Malware dection using IP flow level attributes
Although the task of malware detection in network traffic had been done successfully through Deep Packet Inspection (DPI) in the last two decades, this approach is becoming less efficient due to the continuous increasing of network traffic volumes and speeds and concerns on user's privacy. The...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Asian Research Publishing Network (ARPN)
2013
|
| Subjects: | |
| Online Access: | http://eprints.utm.my/id/eprint/49662/1/SulaimanMohd.Nor2013_MalwaredectionusingIP.pdf http://eprints.utm.my/id/eprint/49662/ http://www.jatit.org |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Universiti Teknologi Malaysia |
| Language: | English |
| Summary: | Although the task of malware detection in network traffic had been done successfully through Deep Packet Inspection (DPI) in the last two decades, this approach is becoming less efficient due to the continuous increasing of network traffic volumes and speeds and concerns on user's privacy. The recent alternative approach is the flow-based detection which has the ability to inspect high speed and backbone network traffic because it significantly aggregates and reduces the inspected data. However, the capability of this approach to detect packet-based attacks such as viruses and trojans is questionable because of the absence of the actual data at the payload level. In this paper we proof through experiments the ability to detect network flows that contain malicious packets that had been previously marked as malicious by Snort using only flow level attributes using several Machine Learning (ML) classifiers. We created our dataset from captured traces of a subnet of our university's network. The detection accuracy is found to be 75% True Positive (TP) with almost zero False Negative which we consider as a verification of the capability of flow-based approach to detect malware. This finding is encouraging for future researches where it can be combined with more traditional detection methods to form more powerful NIDSs |
|---|