Abstract

The popularity of encryption methods poses a great challenge to malware traffic identification. Traditional classes defined by expert experience usually follow the host behaviour of the malware, such as banking malware or ransomware, which is often unrelated to its communication traffic behaviour. As a result, the boundaries between the traffic-feature datasets of different malware classes are fuzzy, and these traditional classes are unhelpful for classification based on traffic features. Meanwhile, traditional machine learning-based encrypted malware traffic identification methods, such as multi-class supervised learning models, are inefficient in both model training and detection, and their detection accuracy cannot meet the demand. In this paper, we propose a distance-based method that uses the unsupervised learning algorithms Gaussian mixture model (GMM) and ordering points to identify the clustering structure (OPTICS) to calculate the Distance between pieces of malware, and uses this Distance to define a new malware class called FClass. Then, a set of models is trained with the XGBoost algorithm to build an identification framework based on the FClass. The performance of the proposed method has been evaluated by comparing it with four other methods. The results show that the proposed distance-based method is more efficient and accurate.
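The abstract's central idea is that traditional, host-behaviour classes can be regrouped by how close their traffic-feature distributions are. The following is an added example, not code from the paper: the paper does not state how its GMM/OPTICS-based Distance is computed, so this example substitutes a stand-in (symmetric KL divergence between a diagonal Gaussian fitted to each family's feature vectors), merges families whose distance falls below a threshold into one traffic-defined class (the FClass analogue), and omits the XGBoost identification stage. Family names, feature vectors and the threshold are all constructed for illustration.

```python
import math
import random
from itertools import combinations

# Constructed sample data (not from the paper): three "traditional" malware
# classes, each a list of per-flow feature vectors
# (mean packet size in bytes, flow duration in seconds, sent/received byte ratio).
_rng = random.Random(7)

def _make_family(mean, std, n=40):
    return [[_rng.gauss(m, s) for m, s in zip(mean, std)] for _ in range(n)]

FAMILIES = {
    "banking_A":    _make_family((600, 30, 0.40), (50, 5, 0.05)),
    "banking_B":    _make_family((610, 32, 0.42), (50, 5, 0.05)),
    "ransomware_C": _make_family((1200, 5, 0.90), (50, 5, 0.05)),
}

def fit_diag_gaussian(samples):
    """Per-dimension mean and variance: one diagonal Gaussian per family."""
    dims, n = len(samples[0]), len(samples)
    means = [sum(s[d] for s in samples) / n for d in range(dims)]
    variances = [sum((s[d] - means[d]) ** 2 for s in samples) / n for d in range(dims)]
    # Floor the variance so a constant feature cannot cause division by zero.
    return means, [max(v, 1e-9) for v in variances]

def _kl_diag(p, q):
    """KL(p || q) between two diagonal Gaussians given as (means, variances)."""
    total = 0.0
    for mp, vp, mq, vq in zip(p[0], p[1], q[0], q[1]):
        total += 0.5 * (math.log(vq / vp) + (vp + (mp - mq) ** 2) / vq - 1.0)
    return total

def family_distance(samples_a, samples_b):
    """Stand-in Distance: symmetric KL divergence between the fitted Gaussians."""
    ga, gb = fit_diag_gaussian(samples_a), fit_diag_gaussian(samples_b)
    return _kl_diag(ga, gb) + _kl_diag(gb, ga)

def build_fclasses(families, threshold):
    """Single-linkage merge: families closer than `threshold` share one FClass."""
    parent = {name: name for name in families}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for a, b in combinations(families, 2):
        if family_distance(families[a], families[b]) < threshold:
            parent[find(a)] = find(b)

    groups = {}
    for name in families:
        groups.setdefault(find(name), set()).add(name)
    return sorted((frozenset(g) for g in groups.values()), key=lambda g: sorted(g))

if __name__ == "__main__":
    for a, b in combinations(FAMILIES, 2):
        print(f"{a} <-> {b}: {family_distance(FAMILIES[a], FAMILIES[b]):.2f}")
    for fclass in build_fclasses(FAMILIES, threshold=2.0):
        print("FClass:", sorted(fclass))
```

With these constructed inputs the two banking families, whose flow statistics overlap heavily, land in one FClass while the ransomware family stays separate; the threshold is a tuning knob, and in practice it would be chosen from the distance distribution rather than fixed by hand.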

Highlights

  • The identification of encrypted malware traffic has been a research hotspot since the 1990s

  • The main method of detecting encrypted malware traffic is supervised learning based on features that are not affected by encryption, for example statistical features extracted from packets [5]

  • The main contributions of this paper are listed as follows: 1) We propose a distance-based method which could establish a framework for identifying multiple kinds of encrypted malware traffic

The associate editor coordinating the review of this manuscript and approving it for publication was Zhitao Guan.


Summary

Introduction

The identification of encrypted malware traffic has been a research hotspot since the 1990s. In its 2018 cybersecurity report, Cisco noted that its analysis of 400,000 malware samples found that, as of October 2017, about 70 percent of them communicated using encryption [1]. Common encryption methods, such as the SSL/TLS protocol, mainly encrypt the payload of network traffic. Identifying malware traffic requires both discovering the malware traffic and determining which type of malware generated it. This turns a binary problem into a multi-classification problem.
