TY - GEN
T1 - BotDetector
T2 - 2017 IEEE International Conference on Communications, ICC 2017
AU - Mizuno, Sho
AU - Hatada, Mitsuhiro
AU - Mori, Tatsuya
AU - Goto, Shigeki
N1 - Funding Information:
We thank Mr. Tatsuaki Kimura for his valuable comments on the automatic template generation algorithm. A part of this work was supported by JSPS Grant-in-Aid for Scientific Research B, Grant Number JP16H02832.
Publisher Copyright:
© 2017 IEEE.
PY - 2017/7/28
Y1 - 2017/7/28
N2 - Damage caused by malware is a serious problem that needs to be addressed. The recent rise in the spread of evasive malware has made it difficult to detect at pre-infection time. Malware detection at post-infection time is a promising approach that fills this gap. Given this background, this work aims to identify likely malware-infected devices from measurements of Internet traffic. The advantage of the traffic-measurement-based approach is that it enables us to monitor a large number of clients. If we find that a client is a source of malicious traffic, the client is likely a malware-infected device. Since the majority of malware today uses the web as a means to communicate with C&C servers that reside on the external network, we leverage information recorded in HTTP headers to discriminate between malicious and legitimate traffic. To make our approach scalable and robust, we develop an automatic template generation scheme that drastically reduces the amount of information to be kept while achieving high classification accuracy; since it does not make use of any domain knowledge, the approach should be robust against changes in malware. We apply several classifiers, including machine learning algorithms, to the extracted templates and classify traffic into two categories: malicious and legitimate. Our extensive experiments demonstrate that our approach discriminates between malicious and legitimate traffic with up to 97.1% precision while keeping the false positive rate below 1.0%.
AB - Damage caused by malware is a serious problem that needs to be addressed. The recent rise in the spread of evasive malware has made it difficult to detect at pre-infection time. Malware detection at post-infection time is a promising approach that fills this gap. Given this background, this work aims to identify likely malware-infected devices from measurements of Internet traffic. The advantage of the traffic-measurement-based approach is that it enables us to monitor a large number of clients. If we find that a client is a source of malicious traffic, the client is likely a malware-infected device. Since the majority of malware today uses the web as a means to communicate with C&C servers that reside on the external network, we leverage information recorded in HTTP headers to discriminate between malicious and legitimate traffic. To make our approach scalable and robust, we develop an automatic template generation scheme that drastically reduces the amount of information to be kept while achieving high classification accuracy; since it does not make use of any domain knowledge, the approach should be robust against changes in malware. We apply several classifiers, including machine learning algorithms, to the extracted templates and classify traffic into two categories: malicious and legitimate. Our extensive experiments demonstrate that our approach discriminates between malicious and legitimate traffic with up to 97.1% precision while keeping the false positive rate below 1.0%.
UR - http://www.scopus.com/inward/record.url?scp=85028359847&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85028359847&partnerID=8YFLogxK
U2 - 10.1109/ICC.2017.7997372
DO - 10.1109/ICC.2017.7997372
M3 - Conference contribution
AN - SCOPUS:85028359847
T3 - IEEE International Conference on Communications
BT - 2017 IEEE International Conference on Communications, ICC 2017
A2 - Debbah, Merouane
A2 - Gesbert, David
A2 - Mellouk, Abdelhamid
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 21 May 2017 through 25 May 2017
ER -