Title :
Malware classification method based on sequence of traffic flow
Author :
Hyoyoung Lim;Yukiko Yamaguchi;Hajime Shimada;Hiroki Takakura
Author_Institution :
Graduate School of Information Science, Nagoya University, Furo-cho, Chikusa-ku, Nagoya, Japan
Abstract :
Network-based malware classification plays a more important role in improving system security than system-based malware classification. The vast majority of malware needs network activity in order to accomplish its purpose (e.g., downloading further malware, connecting to a C&C server, etc.). Many malware classification approaches based on network behavior have thus been proposed. Nevertheless, they merely rely on either a request URL or a payload for signature matching. To classify the network activity of malware, the patterns of network behavior must be understood and the changes in behavior observed. Therefore, the sequence of flows caused by the malware, and the correlation between those flows, should be analysed. In this paper, we present a novel malware classification method based on clustering of flow features and sequence alignment algorithms for computing sequence similarity, which represents the network behavior of malware. We focus on analysing the similarity between the sequence patterns of malware traffic flows generated by executing malware on a dynamic analysis system. We also performed an evaluation using malware traffic collected from a real environment. On the basis of our experimental results, we identified the most appropriate method for classifying malware by similarity of network activity.
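The abstract describes a two-stage pipeline: each flow is mapped to a cluster label, and the per-sample label sequences are then compared with a sequence alignment algorithm. The block below is an added illustration of that idea in Python; it is not the authors' code, and it does not reproduce their feature set, clustering or alignment parameters. The `flow_label` bucketing is a hand-written stand-in for the clustering step, the `Flow` fields, scoring weights and the three traffic samples are all constructed assumptions, and the alignment is plain Needleman-Wunsch global alignment over label sequences.

```python
"""Added illustration (not the paper's code): classify traffic samples by
aligning their sequences of flow cluster labels.

Assumptions, all constructed for this example:
  * a Flow is (proto, dst_port, bytes_out, bytes_in);
  * flow_label() stands in for the clustering step of the paper;
  * alignment scores (match/mismatch/gap) are arbitrary defaults.
"""
from collections import namedtuple
from typing import Dict, Hashable, List, Sequence

Flow = namedtuple("Flow", "proto dst_port bytes_out bytes_in")


def flow_label(f: Flow) -> str:
    """Map one flow to a coarse cluster label.

    Hypothetical stand-in for feature clustering: bucket by protocol/port
    and by transfer direction (download-heavy, upload-heavy, symmetric).
    """
    ratio = f.bytes_in / max(1, f.bytes_out)
    if ratio > 10:
        size = "dl"
    elif ratio < 0.1:
        size = "up"
    else:
        size = "sym"
    return f"{f.proto}/{f.dst_port}/{size}"


def flow_sequence(flows: Sequence[Flow]) -> List[str]:
    """A sample's network behavior as the ordered list of its flow labels."""
    return [flow_label(f) for f in flows]


def needleman_wunsch(a: Sequence[Hashable], b: Sequence[Hashable],
                     match: int = 2, mismatch: int = -1, gap: int = -1) -> int:
    """Global alignment score between two label sequences (dynamic programming)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i * gap          # leading gaps in b
    for j in range(1, m + 1):
        dp[0][j] = j * gap          # leading gaps in a
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            dp[i][j] = max(dp[i - 1][j - 1] + s,   # align a[i-1] with b[j-1]
                           dp[i - 1][j] + gap,     # gap in b
                           dp[i][j - 1] + gap)     # gap in a
    return dp[n][m]


def similarity(a: Sequence[Hashable], b: Sequence[Hashable],
               match: int = 2, mismatch: int = -1, gap: int = -1) -> float:
    """Alignment score normalised to [0, 1]: 1.0 means identical sequences,
    0.0 means the best alignment scores no better than pure mismatch/gaps."""
    if not a and not b:
        return 1.0
    score = needleman_wunsch(a, b, match, mismatch, gap)
    return max(0, score) / (match * max(len(a), len(b)))


def classify(query: Sequence[Flow],
             references: Dict[str, List[Sequence[Flow]]]) -> str:
    """Nearest-reference classification: the family whose reference sample
    aligns best with the query wins. Ties resolve to the first family seen."""
    q = flow_sequence(query)
    best_family, best_sim = "", -1.0
    for family, samples in references.items():
        for sample in samples:
            sim = similarity(q, flow_sequence(sample))
            if sim > best_sim:
                best_family, best_sim = family, sim
    return best_family


# Constructed samples (not real captures). Family X: DNS lookup, one HTTP
# download, then repeated small symmetric beacons over 443.
SAMPLE_A = [Flow("udp", 53, 60, 120), Flow("tcp", 80, 400, 50000),
            Flow("tcp", 443, 300, 300), Flow("tcp", 443, 300, 300),
            Flow("tcp", 443, 300, 300)]
# Same family, slightly different byte counts and one beacon fewer.
SAMPLE_B = [Flow("udp", 53, 64, 140), Flow("tcp", 80, 350, 80000),
            Flow("tcp", 443, 310, 290), Flow("tcp", 443, 310, 290)]
# Browsing-like traffic: DNS and large HTTPS downloads only.
SAMPLE_C = [Flow("udp", 53, 60, 120), Flow("tcp", 443, 2000, 90000),
            Flow("tcp", 443, 2500, 70000), Flow("udp", 53, 60, 120),
            Flow("tcp", 443, 1500, 40000)]

if __name__ == "__main__":
    print("A~B:", similarity(flow_sequence(SAMPLE_A), flow_sequence(SAMPLE_B)))
    print("A~C:", similarity(flow_sequence(SAMPLE_A), flow_sequence(SAMPLE_C)))
    print("B classified as:", classify(SAMPLE_B, {"family_x": [SAMPLE_A],
                                                   "browsing": [SAMPLE_C]}))
```

The point the example makes is the one the abstract argues: the order of flows carries signal that per-flow signature matching discards. Sample B shares no exact byte counts with sample A, yet their label sequences align almost perfectly, while sample C, which reuses the same DNS and port-443 building blocks, scores zero because the sequence of bucketed behaviors differs. In a real deployment the gap and mismatch weights, and the clustering that produces the labels, are what an evaluation like the paper's has to tune.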
Keywords :
"Malware","Feature extraction","Heuristic algorithms","Data mining","Algorithm design and analysis","Classification algorithms","Payloads"
Conference_Title :
Information Systems Security and Privacy (ICISSP), 2015 International Conference on