UCL Discovery

What's your major threat? On the differences between the network behavior of targeted and commodity malware

Mariconti, E; Onaolapo, J; Ross, G; Stringhini, G; (2016) What's your major threat? On the differences between the network behavior of targeted and commodity malware. In: Proceedings of the 2016 11th International Conference on Availability, Reliability and Security (ARES). (pp. 599-608). IEEE: Salzburg, Austria. Green open access


Abstract

This work uses statistical classification techniques to learn about the different network behavior patterns demonstrated by targeted malware and generic malware. Targeted malware is a recent type of threat, involving bespoke software that has been created to target a specific victim. It is considered a more dangerous threat than generic malware, because a targeted attack can cause more serious damage to the victim. Our work aims to automatically distinguish between the network activity generated by the two types of malware, which then allows samples of malware to be classified as being either targeted or generic. For a network administrator, such knowledge can be important because it helps them understand which threats require particular attention. Because a network administrator usually manages more than one alarm simultaneously, the aim of the work is particularly relevant. We set up a sandbox and infected virtual machines with malware, recording all resulting malware activity on the network. Using the network packets produced by the malware samples, we extract features to classify their behavior. Before performing classification, we carefully analyze the features and the dataset to study all their details and gain a deeper understanding of the malware under study. Our use of statistical classifiers is shown to give excellent results in some cases, where we achieved an accuracy of almost 96% in distinguishing between the two types of malware. We can conclude that the network behaviors of the two types of malicious code are very different.

Type: Proceedings paper
Title: What's your major threat? On the differences between the network behavior of targeted and commodity malware
Event: 2016 11th International Conference on Availability, Reliability and Security (ARES)
Location: Salzburg, AUSTRIA
Dates: 31 August 2016 - 02 September 2016
Open access status: An open access version is available from UCL Discovery
DOI: 10.1109/ARES.2016.36
Publisher version: https://doi.org/10.1109/ARES.2016.36
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
Keywords: Malware, Feature extraction, Ports (Computers), Cryptography, Virtual environments, IP networks, K-NN, Network Security, Targeted attacks, Random Forests
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences > Dept of Statistical Science
URI: https://discovery.ucl.ac.uk/id/eprint/1500918
Downloads since deposit: 134