Abstract

Traditional malware detection methods based on static traffic characteristics and machine learning struggle to keep up with the growing number of APT malware variants. To alleviate this problem, this paper proposes a deep-learning-based malware classification approach that combines time-sequence features with association-rule features. The method uses two improved LSTM network structures, named RESNET_LSTM and PARALLEL_LSTM, to extract time-sequence features from the traffic of different protocols, and uses association analysis to generate quantized rule features. Finally, the time-sequence feature vector and the quantized rule vector are concatenated as the input to deep learning models that detect malware traffic. We evaluated the proposed approach on a dataset consisting of malicious traffic generated by 57 types of malware together with normal traffic. The experimental results show that the training loss of the PARALLEL_LSTM structure declines faster than that of the LSTM and RESNET_LSTM structures. With the RESNET_LSTM structure, prediction accuracy is close to 100%, slightly higher than that of the other two structures. The accuracies of all detection methods proposed in this paper are above 96%, whereas the accuracy of malware detection methods that combine static traffic characteristics with machine learning is about 85%.
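The abstract describes a two-branch input: a time-sequence feature vector per protocol, and a quantized association-rule vector, concatenated before the classifier. The following is an added illustration of that feature-construction step, not code from the paper; it mines single-consequent association rules from constructed per-flow attribute sets, quantizes each rule into a signed confidence value for a new flow, and concatenates the result with a per-protocol sequence summary. The attribute tokens, the packet-length sequences, the thresholds, and the choice to stand in for the LSTM branch with mean/standard-deviation/count summaries are all assumptions made for this example.

```python
from collections import defaultdict
from itertools import combinations
from statistics import mean, pstdev

# Constructed training "transactions": each flow is a set of discretized
# attribute tokens (hypothetical names, chosen for this example only).
TRAIN_FLOWS = [
    frozenset({"proto=http", "ua=rare", "beacon=periodic"}),
    frozenset({"proto=http", "ua=rare", "beacon=periodic"}),
    frozenset({"proto=dns", "qname=long", "beacon=periodic"}),
    frozenset({"proto=http", "ua=common", "beacon=none"}),
]


def mine_rules(transactions, min_support=0.5, min_confidence=0.8):
    """Apriori-style mining restricted to frequent 2-itemsets.

    Returns a sorted list of (antecedent, consequent, confidence) rules
    with a single item on each side, filtered by support and confidence.
    """
    n = len(transactions)
    item_count = defaultdict(int)
    pair_count = defaultdict(int)
    for t in transactions:
        for item in t:
            item_count[item] += 1
        for a, b in combinations(sorted(t), 2):
            pair_count[(a, b)] += 1

    rules = []
    for (a, b), count in pair_count.items():
        if count / n < min_support:
            continue
        for ante, cons in ((a, b), (b, a)):
            confidence = count / item_count[ante]
            if confidence >= min_confidence:
                rules.append((ante, cons, round(confidence, 3)))
    return sorted(rules)


def rule_features(flow_items, rules):
    """Quantize rules into a fixed-length vector for one flow (assumed scheme):
    +confidence if the flow satisfies the rule, -confidence if the antecedent
    is present but the consequent is missing, 0.0 if the rule does not apply.
    """
    vec = []
    for ante, cons, confidence in rules:
        if ante not in flow_items:
            vec.append(0.0)
        elif cons in flow_items:
            vec.append(confidence)
        else:
            vec.append(-confidence)
    return vec


def sequence_features(packet_lengths):
    """Stand-in for the LSTM branch: summary statistics of one protocol's
    packet-length sequence (mean, population std-dev, packet count)."""
    return [float(mean(packet_lengths)), float(pstdev(packet_lengths)),
            float(len(packet_lengths))]


def build_input_vector(per_proto_seqs, flow_items, rules):
    """Concatenate per-protocol sequence features (in sorted protocol order)
    with the quantized rule vector, mirroring the two-branch input."""
    vec = []
    for proto in sorted(per_proto_seqs):
        vec.extend(sequence_features(per_proto_seqs[proto]))
    vec.extend(rule_features(flow_items, rules))
    return vec


if __name__ == "__main__":
    rules = mine_rules(TRAIN_FLOWS)
    # Constructed test flow: rare user-agent but no periodic beaconing.
    test_items = frozenset({"proto=http", "ua=rare", "beacon=none"})
    test_seqs = {"http": [200, 200, 200], "dns": [60, 80]}
    print("rules:", rules)
    print("input vector:", build_input_vector(test_seqs, test_items, rules))
```

The signed quantization keeps rule violations visible to the downstream model rather than collapsing them to zero, which is the case a practitioner usually cares about when a flow only partially matches a known malicious pattern.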
