Abstract

Spyware is a type of malware that attackers widely use to steal confidential information from users without their knowledge. It is characterized by high latency, high stealth, and high threat. Because spyware typically relies on trigger-based tactics to carry out its malicious behavior, traditional host-based and network-traffic-based detection methods struggle to detect it accurately and efficiently. To address this problem, this article focuses on the network behavior of spyware, analyzes the inducibility of spyware network traffic, and proposes a spyware network traffic detection method based on inducement operations (SNDMI). SNDMI applies inducement operations drawn from a constructed inducement operation set to make spyware generate more network traffic, which is then used for detection. SNDMI extracts three types of network traffic features (distributional, statistical, and trend features) and uses a genetic algorithm to select among them. Experimental results show that SNDMI with LightGBM achieves an accuracy of 98.98% and a false positive rate of 0.45% on the traffic of hundreds of benign and spyware samples.
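As an added illustration, not the paper's own code, the following computes the three feature families the abstract names (distributional, statistical, trend) plus a before/after inducement ratio over a constructed packet trace; the concrete feature definitions, the 30-second window, and the inducement time are assumptions, since the abstract does not specify them.

```python
from collections import Counter
from statistics import mean

# Constructed sample for one monitored host: (timestamp_s, length_bytes, dst_port).
# An inducement operation (e.g. opening a decoy document) is performed at t = 60;
# the burst after it is the kind of traffic SNDMI aims to provoke and detect.
PACKETS = [
    (1, 120, 443), (5, 98, 443), (30, 110, 443),
    (61, 1400, 8443), (62, 1400, 8443), (63, 1380, 8443),
    (64, 1420, 8443), (70, 1410, 8443), (75, 1390, 8443),
]
INDUCEMENT_T = 60

def distributional_features(pkts):
    """Spread of traffic over destination ports and packet sizes (assumed definition)."""
    ports = Counter(p for _, _, p in pkts)
    return {"distinct_ports": len(ports),
            "dominant_port_frac": ports.most_common(1)[0][1] / len(pkts),
            "large_pkt_frac": sum(1 for _, l, _ in pkts if l >= 1000) / len(pkts)}

def statistical_features(pkts):
    """Summary statistics of packet size and inter-arrival time (assumed definition)."""
    ts = [t for t, _, _ in pkts]
    return {"mean_len": mean(l for _, l, _ in pkts),
            "mean_iat": mean(b - a for a, b in zip(ts, ts[1:]))}

def trend_features(pkts, window=30):
    """Least-squares slope of bytes per fixed-size window: does volume ramp up over time?"""
    per_win = [0] * (max(t for t, _, _ in pkts) // window + 1)
    for t, l, _ in pkts:
        per_win[t // window] += l
    xs, xb, yb = range(len(per_win)), (len(per_win) - 1) / 2, mean(per_win)
    denom = sum((x - xb) ** 2 for x in xs)  # zero when the trace spans a single window
    slope = sum((x - xb) * (y - yb) for x, y in zip(xs, per_win)) / denom if denom else 0.0
    return {"bytes_per_window_slope": slope}

def inducement_ratio(pkts, t_induce):
    """Bytes sent after the inducement operation relative to bytes sent before it."""
    before = sum(l for t, l, _ in pkts if t < t_induce) or 1  # silent host: avoid divide by zero
    after = sum(l for t, l, _ in pkts if t >= t_induce)
    return {"induced_byte_ratio": after / before}

def extract_features(pkts, t_induce):
    """Merged feature vector of the kind a classifier such as LightGBM would consume."""
    feats = {}
    for part in (distributional_features(pkts), statistical_features(pkts),
                 trend_features(pkts), inducement_ratio(pkts, t_induce)):
        feats.update(part)
    return feats
```

Feature selection (the genetic algorithm) and the classifier are not shown; on real traces the host's own benign baseline traffic keeps the ratio and slope far smaller than in this constructed burst.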
