Automated Detection of Malware Activities Using Nonnegative Matrix Factorization

Malware is increasingly diversified and sophisticated. It is essential to rapidly and accurately detect malware activities when malware infection spreads. However, accurately distinguishing potential malware activities from countless indiscriminate scanning attacks is a huge challenge. In this study, we introduce Dark-NMF, a darknet analysis engine using Non-negative Matrix Factorization (NMF). Dark-NMF focuses on the synchronization of the spatiotemporal features seen when malware infection spreads and automatically detects abnormally synchronous spatial features (source hosts and destination ports) in near real-time. Dark-NMF measures the synchronization of spatial features by decomposing spatiotemporal patterns from darknet traffic using NMF. We tuned the hyperparameters of Dark-NMF and evaluated its detection performance on malware activities against existing methods such as GLASSO and ChangeFinder using a human-labeled ground truth. We found that Dark-NMF detects all malware activities that should be detected in the ground truth without a miss. We also showed that Dark-NMF has many advantages over existing methods, and we provide a highly practical operation guideline. Consequently, Dark-NMF is expected to contribute threat intelligence information for rapid response to malware activity.
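A toy version of the decomposition step the abstract describes, added here as an illustration and not part of the paper or its Dark-NMF implementation: a constructed time x destination-port darknet count matrix is factored with NMF (Lee and Seung multiplicative updates, in pure Python), and ports that load on a component with a bursty temporal profile are flagged as synchronized. The port numbers, counts, rank and thresholds are constructed illustrative values, not the paper's tuned hyperparameters.

```python
import random

# Constructed sample: 12 time bins x 6 destination ports of darknet packet counts.
# Ports 80/443/22 carry steady indiscriminate scanning; ports 23/2323/7547 rise
# and fall together in bins 6-8, i.e. a synchronized spatiotemporal pattern.
PORTS = [80, 443, 22, 23, 2323, 7547]
BACKGROUND = {80: 30, 443: 20, 22: 10}            # constant per-bin counts
BURST_SHAPE = {6: 40, 7: 60, 8: 50}               # burst intensity per time bin
BURST_SCALE = {23: 1.0, 2323: 1.0, 7547: 0.5}     # how strongly each port joins in

def build_matrix():
    """Constructed 12 x 6 count matrix (rows = time bins, columns = PORTS)."""
    return [[float(BACKGROUND.get(p, 0) + BURST_SHAPE.get(t, 0) * BURST_SCALE.get(p, 0))
             for p in PORTS] for t in range(12)]

def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]

def transpose(a):
    return [list(c) for c in zip(*a)]

def nmf(v, k, iters=400, seed=0):
    """Return W (T x k) and H (k x P) with V ~= W H and all entries >= 0."""
    rng = random.Random(seed)
    t, p, eps = len(v), len(v[0]), 1e-9
    w = [[rng.random() + 0.1 for _ in range(k)] for _ in range(t)]
    h = [[rng.random() + 0.1 for _ in range(p)] for _ in range(k)]
    for _ in range(iters):
        wt = transpose(w)                          # H <- H * (W^T V) / (W^T W H)
        num, den = matmul(wt, v), matmul(matmul(wt, w), h)
        h = [[h[i][j] * num[i][j] / (den[i][j] + eps) for j in range(p)] for i in range(k)]
        ht = transpose(h)                          # W <- W * (V H^T) / (W H H^T)
        num, den = matmul(v, ht), matmul(w, matmul(h, ht))
        w = [[w[i][j] * num[i][j] / (den[i][j] + eps) for j in range(k)] for i in range(t)]
    return w, h

def synchronized_ports(v, ports, k=2, burst_ratio=2.0, weight_frac=0.25):
    """Ports whose column weights concentrate on a temporally bursty component."""
    w, h = nmf(v, k)
    flagged = set()
    for r in range(k):
        col = [row[r] for row in w]
        if max(col) / (sum(col) / len(col) + 1e-9) < burst_ratio:
            continue                               # flat over time: background scanning
        top = max(h[r])
        flagged.update(ports[j] for j in range(len(ports)) if h[r][j] >= weight_frac * top)
    return sorted(flagged)
```

Real darknet traffic is far noisier, and the paper tunes rank and thresholds against a human-labeled ground truth; the burst-ratio and weight cut-offs here are only placeholders for that step.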