Robust network security systems are essential to prevent and mitigate the harmful effects of the ever-growing number of network attacks. In recent years, machine learning-based systems have gained popularity for network security applications, usually through shallow models that rely on the careful engineering of expert, handcrafted input features. The main limitation of this approach is that handcrafted features can fail to perform well under different scenarios and types of attacks. Deep Learning (DL) models can overcome this limitation through their ability to learn feature representations from raw, unprocessed data. In this paper we explore the power of DL models on the specific problem of detection and classification of malware network traffic. As a major advantage with respect to the state of the art, we consider raw measurements coming directly from the stream of monitored bytes as input to the proposed models, and evaluate different raw-traffic feature representations, including packet and flow-level ones. We introduce DeepMAL, a DL model which is able to capture the underlying statistics of malicious traffic without any sort of expert handcrafted features. Using publicly available traffic traces containing different families of malware traffic, we show that DeepMAL can detect and classify malware flows with high accuracy, outperforming traditional, shallow-like models.
- Deep Learning
- Network Security
- Raw Network Measurements
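The packet-level and flow-level raw-byte inputs mentioned in the abstract can be pictured with the sketch below. It is an added example, not the DeepMAL authors' code; the sizes N_BYTES and M_PACKETS, the helper names and the sample packets are assumptions constructed for illustration.

```python
from collections import OrderedDict

N_BYTES = 16    # assumed: raw bytes kept per packet
M_PACKETS = 3   # assumed: packets kept per flow

# Constructed sample packets: (src, sport, dst, dport, proto, raw bytes)
PACKETS = [
    ("10.0.0.5", 40000, "192.0.2.10", 80, "tcp", b"GET /index.html HTTP/1.1\r\n"),
    ("192.0.2.10", 80, "10.0.0.5", 40000, "tcp", b"HTTP/1.1 200 OK\r\n"),
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp", b"\x12\x34\x01\x00"),
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp", b"\x12\x35\x01\x00"),
    ("192.0.2.53", 53, "10.0.0.7", 5353, "udp", b"\x12\x34\x81\x80"),
    ("10.0.0.7", 5353, "192.0.2.53", 53, "udp", b"\x12\x36\x01\x00"),
]


def packet_vector(raw, n=N_BYTES):
    """Truncate or zero-pad to n bytes and scale each byte to [0, 1]."""
    return [b / 255.0 for b in raw[:n].ljust(n, b"\x00")]


def flow_key(pkt):
    """Direction-independent 5-tuple: both directions map to one flow."""
    src, sport, dst, dport, proto = pkt[:5]
    return tuple(sorted([(src, sport), (dst, dport)])) + (proto,)


def packet_level(packets, n=N_BYTES):
    """One fixed-length vector per packet, no flow context."""
    return [packet_vector(p[5], n) for p in packets]


def flow_level(packets, n=N_BYTES, m=M_PACKETS):
    """One m x n matrix per flow, built from its first m packets."""
    flows = OrderedDict()
    for p in packets:
        flows.setdefault(flow_key(p), []).append(p[5])
    matrices = {}
    for key, raws in flows.items():
        rows = [packet_vector(r, n) for r in raws[:m]]
        rows += [[0.0] * n for _ in range(m - len(rows))]  # pad short flows
        matrices[key] = rows
    return matrices


if __name__ == "__main__":
    for key, matrix in flow_level(PACKETS).items():
        print(key, [row[:4] for row in matrix])
```

Either output can be fed to a classifier as a fixed-size tensor: the packet-level form labels each packet on its own, while the flow-level form gives the model the first packets of a conversation in order.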
Rights and permissions
© 2021 The Author(s), exclusively licensed to Springer Fachmedien Wiesbaden GmbH, part of Springer Nature
About this paper
Cite this paper
Marín, G., Casas, P., Capdehourat, G. (2021). DeepMAL - Deep Learning Models for Malware Traffic Detection and Classification. In: Haber, P., Lampoltshammer, T., Mayr, M., Plankensteiner, K. (eds) Data Science – Analytics and Applications. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-32182-6_16
Publisher Name: Springer Vieweg, Wiesbaden
Print ISBN: 978-3-658-32181-9
Online ISBN: 978-3-658-32182-6
eBook Packages: Computer Science and Engineering (German Language)