MVDet: Encrypted malware traffic detection via multi-view analysis

IF 0.9 Q4 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Computer Security Pub Date : 2024-02-12 DOI:10.3233/jcs-230024

Susu Cui, Xueying Han, Cong Dong, Yun Li, Song Liu, Zhigang Lu, Yuling Liu

{"title":"MVDet: Encrypted malware traffic detection via multi-view analysis","authors":"Susu Cui, Xueying Han, Cong Dong, Yun Li, Song Liu, Zhigang Lu, Yuling Liu","doi":"10.3233/jcs-230024","DOIUrl":null,"url":null,"abstract":"Detecting encrypted malware traffic promptly to halt the further propagation of an attack is critical. Currently, machine learning becomes a key technique for extracting encrypted malware traffic patterns. However, due to the dynamic nature of network environments and the frequent updates of malware, current methods face the challenges of detecting unknown malware traffic in open-world environment. To address the issue, we introduce MVDet, a novel method that employs machine learning to mine the behavioral features of malware traffic based on multi-view analysis. Unlike traditional methods, MVDet innovatively characterizes the behavioral features of malware traffic at 4-tuple flows from four views: statistical view, DNS view, TLS view, and business view, which is a more stable feature representation capable of handling complex network environments and malware updates. Additionally, we achieve a short-time behavioral features construction, significantly reducing the time cost for feature extraction and malware detection. As a result, we can detect malware behavior at an early stage promptly. Our evaluation demonstrates that MVDet can detect a wide variety of known malware traffic and exhibits efficient and robust detection in both open-world and unknown malware scenarios. MVDet outperforms state-of-the-art methods in closed-world known malware detection, open-world known malware detection, and open-world unknown malware detection.","PeriodicalId":46074,"journal":{"name":"Journal of Computer Security","volume":null,"pages":null},"PeriodicalIF":0.9000,"publicationDate":"2024-02-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Computer Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3233/jcs-230024","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Detecting encrypted malware traffic promptly to halt the further propagation of an attack is critical. Currently, machine learning becomes a key technique for extracting encrypted malware traffic patterns. However, due to the dynamic nature of network environments and the frequent updates of malware, current methods face the challenges of detecting unknown malware traffic in open-world environment. To address the issue, we introduce MVDet, a novel method that employs machine learning to mine the behavioral features of malware traffic based on multi-view analysis. Unlike traditional methods, MVDet innovatively characterizes the behavioral features of malware traffic at 4-tuple flows from four views: statistical view, DNS view, TLS view, and business view, which is a more stable feature representation capable of handling complex network environments and malware updates. Additionally, we achieve a short-time behavioral features construction, significantly reducing the time cost for feature extraction and malware detection. As a result, we can detect malware behavior at an early stage promptly. Our evaluation demonstrates that MVDet can detect a wide variety of known malware traffic and exhibits efficient and robust detection in both open-world and unknown malware scenarios. MVDet outperforms state-of-the-art methods in closed-world known malware detection, open-world known malware detection, and open-world unknown malware detection.

查看原文本刊更多论文

MVDet：通过多视角分析进行加密恶意软件流量检测

及时检测加密恶意软件流量以阻止攻击的进一步传播至关重要。目前，机器学习已成为提取加密恶意软件流量模式的关键技术。然而，由于网络环境的动态性和恶意软件的频繁更新，目前的方法面临着在开放世界环境中检测未知恶意软件流量的挑战。为了解决这个问题，我们引入了 MVDet，这是一种基于多视角分析、利用机器学习挖掘恶意软件流量行为特征的新方法。与传统方法不同的是，MVDet 创新性地从统计视图、DNS 视图、TLS 视图和业务视图这四个视图来描述恶意软件流量在 4 元组流中的行为特征，这是一种更稳定的特征表示，能够处理复杂的网络环境和恶意软件更新。此外，我们还实现了短时间行为特征构建，大大降低了特征提取和恶意软件检测的时间成本。因此，我们可以在早期阶段及时发现恶意软件行为。我们的评估表明，MVDet 可以检测到各种已知的恶意软件流量，并在开放世界和未知恶意软件场景中表现出高效、稳健的检测能力。MVDet 在封闭世界已知恶意软件检测、开放世界已知恶意软件检测和开放世界未知恶意软件检测方面都优于最先进的方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Computer Security COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

1.70

自引率

0.00%

发文量

期刊介绍： The Journal of Computer Security presents research and development results of lasting significance in the theory, design, implementation, analysis, and application of secure computer systems and networks. It will also provide a forum for ideas about the meaning and implications of security and privacy, particularly those with important consequences for the technical community. The Journal provides an opportunity to publish articles of greater depth and length than is possible in the proceedings of various existing conferences, while addressing an audience of researchers in computer security who can be assumed to have a more specialized background than the readership of other archival publications.