A malware traffic detection method based on Victim-Attacker interaction patterns

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-04-08 DOI:10.1016/j.cose.2025.104487

Yanze Qu , Hailong Ma , Chaofan Zheng , Yiming Jiang , Wenbo Wang

{"title":"A malware traffic detection method based on Victim-Attacker interaction patterns","authors":"Yanze Qu , Hailong Ma , Chaofan Zheng , Yiming Jiang , Wenbo Wang","doi":"10.1016/j.cose.2025.104487","DOIUrl":null,"url":null,"abstract":"<div><div>The widespread adoption of encryption protocols has provided benefits for personal privacy, while also offering cover for the command and control (C&C) communication of malware such as Trojans, presenting significant challenges to existing network monitoring systems. Existing methods exhibit limited capacity to discern threats across network flows, while neglecting the prevalent packet loss phenomenon in real-world network environments. This paper proposes a malware traffic detection method based on the interaction patterns between compromised hosts and C&C servers. With a novel detection unit called channel unit representing interaction patterns, compared to existing methods, our proposed method is capable of discerning threats across network flows and is more resilient to packet loss. Evaluation experiments show that our method has superior detection performance in both binary and multi-class classification scenarios, achieving accuracy rates of 99.84 % and 96.08 % respectively. In terms of packet loss tolerance, compared with existing methods, our method exhibits the minimal performance degradation under a 20 % packet loss rate, maintaining a multi-classification accuracy of 99.63 % and a binary classification accuracy of 95.72 %.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"155 ","pages":"Article 104487"},"PeriodicalIF":4.8000,"publicationDate":"2025-04-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001750","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The widespread adoption of encryption protocols has provided benefits for personal privacy, while also offering cover for the command and control (C&C) communication of malware such as Trojans, presenting significant challenges to existing network monitoring systems. Existing methods exhibit limited capacity to discern threats across network flows, while neglecting the prevalent packet loss phenomenon in real-world network environments. This paper proposes a malware traffic detection method based on the interaction patterns between compromised hosts and C&C servers. With a novel detection unit called channel unit representing interaction patterns, compared to existing methods, our proposed method is capable of discerning threats across network flows and is more resilient to packet loss. Evaluation experiments show that our method has superior detection performance in both binary and multi-class classification scenarios, achieving accuracy rates of 99.84 % and 96.08 % respectively. In terms of packet loss tolerance, compared with existing methods, our method exhibits the minimal performance degradation under a 20 % packet loss rate, maintaining a multi-classification accuracy of 99.63 % and a binary classification accuracy of 95.72 %.

查看原文本刊更多论文

基于受害者-攻击者交互模式的恶意软件流量检测方法

加密协议的广泛采用为个人隐私提供了好处，同时也为特洛伊木马等恶意软件的指挥和控制（C&；C）通信提供了掩护，对现有的网络监控系统提出了重大挑战。现有的方法在识别跨网络流的威胁方面表现出有限的能力，同时忽略了现实网络环境中普遍存在的丢包现象。本文提出了一种基于被入侵主机与C&；C服务器交互模式的恶意流量检测方法。与现有方法相比，我们提出的方法采用了一种新颖的检测单元信道单元，表示交互模式，能够识别跨网络流的威胁，并且对丢包更具弹性。评估实验表明，我们的方法在二分类和多分类场景下都具有优异的检测性能，准确率分别达到99.84%和96.08%。在丢包容忍度方面，与现有方法相比，该方法在丢包率为20%时性能下降最小，多重分类准确率为99.63%，二值分类准确率为95.72%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.