based evaluation method for the obtained clusters to assist practitioners in understanding the clustering results. We apply MalPaCA on a financial malware dataset collected in the wild that comprises 1.1 k malware samples resulting in 3.6 M packets. Our experiments show that (i) MalPaCA successfully identifies capabilities, such as port scans and reuse of Command and Control servers; (ii) It uncovers multiple discrepancies between behavioral clusters and malware family labels; and (iii) It demonstrates the effectiveness of clustering traces using temporal features by producing an error rate of 8.3%, compared to 57.5% obtained from statistical features.
Original language | English |
---|---|
Title of host publication | Malware Analysis using Artificial Intelligence and Deep Learning |
Editors | Andrii Shalaginov, Mark Stamp, Mamoun Alazab |
Place of Publication | Cham |
Publisher | Springer |
Pages | 381-409 |
Number of pages | 29 |
ISBN (Electronic) | 978-3-030-62582-5 |
ISBN (Print) | 978-3-030-62581-8 |
DOIs | |
Publication status | Published - 2021 |
Bibliographical note
Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-careOtherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.
Keywords
- Malware capability assessment
- Network traffic
- Behavioral profiles
- Unsupervised learning
- Sequence Clustering
Fingerprint
Dive into the research topics of 'Beyond Labeling: Using Clustering to Build Network Behavioral Profiles of Malware Families'. Together they form a unique fingerprint.Projects
- 1 Active
-
Cybersecurity (TPM)
van Eeten, M. J. G., Hernandez Ganan, C., Gürses, F. S., van Wegberg, R. S., Parkin, S. E., Zhauniarovich, Y., van Engelenburg, S. H., Kadenko, N. I., Labunets, K., Akyazi, U., Bouwman, X. B., Jansen, B. A., Kaur, M., Al Alsadi, A., Lone, Q. B., Turcios Rodriguez, E. R., Vermeer, M., van Harten, V. T. C., Vetrivel, S., Oomens, E. (. C. )., Kustosch, L. F., Bisogni, F., Ciere, M., Fiebig, T., Korczynski, M. T., Moreira Moura, G. C., Noroozian, A., Pieters, W., Tajalizadehkhoob, S., Dacier, B. H. A., San José Sanchez, J., Çetin, F. O. & Zannettou, S.
1/01/10 → …
Project: Research