Vol.60, No.2, 2019, pp.721-739, doi:10.32604/cmc.2019.05610
OPEN ACCESS
ARTICLE
MalDetect: A Structure of Encrypted Malware Traffic Detection
Jiyuan Liu¹, Yingzhi Zeng², Jiangyong Shi², Yuexiang Yang²,*, Rui Wang³, Liangzhong He⁴
¹ Student of College of Computer, National University of Defense Technology, Hunan, China.
² Faculty of College of Computer, National University of Defense Technology, Hunan, China.
³ CEO of AppBugs Inc, USA.
⁴ Faculty of China Mobile (Su Zhou) Software Technology Co., Ltd.
* Corresponding Author: Yuexiang Yang. Email: .
Abstract
Recently, the TLS protocol has been widely used to secure the application data carried in network traffic, which makes it more difficult for attackers to decipher messages by capturing the traffic generated by communication between hosts. On the other hand, malware also adopts TLS when accessing the internet, which renders most malware traffic detection methods, such as DPI (Deep Packet Inspection), ineffective. Some studies take a statistical approach, extracting the observable data fields exposed in TLS connections to train machine learning classifiers that infer whether a traffic flow is malware or not. However, most of them adopt features based on the complete flow, such as flow duration, and seldom consider that the detection result should be delivered as soon as possible. In this paper, we propose MalDetect, a structure of encrypted malware traffic detection. MalDetect extracts features only from approximately 8 packets (the number varies between flows) at the beginning of each traffic flow, which makes it capable of detecting malware traffic before the malware's behavior has practical impact. In addition, observing that it is inefficient and time-consuming to re-train an offline classifier when new flow samples arrive, we deploy Online Random Forest in MalDetect. This enables the classifier to update its parameters in online mode and eliminates the re-training process. MalDetect is written in C++ and is openly available on GitHub. Furthermore, MalDetect is thoroughly evaluated from three aspects: effectiveness, timeliness and performance.
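The early-decision idea in the abstract, sketched as an added example (not MalDetect's code and not taken from the paper): a per-flow extractor that emits a feature vector once the cutoff packet arrives and ignores everything after it. The fixed cutoff of 8, the feature names, the packet tuple layout and the sample flow are all assumptions, since the abstract does not list the features used.

```python
EARLY_PACKETS = 8  # assumption: fixed cutoff standing in for "approximately 8 packets"

class EarlyFlowFeatures:
    """Keeps only the first `limit` packets of each flow and emits features once."""

    def __init__(self, limit=EARLY_PACKETS):
        self.limit = limit
        self.pending = {}     # flow key -> [(ts_ms, outbound, length), ...]
        self.decided = set()  # flows already handed to the classifier

    def on_packet(self, key, ts_ms, outbound, length):
        """Return a feature dict when the cutoff is reached, otherwise None."""
        if key in self.decided:
            return None  # later packets are never buffered or inspected
        pkts = self.pending.setdefault(key, [])
        pkts.append((ts_ms, outbound, length))
        return self._emit(key) if len(pkts) >= self.limit else None

    def on_close(self, key):
        """Flow ended before the cutoff: emit features from what was seen."""
        return self._emit(key) if key in self.pending else None

    def _emit(self, key):
        pkts = self.pending.pop(key)
        self.decided.add(key)
        gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
        return {
            "packets": len(pkts),
            "bytes_out": sum(n for _, out, n in pkts if out),
            "bytes_in": sum(n for _, out, n in pkts if not out),
            "max_len": max(n for _, _, n in pkts),
            "mean_gap_ms": sum(gaps) / len(gaps) if gaps else 0.0,
            "decided_at_ms": pkts[-1][0],  # when a verdict becomes possible
        }

# Constructed sample: (ts_ms, outbound, length) for one 12-packet flow.
SAMPLE = [(0, True, 74), (10, False, 74), (20, True, 66), (35, True, 583),
          (50, False, 1514), (60, False, 1200), (90, True, 192), (120, False, 117),
          (400, True, 1400), (900, False, 310), (1500, True, 95), (2000, False, 66)]

def run_sample():
    fx, key = EarlyFlowFeatures(), ("10.0.0.5", 49152, "203.0.113.7", 443, "tcp")
    emitted = [f for p in SAMPLE if (f := fx.on_packet(key, *p)) is not None]
    short = ("10.0.0.5", 49153, "203.0.113.7", 443, "tcp")
    for p in SAMPLE[:3]:          # a flow that closes after three packets
        fx.on_packet(short, *p)
    return emitted, fx.on_close(short)

if __name__ == "__main__":
    print(run_sample())
```

In the constructed flow the features are ready at 120 ms, whereas a complete-flow feature such as duration would only be known at 2000 ms; a long-running deployment would also need to expire entries from `decided`.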
Keywords
Network intrusion detection, encrypted traffic, online learning
Cite This Article
. , "Maldetect: a structure of encrypted malware traffic detection," Computers, Materials & Continua, vol. 60, no.2, pp. 721–739, 2019.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.