Statistical network behavior based threat detection

2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) Pub Date : 2017-05-01 DOI:10.1109/INFCOMW.2017.8116413

Jin Cao, L. Drabeck, Ran He

{"title":"Statistical network behavior based threat detection","authors":"Jin Cao, L. Drabeck, Ran He","doi":"10.1109/INFCOMW.2017.8116413","DOIUrl":null,"url":null,"abstract":"Malware, short for malicious software, contuses to morph and change. Traditional anti-virus software may have problems detecting malicious software that have not been seen before. By employing machine learning techniques, one can learn the general behavior patterns of different threat types and use these to detect variants of unknown threats. We have developed a malware detection system based on machine learning that uses features derived from a user's network flows to external hosts. A novel aspect of our technique is to separate hosts into different groups by how common they are visited by the users and then develop user features separately for each of these host groups. The network data for the training of the detector is based on malware samples that have been run in a sandbox and normal users' traffic that is collected from an LTE wireless network provider. Specifically, we use the Adaboost algorithm as the classification engine and obtain a good performance of 0.78% false alarm rate and 96.5% accuracy for detecting users infected with malwares. We also provide high and low confidence regions for our system based on subclasses of threats.","PeriodicalId":306731,"journal":{"name":"2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","volume":"61 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2017-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/INFCOMW.2017.8116413","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

Abstract

Malware, short for malicious software, contuses to morph and change. Traditional anti-virus software may have problems detecting malicious software that have not been seen before. By employing machine learning techniques, one can learn the general behavior patterns of different threat types and use these to detect variants of unknown threats. We have developed a malware detection system based on machine learning that uses features derived from a user's network flows to external hosts. A novel aspect of our technique is to separate hosts into different groups by how common they are visited by the users and then develop user features separately for each of these host groups. The network data for the training of the detector is based on malware samples that have been run in a sandbox and normal users' traffic that is collected from an LTE wireless network provider. Specifically, we use the Adaboost algorithm as the classification engine and obtain a good performance of 0.78% false alarm rate and 96.5% accuracy for detecting users infected with malwares. We also provide high and low confidence regions for our system based on subclasses of threats.

查看原文本刊更多论文

基于威胁检测的统计网络行为

恶意软件(Malware)是恶意软件的简称，它容易变形和改变。传统的杀毒软件在检测以前从未见过的恶意软件时可能存在问题。通过使用机器学习技术，人们可以学习不同威胁类型的一般行为模式，并使用这些模式来检测未知威胁的变体。我们开发了一种基于机器学习的恶意软件检测系统，该系统使用从用户网络流向外部主机的特征。我们技术的一个新颖方面是，根据用户访问主机的频率将主机分成不同的组，然后为每个主机组分别开发用户功能。用于训练检测器的网络数据是基于在沙箱中运行的恶意软件样本和从LTE无线网络提供商收集的正常用户流量。具体来说，我们使用Adaboost算法作为分类引擎，在检测感染恶意软件的用户时，获得了0.78%的虚警率和96.5%的准确率的良好性能。我们还根据威胁子类为我们的系统提供了高置信度和低置信度区域。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2017 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS)

自引率

0.00%

发文量