A Distance-Based Method for Building an Encrypted Malware Traffic Identification Framework

Liu, Jiayong; Tian, Zhiyi; Zheng, Rongfeng; Liu, Liang

doi:10.1109/access.2019.2930717

Cited by 25 publications

(16 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For the random forest classifiers, their testing time seems to be correlated to a tunable parameter (i.e., the number of trees in the forest), each of which is hand-tuned to optimize the accuracy (800 for Markov chain-based random forest and 200 for TIG-based random forest). It implies that the raw input size (25) to construct the traffic interaction graph is optimized, as described in [11]. A similar tendency is observed in the SVM classifiers.…”

Section: Roc Curves and Auc Valuesmentioning

confidence: 57%

“…For malware family classification for TLS-encrypted traffic, [9] showed that the L1 multinomial logistic regression classifier with the enhanced flow features can classify TLS-encrypted malware traffic into 1 of 18 classes (i.e., malware families) with a total accuracy of 90.3%. In [25], an XGBoost [26]-based malware family classification framework was proposed with a distance-based clustering method to measure the similarity between malware families. Ref.…”

Section: Malware Detection and Family Classification From Tls-encrypt...mentioning

confidence: 99%

“…[27] proposed a multi-task hierarchical learning method, which is based on one-dimensional CNN and gives both mid-level class (e.g., malware family) and top-level class (e.g., either malware or benign) at the same time. In both [25,27], features were selected from the enhanced flow features.…”

Section: Malware Detection and Family Classification From Tls-encrypt...mentioning

confidence: 99%

“…To this end, MalClassifier [35] presents a malware family classification system from connection logs of a widely used real-time network monitoring framework called Bro (currently Zeek) [36]. Clearly, MalClassifier is efficient and can be operated in real time, but it is reported that a distance-based method [25] outperforms MalClassifer especially due to false positives due to the similarity of several malware families.…”

Section: Malware Detection and Family Classification From Tls-encrypt...mentioning

confidence: 99%

See 3 more Smart Citations

Experimental Evaluation of Malware Family Classification Methods from Sequential Information of TLS-Encrypted Traffic

Roh

2021

Electronics

View full text Add to dashboard Cite

In parallel with the rapid adoption of transport layer security (TLS), malware has utilized the encrypted communication channel provided by TLS to hinder detection from network traffic. To this end, recent research efforts are directed toward malware detection and malware family classification for TLS-encrypted traffic. However, amongst their feature sets, the proposals to utilize the sequential information of each TLS session has not been properly evaluated, especially in the context of malware family classification. In this context, we propose a systematic framework to evaluate the state-of-the-art malware family classification methods for TLS-encrypted traffic in a controlled environment and discuss the advantages and limitations of the methods comprehensively. In particular, our experimental results for the 10 representations and classifier combinations show that the graph-based representation for the sequential information achieves better performance regardless of the evaluated classification algorithms. With our framework and findings, researchers can design better machine learning based classifiers.

show abstract

Section: Roc Curves and Auc Valuesmentioning

confidence: 57%

Section: Malware Detection and Family Classification From Tls-encrypt...mentioning

confidence: 99%

Section: Malware Detection and Family Classification From Tls-encrypt...mentioning

confidence: 99%

Section: Malware Detection and Family Classification From Tls-encrypt...mentioning

confidence: 99%

See 2 more Smart Citations

Experimental Evaluation of Malware Family Classification Methods from Sequential Information of TLS-Encrypted Traffic

Roh

2021

Electronics

View full text Add to dashboard Cite

show abstract

“…In [24], Prasse et al proposed a Long Short-term Memory neural network which uses only observable features of HTTPS traffic (client and host IP addresses and ports, timestamps, data flow volume, and the unencrypted host domain name) for malware classification, claiming it outperforms random forest models in similar applications with a 64% detection rate and 70% precision. The authors of [25] proposed a distance-based, supervised learning solution which suffers from the pitfall of relying on collecting a large amount of traffic data and extracting the features before any analysis can be completed. An approach that analyzes persistent communications, instead of the presence of anomalies within the persistent communication itself, is offered in [26].…”

Section: B Use Of Encryption In Malware Developmentmentioning

confidence: 99%

Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection

et al. 2020

View full text Add to dashboard Cite

One critical vulnerability of stream ciphers is the reuse of an encryption key. Since most stream ciphers consist of only a key scheduling algorithm and an Exclusive OR (XOR) operation, an adversary may break the cipher by XORing two captured ciphertexts generated under the same key. Various cryptanalysis techniques based on this property have been introduced in order to recover plaintexts or encryption keys; in contrast, this research reinterprets the vulnerability as a method of detecting stream ciphers from the ciphertexts it generates. Patterns found in the values (characters) expressed across the bytes of a ciphertext make the ciphertext distinguishable from random and are unique to each combination of ciphers and encryption keys. We propose a scheme that uses these patterns as a fingerprint, which is capable of detecting all ciphertexts of a given length generated by an encryption pair. The scheme can be utilized to detect a specific type of malware that exploits a stream cipher with a stored key such as the DarkComet Remote Access Trojan (RAT). We show that our scheme achieves 100% accuracy for messages longer than 13 bytes in about 17 µsec, providing a fast and highly accurate tool to aid in encrypted malware detection.

show abstract

Improving Cyber-Threat Detection by Moving the Boundary Around the Normal Samples

Andresini

Appice

Caforio

et al. 2020

Studies in Computational Intelligence

View full text Add to dashboard Cite

A Distance-Based Method for Building an Encrypted Malware Traffic Identification Framework

Cited by 25 publications

References 33 publications

Experimental Evaluation of Malware Family Classification Methods from Sequential Information of TLS-Encrypted Traffic

Experimental Evaluation of Malware Family Classification Methods from Sequential Information of TLS-Encrypted Traffic

Rethinking the Weakness of Stream Ciphers and Its Application to Encrypted Malware Detection

Improving Cyber-Threat Detection by Moving the Boundary Around the Normal Samples

Contact Info

Product

Resources

About