Incorporating known malware signatures to classify new malware variants in network traffic. (28th September 2015)
- Record Type:
- Journal Article
- Title:
- Incorporating known malware signatures to classify new malware variants in network traffic. (28th September 2015)
- Main Title:
- Incorporating known malware signatures to classify new malware variants in network traffic
- Authors:
- Ismail, Ismahani
Marsono, Muhammad Nadzir
Khammas, Ban Mohammed
Nor, Sulaiman Mohd
- Abstract:
- Summary: Content-based malware classification techniques using n-gram features require high computational overhead because of the size of the feature space. This paper proposes augmenting machine learning techniques with domain knowledge in the form of known Snort malware signatures to reduce resources (in terms of the time to generate the machine learning model and the memory used to store the generative model). Although current malware can be encrypted or mutated, it still exhibits the same prevalent contents or payloads as its predecessors. Using a dataset of traffic captured from a campus network, our approach reduces the initially generated million n-gram features to only around 90,000, which significantly reduces the processing time to generate the naive Bayes model, by 95%. The model trained on the most descriptive features (4-gram Snort signatures with high information gain) produces a lower false negative rate, about 2%, compared with other models. Moreover, the proposed method is capable of detecting 10 new malware variants with 0% false negatives. The findings from this paper can be the basis for improving content-based malware classification to detect known and new malware. Copyright © 2015 John Wiley & Sons, Ltd.
Abstract: In this work, we propose a method to address the computational overhead issue and detect new malware variants using a content-based classification technique. We use known malware signatures from an open-access database (Snort) to train more descriptive features and minimize the computational time when generating the model. Using an available dataset of captured traffic, our method can significantly reduce the processing time to generate the naive Bayes model by 95% and is also capable of detecting 10 new malware variants with 0% false negatives.
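The pipeline the abstract describes (byte n-grams from payloads, the candidate feature space cut down to n-grams that occur in known signature content, information gain to keep the most descriptive of those, then a naive Bayes model) can be demonstrated end to end on constructed data. The block below is an added example written for this record, not the authors' code or data: the "signatures" are invented stand-ins for Snort rule content fields, not real Snort rules, the payloads and the "new variants" are constructed, and the Bernoulli (presence/absence) form of naive Bayes with Laplace smoothing is an assumption, since the abstract does not say which naive Bayes variant was used. The n-gram length 4 follows the abstract; the cut-off k=9 is chosen for the toy data.

```python
"""Signature-guided n-gram feature selection + naive Bayes. Added example, not
the paper's code; every signature and payload below is constructed toy data."""
import math
from collections import Counter

N = 4  # n-gram length; the abstract reports 4-gram signature features as most descriptive

# Constructed stand-ins for the content strings of known Snort rules (NOT real rules).
KNOWN_SIGNATURES = [b"cmd.exe", b"beacon=1", b"GET /evil.php"]

# Constructed toy payloads: (bytes, label) with 1 = malware, 0 = benign.
TRAIN = [
    (b"GET /index.html HTTP/1.1\r\nHost: www.example.org", 0),
    (b"GET /images/logo.png HTTP/1.1", 0),
    (b"GET /css/site.css HTTP/1.1", 0),
    (b"POST /login user=bob&pass=hunter2", 0),
    (b"HELO mail.example.org", 0),
    (b'PUT /api/v1/items {"qty": 3}', 0),
    (b"exec cmd.exe /c dir", 1),
    (b"start cmd.exe /c net user", 1),
    (b"spawn cmd.exe /q /c whoami", 1),
    (b"POST /c2 beacon=1&id=7", 1),
    (b"POST /gate beacon=1&h=abc", 1),
    (b"GET /ping?beacon=1&t=44 HTTP/1.1", 1),
    (b"GET /evil.php?x=1 HTTP/1.1", 1),
    (b"GET /evil.php?id=2 HTTP/1.1", 1),
]
# Constructed "new variants": mutated around the signature content, unseen in training.
NEW_VARIANTS = [
    (b"run cmd.exe /k whoami", 1),
    (b"POST /upd beacon=1&cid=9", 1),
    (b"GET /about.html HTTP/1.1", 0),
]


def ngrams(data, n=N):
    """Set of byte n-grams in a payload (presence only, as a Bernoulli model needs)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def feature_space(payloads, n=N):
    """Union of n-grams over a list of byte strings."""
    feats = set()
    for p in payloads:
        feats |= ngrams(p, n)
    return feats


def entropy(labels):
    total = len(labels)
    return -sum(c / total * math.log2(c / total) for c in Counter(labels).values())


def information_gain(gram_sets, feature):
    """IG of the binary split 'feature present / absent' over (gram_set, label) rows."""
    labels = [y for _, y in gram_sets]
    present = [y for g, y in gram_sets if feature in g]
    absent = [y for g, y in gram_sets if feature not in g]
    gain = entropy(labels)
    for part in (present, absent):
        if part:
            gain -= len(part) / len(labels) * entropy(part)
    return gain


def select_features(samples, candidates, k, n=N):
    """Keep the k candidate n-grams with highest IG; candidates are pre-sorted so ties
    break deterministically (Python's sort is stable, also with reverse=True)."""
    gram_sets = [(ngrams(p, n), y) for p, y in samples]
    ranked = sorted(sorted(candidates), key=lambda f: information_gain(gram_sets, f), reverse=True)
    return ranked[:k]


class BernoulliNB:
    """Naive Bayes over binary n-gram presence features with Laplace smoothing."""

    def __init__(self, features, n=N):
        self.features, self.n = list(features), n
        self.prior, self.cond = {}, {}

    def fit(self, samples):
        for c in sorted({y for _, y in samples}):
            rows = [ngrams(p, self.n) for p, y in samples if y == c]
            self.prior[c] = len(rows) / len(samples)
            for f in self.features:
                hits = sum(1 for r in rows if f in r)
                self.cond[(f, c)] = (hits + 1) / (len(rows) + 2)  # P(f present | c)
        return self

    def predict(self, payload):
        grams = ngrams(payload, self.n)
        scores = {}
        for c, prior in self.prior.items():
            lp = math.log(prior)
            for f in self.features:
                p = self.cond[(f, c)]
                lp += math.log(p if f in grams else 1 - p)
            scores[c] = lp
        return max(scores, key=scores.get)


def run_example(k=9):
    all_feats = feature_space([p for p, _ in TRAIN])     # the full n-gram space
    sig_feats = feature_space(KNOWN_SIGNATURES)          # domain knowledge prunes it
    selected = select_features(TRAIN, sig_feats, k)      # IG keeps the most descriptive
    model = BernoulliNB(selected).fit(TRAIN)
    preds = [(model.predict(p), y) for p, y in NEW_VARIANTS]
    return {
        "all_features": len(all_feats),
        "signature_features": len(sig_feats),
        "selected": selected,
        "false_negatives": sum(1 for pred, y in preds if y == 1 and pred == 0),
        "predictions": [pred for pred, _ in preds],
    }


if __name__ == "__main__":
    print(run_example())
```

Two things to notice when running it. First, the signature-derived n-grams that also occur in benign traffic (here `GET ` and `ET /`) get near-zero information gain and fall out of the model, which is the point of ranking by IG rather than taking every signature n-gram. Second, with k=9 only the two signature families that appear in three training samples each survive the cut; an unseen variant of the `evil.php` family, whose n-grams scored lower because it has only two training samples, would not be detected at this k. The cut-off trades model size against coverage of rarer families, and should be checked against held-out variants rather than fixed blindly.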
- Is Part Of:
- International journal of network management. Volume 25:Number 6(2015:Nov./Dec.)
- Journal:
- International journal of network management
- Issue:
- Volume 25:Number 6(2015:Nov./Dec.)
- Issue Display:
- Volume 25, Issue 6 (2015)
- Year:
- 2015
- Volume:
- 25
- Issue:
- 6
- Issue Sort Value:
- 2015-0025-0006-0000
- Page Start:
- 471
- Page End:
- 489
- Publication Date:
- 2015-09-28
- Subjects:
- malware detection -- new malware variants -- content‐based classification -- feature selection -- domain knowledge -- network security
Computer networks -- Management -- Periodicals
004.6
- Journal URLs:
- http://onlinelibrary.wiley.com/journal/10.1002/(ISSN)1099-1190
http://onlinelibrary.wiley.com/
- DOI:
- 10.1002/nem.1913
- Languages:
- English
- ISSNs:
- 1055-7148
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 4542.373300
British Library DSC - BLDSS-3PM
British Library STI - ELD Digital store
- Ingest File:
- 1156.xml