BotDetector: A robust and scalable approach toward detecting malware-infected devices

Sho Mizuno, Mitsuhiro Hatada, Tatsuya Mori, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding - Conference contribution

    3 Citations (Scopus)

    Abstract

    Damage caused by malware is a serious problem that needs to be addressed. The recent rise in the spread of evasive malware has made it difficult to detect it at pre-infection time. Malware detection at post-infection time is a promising approach that fills this gap. Given this background, this work aims to identify likely malware-infected devices from measurements of Internet traffic. The advantage of the traffic-measurement-based approach is that it enables us to monitor a large number of clients. If we find that a client is a source of malicious traffic, the client is likely a malware-infected device. Since the majority of malware today makes use of the web as a means to communicate with C&C servers that reside on the external network, we leverage information recorded in the HTTP headers to discriminate between malicious and legitimate traffic. To make our approach scalable and robust, we develop an automatic template generation scheme that drastically reduces the amount of information to be kept while achieving high classification accuracy; since it does not make use of any domain knowledge, the approach should be robust against changes in malware. We apply several classifiers, including machine learning algorithms, to the extracted templates and classify traffic into two categories: malicious and legitimate. Our extensive experiments demonstrate that our approach discriminates between malicious and legitimate traffic with up to 97.1% precision while keeping the false positive rate below 1.0%.
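    The pipeline the abstract describes (HTTP request headers reduced to templates, a classifier over those templates, precision and false positive rate as the reported figures, and flagging of clients that emit malicious traffic), as an added Python illustration that is not the authors' code. The abstraction rules are a generic shape abstraction and not the paper's own template generation algorithm, the lookup table stands in for the paper's machine learning classifiers, and every sample request, client address and label below is constructed for this example.

```python
import re
from collections import defaultdict

# Purely syntactic abstraction rules (added example, not the paper's own scheme):
# no knowledge of malware families, domains or header semantics is encoded.
# Hex and long opaque tokens are collapsed before bare digit runs.
_RULES = [
    (re.compile(r"[0-9a-fA-F]{16,}"), "<HEX>"),
    (re.compile(r"[A-Za-z0-9+/]{32,}={0,2}"), "<B64>"),
    (re.compile(r"\d+"), "<NUM>"),
]

def abstract_value(value):
    """Replace variable-looking substrings with placeholders."""
    for pattern, token in _RULES:
        value = pattern.sub(token, value)
    return value

def make_template(raw):
    """Reduce a raw HTTP request header block to a template: method, abstracted
    path, query parameter names, and each header name with its abstracted value."""
    lines = [line for line in raw.split("\r\n") if line]
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    params = []
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.append(name + "=" + abstract_value(value))
    request = method + " " + abstract_value(path)
    parts = [request + "?" + "&".join(params) if params else request]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        parts.append(name.strip().lower() + ": " + abstract_value(value.strip()))
    return "\n".join(parts)

class TemplateClassifier:
    """Stand-in for the paper's ML classifiers: a lookup that flags a request
    only if its template was seen exclusively in malicious training traffic."""
    def __init__(self):
        self.seen = defaultdict(set)  # template -> labels observed in training

    def fit(self, samples):
        for _client, raw, label in samples:
            self.seen[make_template(raw)].add(label)
        return self

    def predict(self, raw):
        labels = self.seen.get(make_template(raw), set())
        return "malicious" if labels == {"malicious"} else "legitimate"

def evaluate(clf, samples):
    """Precision and false positive rate, the two figures the abstract reports."""
    tp = fp = tn = fn = 0
    for _client, raw, label in samples:
        hit = clf.predict(raw) == "malicious"
        bad = label == "malicious"
        tp += hit and bad
        fp += hit and not bad
        fn += bad and not hit
        tn += not hit and not bad
    precision = tp / (tp + fp) if tp + fp else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "precision": precision, "fpr": fpr}

def infected_clients(clf, samples):
    """Clients that sent at least one request classified as malicious."""
    return sorted({c for c, raw, _ in samples if clf.predict(raw) == "malicious"})

def distinct_templates(samples):
    return {make_template(raw) for _, raw, _ in samples}

def req(*lines):
    return "\r\n".join(lines) + "\r\n"

# Constructed sample traffic: (client, raw request headers, ground-truth label).
WEB = ("Host: www.example.org", "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/91.0",
       "Accept: text/html", "Accept-Language: en-US")
GATE = ("Host: cdn-update.example.net", "User-Agent: Mozilla/4.0", "Cache-Control: no-cache")
UP = ("Host: cdn-update.example.net", "User-Agent: Mozilla/4.0", "Content-Type: application/octet-stream")
TRAIN = [
    ("10.0.0.11", req("GET /index.html HTTP/1.1", *WEB), "legitimate"),
    ("10.0.0.12", req("GET /news/2021/05/21/story.html HTTP/1.1", *WEB), "legitimate"),
    ("10.0.0.23", req("GET /gate.php?id=1038471&v=2 HTTP/1.1", *GATE), "malicious"),
    ("10.0.0.23", req("GET /gate.php?id=1038471&v=3 HTTP/1.1", *GATE), "malicious"),
    ("10.0.0.24", req("POST /panel/upload HTTP/1.1", *UP, "Content-Length: 512"), "malicious"),
]
TEST = [
    ("10.0.0.31", req("GET /gate.php?id=7720091&v=2 HTTP/1.1", *GATE), "malicious"),
    ("10.0.0.31", req("POST /panel/upload HTTP/1.1", *UP, "Content-Length: 2048"), "malicious"),
    ("10.0.0.41", req("GET /index.html HTTP/1.1", *WEB).replace("91.0", "92.0"), "legitimate"),
    ("10.0.0.42", req("GET /about.html HTTP/1.1", *WEB[:3]), "legitimate"),
    ("10.0.0.43", req("GET /gate.php?id=55&v=1 HTTP/1.1", "Host: www.example.org", *GATE[1:]), "legitimate"),
    # Beacon shape never seen in training: a pure lookup misses it (false negative).
    ("10.0.0.45", req("GET /ping?x=3 HTTP/1.1", "Host: other.example.net", "User-Agent: curl/7.68.0"), "malicious"),
    # An analyst replaying the beacon from a clean host: counted as a false positive.
    ("10.0.0.44", req("GET /gate.php?id=12&v=1 HTTP/1.1", *GATE), "legitimate"),
]

if __name__ == "__main__":
    clf = TemplateClassifier().fit(TRAIN)
    print(evaluate(clf, TEST), infected_clients(clf, TEST), len(distinct_templates(TRAIN + TEST)))
```

    Two things worth noticing when running it: the beacon requests with different `id` values collapse to one template, which is the information reduction the abstract refers to, and precision and false positive rate are not the same figure (here the single analyst replay costs 1/4 of the clean test requests in FPR while precision is 2/3). The unseen `/ping` beacon shows the limit of exact template lookup, which is where the classifiers the paper applies over the templates are meant to generalise.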

    Original language: English
    Title of host publication: 2017 IEEE International Conference on Communications, ICC 2017
    Publisher: Institute of Electrical and Electronics Engineers Inc.
    ISBN (Electronic): 9781467389990
    DOIs: 10.1109/ICC.2017.7997372
    Publication status: Published - 2017 Jul 28
    Event: 2017 IEEE International Conference on Communications, ICC 2017 - Paris, France
    Duration: 2017 May 21 - 2017 May 25

    Other

    Other: 2017 IEEE International Conference on Communications, ICC 2017
    Country: France
    City: Paris
    Period: 17/5/21 - 17/5/25

    Fingerprint

    HTTP
    Malware
    Learning algorithms
    Learning systems
    Classifiers
    Servers
    Internet
    Experiments

    ASJC Scopus subject areas

    • Computer Networks and Communications
    • Electrical and Electronic Engineering

    Cite this

    Mizuno, S., Hatada, M., Mori, T., & Goto, S. (2017). BotDetector: A robust and scalable approach toward detecting malware-infected devices. In 2017 IEEE International Conference on Communications, ICC 2017 [7997372]. Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/ICC.2017.7997372

    @inproceedings{2c03683eb98445bab11a61f99914e212,
    title = "BotDetector: A robust and scalable approach toward detecting malware-infected devices",
    abstract = "Damage caused by malware is a serious problem that needs to be addressed. The recent rise in the spread of evasive malware has made it difficult to detect it at pre-infection time. Malware detection at post-infection time is a promising approach that fills this gap. Given this background, this work aims to identify likely malware-infected devices from measurements of Internet traffic. The advantage of the traffic-measurement-based approach is that it enables us to monitor a large number of clients. If we find that a client is a source of malicious traffic, the client is likely a malware-infected device. Since the majority of malware today makes use of the web as a means to communicate with C&C servers that reside on the external network, we leverage information recorded in the HTTP headers to discriminate between malicious and legitimate traffic. To make our approach scalable and robust, we develop an automatic template generation scheme that drastically reduces the amount of information to be kept while achieving high classification accuracy; since it does not make use of any domain knowledge, the approach should be robust against changes in malware. We apply several classifiers, including machine learning algorithms, to the extracted templates and classify traffic into two categories: malicious and legitimate. Our extensive experiments demonstrate that our approach discriminates between malicious and legitimate traffic with up to 97.1{\%} precision while keeping the false positive rate below 1.0{\%}.",
    author = "Sho Mizuno and Mitsuhiro Hatada and Tatsuya Mori and Shigeki Goto",
    year = "2017",
    month = "7",
    day = "28",
    doi = "10.1109/ICC.2017.7997372",
    language = "English",
    booktitle = "2017 IEEE International Conference on Communications, ICC 2017",
    publisher = "Institute of Electrical and Electronics Engineers Inc.",
    address = "United States",

    }

    TY - GEN

    T1 - BotDetector

    T2 - A robust and scalable approach toward detecting malware-infected devices

    AU - Mizuno, Sho

    AU - Hatada, Mitsuhiro

    AU - Mori, Tatsuya

    AU - Goto, Shigeki

    PY - 2017/7/28

    Y1 - 2017/7/28

    UR - http://www.scopus.com/inward/record.url?scp=85028359847&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=85028359847&partnerID=8YFLogxK

    U2 - 10.1109/ICC.2017.7997372

    DO - 10.1109/ICC.2017.7997372

    M3 - Conference contribution

    AN - SCOPUS:85028359847

    BT - 2017 IEEE International Conference on Communications, ICC 2017

    PB - Institute of Electrical and Electronics Engineers Inc.

    ER -