The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups

공격그룹 분류 및 예측을 위한 네트워크 행위기반 악성코드 분류에 관한 연구

  • Received : 2016.11.11
  • Accepted : 2016.12.06
  • Published : 2017.01.31
Download PDF
⟨ Previous Next ⟩

Abstract

The security of Internet systems critically depends on the capability to keep anti-virus (AV) software up-to-date and maintain high detection accuracy against new malware. However, malware variants evolve so quickly they cannot be detected by conventional signature-based detection. In this paper, we proposed a malware classification method based on sequence patterns generated from the network flow of malware samples. We evaluated our method with 766 malware samples and obtained a classification accuracy of approximately 40.4%. In this study, malicious codes were classified only by network behavior of malicious codes, excluding codes and other characteristics. Therefore, this study is expected to be further developed in the future. Also, we can predict the attack groups and additional attacks can be prevented.

인터넷 시스템의 보안은 백신을 최신으로 업데이트하고, 신종 악성코드를 탐지해 내는 능력에 달려있다. 하지만, 급변하는 인터넷 환경과 더불어, 악성코드는 끊임없이 변종을 만들어내고 더욱 지능적으로 진화하고 있어 현재 운용중인 시그니쳐 기반 탐지체계로 탐지되지 않는다. 따라서, 본 연구에서는 악성코드의 네트워크 행위 패턴을 추출하여 DNA 서열 유사도를 비교하여 활용하는 유사 시퀀스 정렬 알고리즘을 적용하여 악성코드를 분류하는 기법을 제안한다. 제안한 기법을 실제 네트워크에서 수집된 악성코드 샘플 766개에 적용하여 유사도를 비교한 결과 40.4%의 정확도를 얻었다. 이는 코드나 다른 특성을 배제하고 악성코드의 네트워크 행위만으로 분류했다는 점을 미루어 볼 때 앞으로 더 발전 가능성이 있을 것으로 기대된다. 또한 이를 통해 공격그룹을 예측하거나 추가적인 공격을 예방할 수 있다.

Keywords

References

  1. McAfee, Mcafee labs threats report, Nov. 2014.
  2. K. Rieck, et al., "Learning and classification of malware behavior," DIMVA '08, pp. 108-125, Paris, France, Jul. 2008.
  3. M. Bailey, et al., "Automated classification and analysis of internet malware," Recent advances in Intrusion Detection, vol. 4637, pp. 178-197, 2007.
  4. S. Cesare and Y. Xiang, "Malware variant detection using similarity search over sets of control flow graphs," IEEE TrustCom, pp. 181-189, 2011.
  5. J. Kinable and O. Kostakis, "Malware classification based on call graph clustering," J. Comput. Virol., vol. 7, no. 4, pp. 233-245, 2011. https://doi.org/10.1007/s11416-011-0151-y
  6. M. K. Shankarapani, et al., "Malware detection using assembly and API call sequences," J. Comput. Virol., vol. 7, no. 2, pp. 107-119, 2011. https://doi.org/10.1007/s11416-010-0141-5
  7. K. Iwamoto and K. Wasaki, "Malware classification based on extracted api sequences using static analysis," in Proc. AINTEC '12, pp. 31-38, Bangkok, Thailand, Nov. 2012.
  8. K.-H. Kim and M.-J. Choi, "Linear SVM-Based android malware detection and feature selection for performance improvement," J. KICS, vol. 39, no. 8, pp. 738-745, Aug. 2014.
  9. H.-H. Kim and M.-J. Choi, "Android malware detection using auto-regressive moving-average model," J. KICS, vol. 40, no. 8, pp. 1551-1559, Aug. 2015. https://doi.org/10.7840/kics.2015.40.8.1551
  10. U. Bayer, et al., "Scalable, Behavior-Based malware clustering," NDSS Symp., vol. 9, 2009.
  11. I. K. Cho, et al., "Malware similarity analysis using API sequence alignments," JISIS, vol. 4, no. 4, pp. 103-114, 2014.
  12. G. Berger-Sabbatel and A. Duda, "Classification of malware network activity," Multimedia Commun., Services and Security, vol. 287, pp. 24-35, 2012.
  13. N. Stakhanova, M. Couture, and Ali A. Ghorbani, "Exploring network-based malware classification," IEEE MALWARE, Oct. 2011.
  14. R. Perdisci, W. Lee, and N. Feamster, "Behavioral clustering of HTTP-Based malware and signature generation using malicious network traces," NSDI Proc. 7th USENIX Conf. Netw. Syst. Design and Implementation, p. 26, San Jose, California, Apr. 2010.
  15. M. Z. Rafique, et al., "Evolutionary algorithms for classification of malware families through different network behaviors," GECCO '14, pp. 1167-1174, Vancouver, Canada, Jul. 2014.
  16. I. Ahmed and K. Lhee, "Classification of packet contents for malware detection," J. Comput. Virol., vol. 7, no. 4, pp. 279-295, 2011. https://doi.org/10.1007/s11416-011-0156-6
  17. S. Nari and Ali A. Ghorbani, "Automated malware classification based on network behavior," IEEE ICNC, pp. 642-647, 2013.
  18. Y. Jung and M. Park, "Network defense mechanism based on isolated networks," J. KICS, vol. 41, no. 9, pp. 1103-1107, Sept. 2016. https://doi.org/10.7840/kics.2016.41.9.1103
  19. S. Coull, et al., "Intrusion detection: A bioinformatics approach," in Proc. IEEE Annu. Comput. Security Appl. Conf., 2004.
  20. Scott E. Coull and Boleslaw K. Szymanski, "Sequence alignment for masquerade detection," J. Computational Statistics & Data Anal., vol. 52, no. 8, pp. 4116-4131, Apr. 2008. https://doi.org/10.1016/j.csda.2008.01.022
  21. M. K. Shankarapani, et al., "Malware detection using assembly and API call sequences," J. Comput. Virol., vol. 7, no. 2, pp. 107-119, 2011. https://doi.org/10.1007/s11416-010-0141-5
  22. J. Pedersen, et al., "Fingerprinting malware using bioinformatics tools building a classifier for the zeus virus," in Proc. Int. Conf. Security and Management (SAM), Jan. 2013.
  23. Saul B. Needleman and Christian D. Wunsch, "A general method applicable to the search for similarities in the amino acid sequence of two proteins," J. molecular biology, vol. 48, no.3, pp. 443-453, Mar. 1970. https://doi.org/10.1016/0022-2836(70)90057-4
  24. T. F. Smith and M. S. Waterman, "Identification of common molecular subsequences," J. Molecular Biology, vol. 147, no. 1, pp. 195-197, Mar. 1981. https://doi.org/10.1016/0022-2836(81)90087-5
  25. J. Erman, M. Arlitt, and A. Mahanti, "Traffic classification using clustering algorithms," in Proc. MineNet '06 ACM, pp. 281-286, Pisa, Italy, Sept. 2006.

Cited by

  1. 광범위한 단말 정보 식별을 위한 스캔 모델링 및 성능 분석 vol.42, pp.4, 2017, https://doi.org/10.7840/kics.2017.42.4.785
  2. Endpoint에 적용 가능한 정적 feature 기반 고속의 사이버 침투공격 분석기술 연구 vol.19, pp.5, 2017, https://doi.org/10.7472/jksii.2018.19.5.21