Malware dection using IP flow level attributes
Although the task of malware detection in network traffic had been done successfully through Deep Packet Inspection (DPI) in the last two decades, this approach is becoming less efficient due to the continuous increasing of network traffic volumes and speeds and concerns on user's privacy. The...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Asian Research Publishing Network (ARPN)
2013
|
| Subjects: | |
| Online Access: | http://eprints.utm.my/id/eprint/49662/1/SulaimanMohd.Nor2013_MalwaredectionusingIP.pdf http://eprints.utm.my/id/eprint/49662/ http://www.jatit.org |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Universiti Teknologi Malaysia |
| Language: | English |
| id |
my.utm.49662 |
|---|---|
| record_format |
eprints |
| spelling |
my.utm.496622018-10-14T08:26:33Z http://eprints.utm.my/id/eprint/49662/ Malware dection using IP flow level attributes Abdalla, Ahmed A. Jamil, Haitham Hamza Ibrahim, Hamza Awad Mohd. Nor, Sulaiman QA76 Computer software Although the task of malware detection in network traffic had been done successfully through Deep Packet Inspection (DPI) in the last two decades, this approach is becoming less efficient due to the continuous increasing of network traffic volumes and speeds and concerns on user's privacy. The recent alternative approach is the flow-based detection which has the ability to inspect high speed and backbone network traffic because it significantly aggregates and reduces the inspected data. However, the capability of this approach to detect packet-based attacks such as viruses and trojans is questionable because of the absence of the actual data at the payload level. In this paper we proof through experiments the ability to detect network flows that contain malicious packets that had been previously marked as malicious by Snort using only flow level attributes using several Machine Learning (ML) classifiers. We created our dataset from captured traces of a subnet of our university's network. The detection accuracy is found to be 75% True Positive (TP) with almost zero False Negative which we consider as a verification of the capability of flow-based approach to detect malware. This finding is encouraging for future researches where it can be combined with more traditional detection methods to form more powerful NIDSs Asian Research Publishing Network (ARPN) 2013 Article PeerReviewed application/pdf en http://eprints.utm.my/id/eprint/49662/1/SulaimanMohd.Nor2013_MalwaredectionusingIP.pdf Abdalla, Ahmed and A. Jamil, Haitham and Hamza Ibrahim, Hamza Awad and Mohd. Nor, Sulaiman (2013) Malware dection using IP flow level attributes. Journal of Theoretical and Applied Information Technology, 57 (3). pp. 530-539. ISSN 1992-8645 http://www.jatit.org |
| institution |
Universiti Teknologi Malaysia |
| building |
UTM Library |
| collection |
Institutional Repository |
| continent |
Asia |
| country |
Malaysia |
| content_provider |
Universiti Teknologi Malaysia |
| content_source |
UTM Institutional Repository |
| url_provider |
http://eprints.utm.my/ |
| language |
English |
| topic |
QA76 Computer software |
| spellingShingle |
QA76 Computer software Abdalla, Ahmed A. Jamil, Haitham Hamza Ibrahim, Hamza Awad Mohd. Nor, Sulaiman Malware dection using IP flow level attributes |
| description |
Although the task of malware detection in network traffic had been done successfully through Deep Packet Inspection (DPI) in the last two decades, this approach is becoming less efficient due to the continuous increasing of network traffic volumes and speeds and concerns on user's privacy. The recent alternative approach is the flow-based detection which has the ability to inspect high speed and backbone network traffic because it significantly aggregates and reduces the inspected data. However, the capability of this approach to detect packet-based attacks such as viruses and trojans is questionable because of the absence of the actual data at the payload level. In this paper we proof through experiments the ability to detect network flows that contain malicious packets that had been previously marked as malicious by Snort using only flow level attributes using several Machine Learning (ML) classifiers. We created our dataset from captured traces of a subnet of our university's network. The detection accuracy is found to be 75% True Positive (TP) with almost zero False Negative which we consider as a verification of the capability of flow-based approach to detect malware. This finding is encouraging for future researches where it can be combined with more traditional detection methods to form more powerful NIDSs |
| format |
Article |
| author |
Abdalla, Ahmed A. Jamil, Haitham Hamza Ibrahim, Hamza Awad Mohd. Nor, Sulaiman |
| author_facet |
Abdalla, Ahmed A. Jamil, Haitham Hamza Ibrahim, Hamza Awad Mohd. Nor, Sulaiman |
| author_sort |
Abdalla, Ahmed |
| title |
Malware dection using IP flow level attributes |
| title_short |
Malware dection using IP flow level attributes |
| title_full |
Malware dection using IP flow level attributes |
| title_fullStr |
Malware dection using IP flow level attributes |
| title_full_unstemmed |
Malware dection using IP flow level attributes |
| title_sort |
malware dection using ip flow level attributes |
| publisher |
Asian Research Publishing Network (ARPN) |
| publishDate |
2013 |
| url |
http://eprints.utm.my/id/eprint/49662/1/SulaimanMohd.Nor2013_MalwaredectionusingIP.pdf http://eprints.utm.my/id/eprint/49662/ http://www.jatit.org |
| _version_ |
1643652746137567232 |