Malware traffic detection using tamper resistant features

Z. Berkay Celik; Robert J. Walls; Patrick McDaniel; Ananthram Swami

doi:10.1109/MILCOM.2015.7357464

Malware traffic detection using tamper resistant features

Z. Berkay Celik, Robert J. Walls, Patrick McDaniel, Ananthram Swami

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

46 Scopus citations

Abstract

This paper presents a framework for evaluating the transport layer feature space of malware heartbeat traffic. We utilize these features in a prototype detection system to distinguish malware traffic from traffic generated by legitimate applications. In contrast to previous work, we eliminate features at risk of producing overly optimistic detection results, detect previously unobserved anomalous behavior, and rely only on tamper-resistant features making it difficult for sophisticated malware to avoid detection. Further, we characterize the evolution of malware evasion techniques over time by examining the behavior of 16 malware families. In particular, we highlight the difficultly of detecting malware that use traffic-shaping techniques to mimic legitimate traffic.

Original language	English (US)
Title of host publication	2015 IEEE Military Communications Conference, MILCOM 2015
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	330-335
Number of pages	6
ISBN (Electronic)	9781509000739
DOIs	https://doi.org/10.1109/MILCOM.2015.7357464
State	Published - Dec 14 2015
Event	34th Annual IEEE Military Communications Conference, MILCOM 2015 - Tampa, United States Duration: Oct 26 2015 → Oct 28 2015

Publication series

Name	Proceedings - IEEE Military Communications Conference MILCOM
Volume	2015-December

Other

Other	34th Annual IEEE Military Communications Conference, MILCOM 2015
Country/Territory	United States
City	Tampa
Period	10/26/15 → 10/28/15

All Science Journal Classification (ASJC) codes

Electrical and Electronic Engineering

Access to Document

10.1109/MILCOM.2015.7357464

Cite this

Berkay Celik, Z., Walls, R. J., McDaniel, P., & Swami, A. (2015). Malware traffic detection using tamper resistant features. In 2015 IEEE Military Communications Conference, MILCOM 2015 (pp. 330-335). Article 7357464 (Proceedings - IEEE Military Communications Conference MILCOM; Vol. 2015-December). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/MILCOM.2015.7357464

@inproceedings{5fbc037ac37c434098dbca685e8d7e10,

title = "Malware traffic detection using tamper resistant features",

abstract = "This paper presents a framework for evaluating the transport layer feature space of malware heartbeat traffic. We utilize these features in a prototype detection system to distinguish malware traffic from traffic generated by legitimate applications. In contrast to previous work, we eliminate features at risk of producing overly optimistic detection results, detect previously unobserved anomalous behavior, and rely only on tamper-resistant features making it difficult for sophisticated malware to avoid detection. Further, we characterize the evolution of malware evasion techniques over time by examining the behavior of 16 malware families. In particular, we highlight the difficultly of detecting malware that use traffic-shaping techniques to mimic legitimate traffic.",

author = "{Berkay Celik}, Z. and Walls, {Robert J.} and Patrick McDaniel and Ananthram Swami",

note = "Publisher Copyright: {\textcopyright} 2015 IEEE.; 34th Annual IEEE Military Communications Conference, MILCOM 2015 ; Conference date: 26-10-2015 Through 28-10-2015",

year = "2015",

month = dec,

day = "14",

doi = "10.1109/MILCOM.2015.7357464",

language = "English (US)",

series = "Proceedings - IEEE Military Communications Conference MILCOM",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "330--335",

booktitle = "2015 IEEE Military Communications Conference, MILCOM 2015",

address = "United States",

}

Berkay Celik, Z, Walls, RJ, McDaniel, P & Swami, A 2015, Malware traffic detection using tamper resistant features. in 2015 IEEE Military Communications Conference, MILCOM 2015., 7357464, Proceedings - IEEE Military Communications Conference MILCOM, vol. 2015-December, Institute of Electrical and Electronics Engineers Inc., pp. 330-335, 34th Annual IEEE Military Communications Conference, MILCOM 2015, Tampa, United States, 10/26/15. https://doi.org/10.1109/MILCOM.2015.7357464

Malware traffic detection using tamper resistant features. / Berkay Celik, Z.; Walls, Robert J.; McDaniel, Patrick et al.
2015 IEEE Military Communications Conference, MILCOM 2015. Institute of Electrical and Electronics Engineers Inc., 2015. p. 330-335 7357464 (Proceedings - IEEE Military Communications Conference MILCOM; Vol. 2015-December).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Malware traffic detection using tamper resistant features

AU - Berkay Celik, Z.

AU - Walls, Robert J.

AU - McDaniel, Patrick

AU - Swami, Ananthram

PY - 2015/12/14

Y1 - 2015/12/14

N2 - This paper presents a framework for evaluating the transport layer feature space of malware heartbeat traffic. We utilize these features in a prototype detection system to distinguish malware traffic from traffic generated by legitimate applications. In contrast to previous work, we eliminate features at risk of producing overly optimistic detection results, detect previously unobserved anomalous behavior, and rely only on tamper-resistant features making it difficult for sophisticated malware to avoid detection. Further, we characterize the evolution of malware evasion techniques over time by examining the behavior of 16 malware families. In particular, we highlight the difficultly of detecting malware that use traffic-shaping techniques to mimic legitimate traffic.

AB - This paper presents a framework for evaluating the transport layer feature space of malware heartbeat traffic. We utilize these features in a prototype detection system to distinguish malware traffic from traffic generated by legitimate applications. In contrast to previous work, we eliminate features at risk of producing overly optimistic detection results, detect previously unobserved anomalous behavior, and rely only on tamper-resistant features making it difficult for sophisticated malware to avoid detection. Further, we characterize the evolution of malware evasion techniques over time by examining the behavior of 16 malware families. In particular, we highlight the difficultly of detecting malware that use traffic-shaping techniques to mimic legitimate traffic.

UR - http://www.scopus.com/inward/record.url?scp=84959274052&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84959274052&partnerID=8YFLogxK

U2 - 10.1109/MILCOM.2015.7357464

DO - 10.1109/MILCOM.2015.7357464

M3 - Conference contribution

AN - SCOPUS:84959274052

T3 - Proceedings - IEEE Military Communications Conference MILCOM

SP - 330

EP - 335

BT - 2015 IEEE Military Communications Conference, MILCOM 2015

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 34th Annual IEEE Military Communications Conference, MILCOM 2015

Y2 - 26 October 2015 through 28 October 2015

ER -

Malware traffic detection using tamper resistant features

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this