
Malware Discovery Using Behaviour-Based Exploration of Network Traffic

  • Conference paper
  • Similarity Search and Applications (SISAP 2017)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10609)


Abstract

We present a demo of behaviour-based similarity retrieval in network traffic data. The underlying framework is intended to support domain experts searching for network nodes (computers) infected by malicious software, especially in cases where a single client-server communication may not be sufficient to reliably identify the infection. The focus is on interactive browsing that enables dynamic changes of the retrieval model, which is based on a recently proposed statistical description (fingerprint) of the communication between two network hosts and on the bag-of-features approach. The demo/framework provides unique insight into the data and enables annotation of the data and modification of the model during the search, leading to more effective identification of infected hosts.
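The following is an added toy illustration of the retrieval model the abstract sketches; it is not the authors' framework or code. It assumes a constructed table of flow records (client, server, bytes sent, duration, destination port), aggregates each client-server pair into a small statistical fingerprint, quantizes fingerprints into discrete "words" so that every client host becomes a bag of features, and then evaluates the host-to-host distance matrix that a similarity search would rank. The binning and the L1 distance are simplifications chosen for the example.

```python
"""Toy behaviour-based host similarity: per-pair fingerprints -> bag of
features -> distance matrix. Added example, not the paper's implementation."""
from collections import Counter
import math

# Constructed flow records: (client, server, bytes_sent, duration_s, dst_port).
# h1 and h2 browse normally; h3 keeps many tiny, long-lived connections.
FLOWS = [
    ("h1", "s1", 1200, 0.8, 443), ("h1", "s1", 1100, 0.9, 443), ("h1", "s2", 300, 0.1, 80),
    ("h2", "s3", 1300, 0.7, 443), ("h2", "s3", 1150, 1.0, 443), ("h2", "s4", 350, 0.2, 80),
    ("h3", "s5", 50, 30.0, 8080), ("h3", "s5", 60, 28.0, 8080), ("h3", "s6", 55, 31.0, 8080),
]


def pair_fingerprints(flows):
    """Aggregate flows into one statistical fingerprint per (client, server) pair."""
    groups = {}
    for client, server, nbytes, dur, port in flows:
        groups.setdefault((client, server), []).append((nbytes, dur, port))
    fps = {}
    for pair, recs in groups.items():
        n = len(recs)
        fps[pair] = {
            "n_conn": n,
            "mean_bytes": sum(r[0] for r in recs) / n,
            "mean_dur": sum(r[1] for r in recs) / n,
            "port": Counter(r[2] for r in recs).most_common(1)[0][0],
        }
    return fps


def quantize(fp):
    """Map a fingerprint to a discrete word using log10 bins (the 'codebook')."""
    return (int(math.log10(fp["mean_bytes"] + 1)),
            int(math.log10(fp["mean_dur"] + 1)),
            fp["port"])


def host_bags(fps):
    """Each client host becomes a normalized histogram over its fingerprint words."""
    counts = {}
    for (client, _server), fp in fps.items():
        counts.setdefault(client, Counter())[quantize(fp)] += 1
    return {h: {w: c / sum(cnt.values()) for w, c in cnt.items()}
            for h, cnt in counts.items()}


def l1(a, b):
    """L1 distance between two sparse histograms."""
    return sum(abs(a.get(k, 0.0) - b.get(k, 0.0)) for k in set(a) | set(b))


def distance_matrix(bags):
    """Full host-to-host distance matrix (what a server would precompute)."""
    hosts = sorted(bags)
    return hosts, [[l1(bags[x], bags[y]) for y in hosts] for x in hosts]


def nearest(bags, query):
    """Hosts ranked by behavioural similarity to the query host (retrieval step)."""
    return sorted((l1(bags[query], bags[h]), h) for h in bags if h != query)


if __name__ == "__main__":
    bags = host_bags(pair_fingerprints(FLOWS))
    hosts, matrix = distance_matrix(bags)
    for h, row in zip(hosts, matrix):
        print(h, [round(d, 2) for d in row])
    print("nearest to h1:", nearest(bags, "h1"))
```

In this constructed data h1 and h2 end up with identical bags (distance 0), while h3 sits far from both, which is the kind of grouping an analyst would then annotate and feed back into the model. Real fingerprints would carry many more statistics and a learned codebook rather than fixed log bins.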


Notes

  1. E.g., number of sent bytes, length of the connections, IP addresses, port used, etc.

  2. No one wants to work on infected computers, and simulated infections work poorly.

  3. The demo is available as a web app at herkules.ms.mff.cuni.cz/NetworkData.

  4. The similarity relations are represented by a distance matrix evaluated by the server.

  5. The names of the malware families are as reported by the Cisco CTA engine.


Acknowledgements

This research has been supported by Czech Science Foundation (GAČR) project 15-08916S and Charles University grant (GAUK) 201515.

Author information

Corresponding author: Tomáš Skopal.


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Lokoč, J., Grošup, T., Čech, P., Pevný, T., Skopal, T. (2017). Malware Discovery Using Behaviour-Based Exploration of Network Traffic. In: Beecks, C., Borutta, F., Kröger, P., Seidl, T. (eds) Similarity Search and Applications. SISAP 2017. Lecture Notes in Computer Science, vol 10609. Springer, Cham. https://doi.org/10.1007/978-3-319-68474-1_22

  • DOI: https://doi.org/10.1007/978-3-319-68474-1_22
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-68473-4
  • Online ISBN: 978-3-319-68474-1
  • eBook Packages: Computer Science (R0)
