Abstract
We present a demo of behaviour-based similarity retrieval in network traffic data. The underlying framework is intended to support domain experts searching for network nodes (computers) infected by malicious software, especially in cases where a single client-server communication may not be sufficient to reliably identify the infection. The focus is on interactive browsing that enables dynamic changes of the retrieval model, which is based on a recently proposed statistical description (fingerprint) of the communication between two network hosts and on the bag-of-features approach. The demo/framework provides unique insight into the data and enables annotation of the data and modification of the model during the search, for more effective identification of infected hosts.
Notes
1. E.g., number of sent bytes, length of the connections, IP addresses, ports used, etc.
2. No one wants to work on infected computers, and simulated infections work poorly.
3. The demo is available as a web app at herkules.ms.mff.cuni.cz/NetworkData.
4. The similarity relations are represented by a distance matrix evaluated by the server.
5. The names of the malware families are as reported by the Cisco CTA engine.
Acknowledgements
This research has been supported by the Czech Science Foundation (GAČR) project 15-08916S and the Charles University grant (GAUK) 201515.
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Lokoč, J., Grošup, T., Čech, P., Pevný, T., Skopal, T. (2017). Malware Discovery Using Behaviour-Based Exploration of Network Traffic. In: Beecks, C., Borutta, F., Kröger, P., Seidl, T. (eds) Similarity Search and Applications. SISAP 2017. Lecture Notes in Computer Science(), vol 10609. Springer, Cham. https://doi.org/10.1007/978-3-319-68474-1_22
DOI: https://doi.org/10.1007/978-3-319-68474-1_22
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-68473-4
Online ISBN: 978-3-319-68474-1
eBook Packages: Computer Science (R0)