DocumentCode
2763996
Title
Exploring network-based malware classification
Author
Stakhanova, Natalia ; Couture, Mathieu ; Ghorbani, Ali A.
Author_Institution
Sch. of CIS, Univ. of South Alabama, Mobile, AL, USA
fYear
2011
fDate
18-19 Oct. 2011
Firstpage
14
Lastpage
20
Abstract
Over the last few years, dynamic and static malware analysis techniques have made significant progress. The majority of existing analysis systems primarily focus on internal host activity. In spite of the importance of network activity, only a limited set of analysis tools have recently started taking it into account. In this work, we study the value of network activity for malware classification by various antivirus products. Specifically, we ask the following question: How well can we classify malware according to network activity? We monitor the execution of a malware sample in a controlled environment and summarize the obtained high-level network information in a graph. We then analyze graph similarity to determine whether such a high-level behavioral profile is sufficient to provide accurate classification of malware samples. The experimental study on a real-world malware collection demonstrates that our approach is able to group malware samples that behave similarly.
Keywords
graph theory; invasive software; pattern classification; antivirus products; dynamic malware analysis; exploring network based malware classification; graph theory; malware collection; malware sample; malware samples; network activity; static malware analysis; Analysis of variance; Data mining; Electronic mail; Internet; Malware; Protocols; Software;
fLanguage
English
Publisher
ieee
Conference_Titel
Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on
Conference_Location
Fajardo
Print_ISBN
978-1-4673-0031-5
Type
conf
DOI
10.1109/MALWARE.2011.6112321
Filename
6112321
Link To Document