Evaluation of secular changes in statistical features of traffic for the purpose of malware detection

Kenji Kawamoto, Masatsugu Ichino, Mitsuhiro Hatada, Yusuke Otsuki, Hiroshi Yoshiura, Jiro Katto

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    1 Citation (Scopus)

    Abstract

    Applications and malware affecting them are dramatically changing. It isn't certain whether the currently used features can classify normal traffic or malware traffic correctly. In this paper, we evaluated the features used in previous studies while taking into account secular changes to classify normal traffic into the normal category and anomalous traffic into the anomalous category correctly. A secular change in this study is a difference in a feature between the date the training data were captured and the date the test data were captured in the same circumstance. The evaluation is based on the Euclidean distance between the normal codebook or anomalous codebook made by vector quantization and the test data. We report on what causes these secular changes and which features with little or no secular change are effective for malware detection.

    Original language: English
    Title of host publication: Studies in Computational Intelligence
    Pages: 1-11
    Number of pages: 11
    Volume: 443
    DOIs: https://doi.org/10.1007/978-3-642-32172-6-1
    Publication status: Published - 2013

    Publication series

    Name: Studies in Computational Intelligence
    Volume: 443
    ISSN (Print): 1860949X

    Fingerprint

    Vector quantization
    Malware

    ASJC Scopus subject areas

    • Artificial Intelligence

    Cite this

    Kawamoto, K., Ichino, M., Hatada, M., Otsuki, Y., Yoshiura, H., & Katto, J. (2013). Evaluation of secular changes in statistical features of traffic for the purpose of malware detection. In Studies in Computational Intelligence (Vol. 443, pp. 1-11). (Studies in Computational Intelligence; Vol. 443). https://doi.org/10.1007/978-3-642-32172-6-1

    @inproceedings{49765ce604804e6098cf9bbde1176802,
    title = "Evaluation of secular changes in statistical features of traffic for the purpose of malware detection",
    abstract = "Applications and malware affecting them are dramatically changing. It isn't certain whether the currently used features can classify normal traffic or malware traffic correctly. In this paper, we evaluated the features used in previous studies while taking into account secular changes to classify normal traffic into the normal category and anomalous traffic into the anomalous category correctly. A secular change in this study is a difference in a feature between the date the training data were captured and the date the test data were captured in the same circumstance. The evaluation is based on the Euclidean distance between the normal codebook or anomalous codebook made by vector quantization and the test data. We report on what causes these secular changes and which features with little or no secular change are effective for malware detection.",
    author = "Kenji Kawamoto and Masatsugu Ichino and Mitsuhiro Hatada and Yusuke Otsuki and Hiroshi Yoshiura and Jiro Katto",
    year = "2013",
    doi = "10.1007/978-3-642-32172-6-1",
    language = "English",
    isbn = "9783642321719",
    volume = "443",
    series = "Studies in Computational Intelligence",
    pages = "1--11",
    booktitle = "Studies in Computational Intelligence",

    }
