Malware detection using IP flow level attributes

Although malware detection in network traffic has been carried out successfully through Deep Packet Inspection (DPI) over the last two decades, this approach is becoming less efficient because of the continuous increase in network traffic volumes and speeds and because of concerns about users' privacy. The recent alternative is flow-based detection, which can inspect high-speed and backbone network traffic because it significantly aggregates and reduces the inspected data. However, the capability of this approach to detect packet-based attacks such as viruses and trojans is questionable because the actual payload data is absent. In this paper we prove through experiments that network flows containing packets previously marked as malicious by Snort can be detected using only flow-level attributes and several Machine Learning (ML) classifiers. We created our dataset from captured traces of a subnet of our university's network. The detection accuracy is found to be 75% True Positive (TP) with almost zero False Negative, which we consider a verification of the capability of the flow-based approach to detect malware. This finding is encouraging for future research in which it can be combined with more traditional detection methods to form more powerful NIDSs.
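As an added illustration of the pipeline the abstract describes (not code from the paper), the sketch below aggregates packets into flow records, labels a flow malicious when Snort flagged any packet inside it, and scores a flow-level classifier by TP and FN rate against those labels. The packet trace, the Snort alert entries, the idle timeout, the feature set and the toy classification rule in the usage line are all assumptions constructed for the example.

```python
# Constructed packet trace: (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, length)
PACKETS = [
    (0.0, "10.0.0.5", 40001, "93.184.216.34", 80, "tcp", 60),
    (0.1, "93.184.216.34", 80, "10.0.0.5", 40001, "tcp", 1500),
    (0.2, "10.0.0.5", 40001, "93.184.216.34", 80, "tcp", 52),
    (1.0, "10.0.0.7", 51000, "198.51.100.9", 6667, "tcp", 80),
    (1.5, "198.51.100.9", 6667, "10.0.0.7", 51000, "tcp", 120),
    (90.0, "10.0.0.7", 51000, "198.51.100.9", 6667, "tcp", 64),  # idle gap > timeout: new flow
]
# Constructed Snort alert log: (timestamp_s, 5-tuple) of the packets Snort flagged
SNORT_ALERTS = {(1.0, "10.0.0.7", 51000, "198.51.100.9", 6667, "tcp")}
IDLE_TIMEOUT = 60.0  # assumption: a unidirectional flow expires after 60 s without packets

def build_flows(packets, idle_timeout=IDLE_TIMEOUT):
    """Aggregate packets into unidirectional flow records keyed by 5-tuple, split on idle gaps."""
    flows, active = [], {}
    for ts, *key, length in sorted(packets):
        key = tuple(key)
        f = active.get(key)
        if f is None or ts - f["last"] > idle_timeout:
            if f is not None:
                flows.append(f)  # expired record; a fresh one takes over the key
            f = active[key] = {"key": key, "first": ts, "last": ts, "pkts": 0, "bytes": 0, "pkt_ts": []}
        f["last"] = ts
        f["pkts"], f["bytes"] = f["pkts"] + 1, f["bytes"] + length
        f["pkt_ts"].append(ts)
    flows.extend(active.values())
    return flows

def flow_features(f):
    """Flow-level attributes only (assumed feature set); no payload bytes are available."""
    return {"pkts": f["pkts"], "bytes": f["bytes"], "duration": f["last"] - f["first"],
            "mean_pkt_size": f["bytes"] / f["pkts"], "dst_port": f["key"][3]}

def label_flows(flows, alerts):
    """Ground truth as in the paper: a flow is malicious if Snort flagged any packet in it."""
    for f in flows:
        f["malicious"] = any((ts, *f["key"]) in alerts for ts in f["pkt_ts"])
    return flows

def tp_fn_rates(flows, predict):
    """Score a flow classifier against the Snort-derived labels: (TP rate, FN rate)."""
    positives = [f for f in flows if f["malicious"]]
    tp = sum(1 for f in positives if predict(flow_features(f)))
    return tp / len(positives), (len(positives) - tp) / len(positives)

if __name__ == "__main__":
    flows = label_flows(build_flows(PACKETS), SNORT_ALERTS)
    # Toy stand-in for the ML classifier (assumption, not a learned model): flag IRC-port flows
    print(len(flows), tp_fn_rates(flows, lambda x: x["dst_port"] == 6667))
```

Note that the second flow on the same 5-tuple after the idle timeout carries no Snort-flagged packet and so is labelled benign, which is how a flow-level ground truth can disagree with a port-based rule.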
