Separation of benign and malicious network events for accurate malware family classification

Hesham Mekky; Aziz Mohaisen; Zhi-Li Zhang

doi:10.1109/CNS.2015.7346820

Separation of benign and malicious network events for accurate malware family classification

Hesham Mekky, Aziz Mohaisen, Zhi-Li Zhang

Computer Science and Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Scopus citations

Abstract

Labeling malware samples with their appropriate malware family helps understand and track malware evolution and develop mitigation techniques. Current malware analysis techniques that use supervised machine learning rely on classification models that are trained on malware traffic generated from a sandbox environment. These models are then used to classify future unseen observations. In practice, however, malware traffic comes mixed with other legitimate background traffic from host machines, such as user browsing and software update traffic. Hence, the classifier's accuracy to predict the correct malware label on unseen (mixed) traffic is low. We propose a novel classification system that uses an Independent Component Analysis (ICA) module that applies distribution decomposition to separate the observed traffic into two components, malware traffic and background traffic. We also use a random forest classifier module to learn a classification model for every malware family, and then use it to predict malware family labels using the output of the ICA module. This system is thus capable of labeling malware traffic after removing background artifacts (noise), which makes it more efficient and accurate than current classification methods. Our experiments on three malware family datasets show that the performance of our system improves significantly after removing the background traffic artifacts.

Original language	English (US)
Title of host publication	2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	125-133
Number of pages	9
ISBN (Electronic)	9781467378765
DOIs	https://doi.org/10.1109/CNS.2015.7346820
State	Published - Dec 3 2015
Event	3rd IEEE International Conference on Communications and Network Security, CNS 2015 - Florence, Italy Duration: Sep 28 2015 → Sep 30 2015

Publication series

Name	2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015

Other

Other	3rd IEEE International Conference on Communications and Network Security, CNS 2015
Country	Italy
City	Florence
Period	9/28/15 → 9/30/15

Bibliographical note

Funding Information:
This research was supported in part by NSF grants CNS- 1117536, CRI-1305237, CNS-1411636 and DTRA grant HDTRA1-14-1-0040 and DoD ARO MURI Award W911NF- 12-1-0385.

Publisher Copyright:
© 2015 IEEE.

Access

10.1109/CNS.2015.7346820

Fingerprint Dive into the research topics of 'Separation of benign and malicious network events for accurate malware family classification'. Together they form a unique fingerprint.

Cite this

Mekky, H., Mohaisen, A., & Zhang, Z-L. (2015). Separation of benign and malicious network events for accurate malware family classification. In 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015 (pp. 125-133). [7346820] (2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CNS.2015.7346820

Separation of benign and malicious network events for accurate malware family classification. / Mekky, Hesham; Mohaisen, Aziz; Zhang, Zhi-Li.

2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015. Institute of Electrical and Electronics Engineers Inc., 2015. p. 125-133 7346820 (2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Mekky, H, Mohaisen, A & Zhang, Z-L 2015, Separation of benign and malicious network events for accurate malware family classification. in 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015., 7346820, 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015, Institute of Electrical and Electronics Engineers Inc., pp. 125-133, 3rd IEEE International Conference on Communications and Network Security, CNS 2015, Florence, Italy, 9/28/15. https://doi.org/10.1109/CNS.2015.7346820

Mekky H, Mohaisen A, Zhang Z-L. Separation of benign and malicious network events for accurate malware family classification. In 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015. Institute of Electrical and Electronics Engineers Inc. 2015. p. 125-133. 7346820. (2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015). https://doi.org/10.1109/CNS.2015.7346820

@inproceedings{72c6ac47c2da4a94be26a18b063cc4a1,

title = "Separation of benign and malicious network events for accurate malware family classification",

abstract = "Labeling malware samples with their appropriate malware family helps understand and track malware evolution and develop mitigation techniques. Current malware analysis techniques that use supervised machine learning rely on classification models that are trained on malware traffic generated from a sandbox environment. These models are then used to classify future unseen observations. In practice, however, malware traffic comes mixed with other legitimate background traffic from host machines, such as user browsing and software update traffic. Hence, the classifier's accuracy to predict the correct malware label on unseen (mixed) traffic is low. We propose a novel classification system that uses an Independent Component Analysis (ICA) module that applies distribution decomposition to separate the observed traffic into two components, malware traffic and background traffic. We also use a random forest classifier module to learn a classification model for every malware family, and then use it to predict malware family labels using the output of the ICA module. This system is thus capable of labeling malware traffic after removing background artifacts (noise), which makes it more efficient and accurate than current classification methods. Our experiments on three malware family datasets show that the performance of our system improves significantly after removing the background traffic artifacts.",

author = "Hesham Mekky and Aziz Mohaisen and Zhi-Li Zhang",

note = "Funding Information: This research was supported in part by NSF grants CNS- 1117536, CRI-1305237, CNS-1411636 and DTRA grant HDTRA1-14-1-0040 and DoD ARO MURI Award W911NF- 12-1-0385. Publisher Copyright: {\textcopyright} 2015 IEEE.; 3rd IEEE International Conference on Communications and Network Security, CNS 2015 ; Conference date: 28-09-2015 Through 30-09-2015",

year = "2015",

month = dec,

day = "3",

doi = "10.1109/CNS.2015.7346820",

language = "English (US)",

series = "2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "125--133",

booktitle = "2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015",

}

TY - GEN

T1 - Separation of benign and malicious network events for accurate malware family classification

AU - Mekky, Hesham

AU - Mohaisen, Aziz

AU - Zhang, Zhi-Li

N1 - Funding Information: This research was supported in part by NSF grants CNS- 1117536, CRI-1305237, CNS-1411636 and DTRA grant HDTRA1-14-1-0040 and DoD ARO MURI Award W911NF- 12-1-0385. Publisher Copyright: © 2015 IEEE.

PY - 2015/12/3

Y1 - 2015/12/3

N2 - Labeling malware samples with their appropriate malware family helps understand and track malware evolution and develop mitigation techniques. Current malware analysis techniques that use supervised machine learning rely on classification models that are trained on malware traffic generated from a sandbox environment. These models are then used to classify future unseen observations. In practice, however, malware traffic comes mixed with other legitimate background traffic from host machines, such as user browsing and software update traffic. Hence, the classifier's accuracy to predict the correct malware label on unseen (mixed) traffic is low. We propose a novel classification system that uses an Independent Component Analysis (ICA) module that applies distribution decomposition to separate the observed traffic into two components, malware traffic and background traffic. We also use a random forest classifier module to learn a classification model for every malware family, and then use it to predict malware family labels using the output of the ICA module. This system is thus capable of labeling malware traffic after removing background artifacts (noise), which makes it more efficient and accurate than current classification methods. Our experiments on three malware family datasets show that the performance of our system improves significantly after removing the background traffic artifacts.

AB - Labeling malware samples with their appropriate malware family helps understand and track malware evolution and develop mitigation techniques. Current malware analysis techniques that use supervised machine learning rely on classification models that are trained on malware traffic generated from a sandbox environment. These models are then used to classify future unseen observations. In practice, however, malware traffic comes mixed with other legitimate background traffic from host machines, such as user browsing and software update traffic. Hence, the classifier's accuracy to predict the correct malware label on unseen (mixed) traffic is low. We propose a novel classification system that uses an Independent Component Analysis (ICA) module that applies distribution decomposition to separate the observed traffic into two components, malware traffic and background traffic. We also use a random forest classifier module to learn a classification model for every malware family, and then use it to predict malware family labels using the output of the ICA module. This system is thus capable of labeling malware traffic after removing background artifacts (noise), which makes it more efficient and accurate than current classification methods. Our experiments on three malware family datasets show that the performance of our system improves significantly after removing the background traffic artifacts.

UR - http://www.scopus.com/inward/record.url?scp=84966373391&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84966373391&partnerID=8YFLogxK

U2 - 10.1109/CNS.2015.7346820

DO - 10.1109/CNS.2015.7346820

M3 - Conference contribution

AN - SCOPUS:84966373391

T3 - 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015

SP - 125

EP - 133

BT - 2015 IEEE Conference on Communications and NetworkSecurity, CNS 2015

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 3rd IEEE International Conference on Communications and Network Security, CNS 2015

Y2 - 28 September 2015 through 30 September 2015

ER -

Separation of benign and malicious network events for accurate malware family classification

Abstract

Publication series

Other

Bibliographical note

Access

Other files and links

Cite this