
Automated malware classification based on network behavior

Automated malware classification based on network behavior. Authors: Saeed Nari, Ali A. Ghorbani. 2013 International Conference on Computing, Networking and Communications, Communications and Information Security Symposium. Speaker: Wen Lin Yu.


Presentation Transcript


  1. Automated malware classification based on network behavior. Authors: Saeed Nari, Ali A. Ghorbani. 2013 International Conference on Computing, Networking and Communications, Communications and Information Security Symposium. Speaker: Wen Lin Yu

  2. Outline: Introduction, Related works, Automated Malware Classification, Evaluation, Conclusion

  3. Introduction • Malware has long been one of the major security threats on the Internet. • Anti-virus programs primarily use content-based signatures to identify malware and classify it into its respective families.

  4. Content-based approaches: • This approach is not very accurate because of the obfuscation, polymorphic and metamorphic techniques widely used by modern malware. • Behavior-based approaches: • Analysis by system calls • Network activity

  5. Related work • Content-based approaches • Kolter and Maloof applied machine learning to classify malicious executables using n-grams of byte codes as features. • Tian used features from the printable strings contained in malware samples to distinguish between malicious and benign executables.

  6. Behavior-based approaches: • Lee and Mody represent malware samples with sequences of system calls and use string edit distance to classify them. • Bailey applies normalized compression distance (NCD) as a similarity measure for classifying malware samples. • Rieck uses the information contained in the analysis reports created by CWSandbox.

  7. This paper focuses on how to automate the classification of malware by its network behavior, and it takes the dependencies between network flows into account.

  8. Automated Malware Classification: Network Trace (pcap files) → Flow Extraction → Behavior Tree Generation → Feature Extraction → Classification

  9. Flow Extraction • Network flows are extracted from the pcap files, based on port numbers and protocols, using the TShark utility.

  10. Behavior graphs • Existing work on behavior-based classification uses network flow information such as port number and protocol to create profiles. • We use the dependencies between network flows to create the behavior profile.

  11. Example behavior graph

  12. Feature Extraction • There are two approaches for comparing and classifying malware samples based on their behavior graphs: • Graph edit distance • Distance based on the maximum common sub-graph • Features based on the behavior graphs: • Graph size • Root out-degree • Average out-degree • Maximum out-degree • Number of specific nodes

  13. Classification • Classifying malware samples into their respective families using the feature vectors extracted in the previous step. • Using the classification algorithms provided by the WEKA library.
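The pipeline on slides 8 through 13 (extracted flows, behavior tree, graph features, classifier) is illustrated below as an added, self-contained example; it is not the paper's code and not the speaker's. The flow records are constructed by hand in the shape TShark could export them in, the dependency rule used to build the tree (a flow is attached to the earlier DNS flow that resolved its destination address, otherwise to a virtual root) is an assumption standing in for the paper's flow dependencies, the port-to-node-type table and the training vectors are likewise constructed, and a toy one-nearest-neighbour rule stands in for the WEKA classifiers.

```python
"""Added illustration of flows -> behavior tree -> feature vector -> family label.
Not the paper's code: dependency rule, node-type table and sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Optional


@dataclass
class Flow:
    """One flow as it might be exported from a pcap with TShark (constructed, simplified)."""
    fid: int
    proto: str                        # "udp" or "tcp"
    dst_ip: str
    dst_port: int
    start: float                      # seconds since the start of the trace
    dns_answer: Optional[str] = None  # IP returned in the reply, if this is a DNS flow


# Constructed sample trace: two DNS lookups, flows to the resolved hosts, one hard-coded host.
SAMPLE_FLOWS = [
    Flow(1, "udp", "10.0.0.53", 53, 0.0, dns_answer="203.0.113.10"),
    Flow(2, "tcp", "203.0.113.10", 80, 0.4),
    Flow(3, "tcp", "203.0.113.10", 443, 0.9),
    Flow(4, "udp", "10.0.0.53", 53, 1.2, dns_answer="198.51.100.7"),
    Flow(5, "tcp", "198.51.100.7", 6667, 1.5),
    Flow(6, "tcp", "192.0.2.99", 445, 2.0),
]

ROOT = 0  # virtual root node standing for the start of the trace

# Assumed mapping from (proto, port) to the "specific node" types that get counted.
NODE_TYPES = {("udp", 53): "dns", ("tcp", 80): "http", ("tcp", 443): "https",
              ("tcp", 6667): "irc", ("tcp", 445): "smb"}
FEATURE_ORDER = ["graph_size", "root_out_degree", "avg_out_degree", "max_out_degree",
                 "dns", "http", "https", "irc", "smb", "other"]


def build_behavior_tree(flows: List[Flow]) -> Dict[int, List[int]]:
    """Adjacency list {parent: [children]} over flow ids plus the root.
    Assumed dependency rule: a flow whose destination IP was returned by an earlier
    DNS flow is attached to that DNS flow; any other flow is attached to the root."""
    children: Dict[int, List[int]] = defaultdict(list)
    resolved: Dict[str, int] = {}  # answer IP -> id of the DNS flow that returned it
    for f in sorted(flows, key=lambda x: x.start):
        children[resolved.get(f.dst_ip, ROOT)].append(f.fid)
        if f.dns_answer is not None:
            resolved[f.dns_answer] = f.fid
    return dict(children)


def node_type(f: Flow) -> str:
    return NODE_TYPES.get((f.proto, f.dst_port), "other")


def extract_features(flows: List[Flow]) -> Dict[str, float]:
    """The feature groups listed on the Feature Extraction slide, computed on the tree."""
    tree = build_behavior_tree(flows)
    n_nodes = len(flows) + 1  # every flow plus the root
    out_degrees = [len(tree.get(n, [])) for n in [ROOT] + [f.fid for f in flows]]
    feats: Dict[str, float] = {
        "graph_size": n_nodes,
        "root_out_degree": len(tree.get(ROOT, [])),
        "avg_out_degree": sum(out_degrees) / n_nodes,
        "max_out_degree": max(out_degrees),
    }
    counts: Dict[str, int] = defaultdict(int)
    for f in flows:
        counts[node_type(f)] += 1
    for t in FEATURE_ORDER[4:]:
        feats[t] = counts.get(t, 0)
    return feats


def to_vector(feats: Dict[str, float]) -> List[float]:
    """Fixed column order, the shape a WEKA CSV/ARFF export would carry."""
    return [float(feats[k]) for k in FEATURE_ORDER]


# Constructed training vectors for two hypothetical families, in FEATURE_ORDER.
TRAINING = {
    "family_A": [[7, 3, 0.86, 3, 2, 1, 1, 1, 1, 0], [8, 3, 0.88, 3, 2, 2, 1, 1, 1, 0]],
    "family_B": [[4, 1, 0.75, 2, 1, 0, 0, 0, 0, 2], [5, 2, 0.80, 2, 1, 0, 0, 0, 1, 2]],
}


def nearest_family(vec: List[float], labelled: Dict[str, List[List[float]]]) -> str:
    """Toy 1-nearest-neighbour stand-in for the WEKA classifiers used in the paper."""
    def dist(a: List[float], b: List[float]) -> float:
        return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    return min((dist(vec, v), fam) for fam, vs in labelled.items() for v in vs)[1]


if __name__ == "__main__":
    feats = extract_features(SAMPLE_FLOWS)
    print(build_behavior_tree(SAMPLE_FLOWS))
    print(to_vector(feats), nearest_family(to_vector(feats), TRAINING))
```

In a real run the flow list would come from TShark's per-flow output on the pcap, the node-type table would follow whatever the paper counts as specific nodes, and the feature vectors would be written out for WEKA; the graph-level statistics are the part worth noting, since they are what make two traces comparable even when the destination addresses differ.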

  14. Evaluation • Labeling the dataset • We used the malware dataset provided by the Communications Research Centre Canada (CRC). • Each malware sample is assigned a label by 11 anti-virus scanners. • We identified 13 malware families with this approach.

  15. Dataset size

  16. Classification Accuracy

  17. Conclusion • The framework the authors propose outperforms five anti-virus programs in classifying malware samples. • The experiment the authors made only shows that the framework performs better than the other five; it does not show that it has a better detection rate than the others.

  18. Thank you
