Mariconti, E;
Onaolapo, J;
Ross, G;
Stringhini, G;
(2016)
What's your major threat? On the differences between the network behavior of targeted and commodity malware.
In:
Proceedings of the 2016 11th International Conference on Availability, Reliability and Security (ARES).
(pp. pp. 599-608).
IEEE: Salzburg, Austria.
Preview |
Text
paper.pdf - Accepted Version Download (218kB) | Preview |
Abstract
This work uses statistical classification techniques to learn about the different network behavior patterns demonstrated by targeted malware and generic malware. Targeted malware is a recent type of threat, involving bespoke software that has been created to target a specific victim. It is considered a more dangerous threat than generic malware, because a targeted attack can cause more serious damage to the victim. Our work aims to automatically distinguish between the network activity generated by the two types of malware, which then allows samples of malware to be classified as being either targeted or generic. For a network administrator, such knowledge can be important because it assists to understand which threats require particular attention. Because a network administrator usually manages more than an alarm simultaneously, the aim of the work is particularly relevant. We set up a sandbox and infected virtual machines with malware, recording all resulting malware activity on the network. Using the network packets produced by the malware samples, we extract features to classify their behavior. Before performing classification, we carefully analyze the features and the dataset to study all their details and gain a deeper understanding of the malware under study. Our use of statistical classifiers is shown to give excellent results in some cases, where we achieved an accuracy of almost 96% in distinguishing between the two types of malware. We can conclude that the network behaviors of the two types of malicious code are very different.
| Type: | Proceedings paper |
|---|---|
| Title: | What's your major threat? On the differences between the network behavior of targeted and commodity malware |
| Event: | 2016 11th International Conference on Availability, Reliability and Security (ARES) |
| Location: | Salzburg, AUSTRIA |
| Dates: | 31 August 2016 - 02 September 2016 |
| Open access status: | An open access version is available from UCL Discovery |
| DOI: | 10.1109/ARES.2016.36 |
| Publisher version: | https://doi.org/10.1109/ARES.2016.36 |
| Language: | English |
| Additional information: | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
| Keywords: | Malware, Feature extraction, Ports (Computers), Cryptography, Virtual environments, IP networks, K-NN, Network Security, Malware, Targeted attacks, Random Forests |
| UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences > Dept of Statistical Science |
| URI: | https://discovery.ucl.ac.uk/id/eprint/1500918 |
Archive Staff Only
 |
View Item |
