
Evaluation on Malware Classification by Session Sequence of Common Protocols

  • Conference paper
  • Cryptology and Network Security (CANS 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10052)

Abstract

Recent malware is becoming more sophisticated every year. It often uses common protocols such as HTTP to imitate normal communications, so activity within common protocols has to be considered when malware is analyzed. Meanwhile, the number of malware analysts is insufficient compared with the speed at which new malware is generated. To address this problem, a malware classification method is needed that can classify a huge number of malware samples quickly and accurately; with such a method, malware analysts can dedicate themselves to investigating new types of malware. In this paper, we propose a malware classification method using the Session Sequence of common protocols, which classifies a sample as either new or existing malware. Furthermore, if the sample is classified as existing malware, the proposed method also classifies it into one of the existing malware families. We evaluated the proposed method with the traffic of 502 malware samples. The experimental results show that the method can correctly judge and classify with 84.5 % accuracy.



Author information

Corresponding author: Shohei Hiruta.


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Hiruta, S., Yamaguchi, Y., Shimada, H., Takakura, H., Yagi, T., Akiyama, M. (2016). Evaluation on Malware Classification by Session Sequence of Common Protocols. In: Foresti, S., Persiano, G. (eds) Cryptology and Network Security. CANS 2016. Lecture Notes in Computer Science, vol 10052. Springer, Cham. https://doi.org/10.1007/978-3-319-48965-0_31


  • DOI: https://doi.org/10.1007/978-3-319-48965-0_31

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48964-3

  • Online ISBN: 978-3-319-48965-0
