Classification of Malware in HTTPs Traffic Using Machine Learning Approach

Abstract

Cybersecurity and cyberwar have become crucial for a world with the continuous development and expansion of digitalization. In the current digital era, malware has become a significant threat for internet users. Malware spreads faster and poses a big threat to our computer safety. Hence, network security measures have an important role to play for neutralizing these cyber threats. In our research study, we collected some malicious and self-generated benign PCAP’s and then applied a suitable machine learning classification algorithm to build a traffic classifier. The proposed classifier classifies the malicious HTTPs traffic. The experimental results show the average accuracy (90%) and false-positive (0.030) for Random Forest (RF) classifier.

Keywords

• Network traffic
• Classification
• HTTPs
• Malware
• Wireshark
• Machine learning

Project Number

No

References

1. [1]. Wang, W., Zhu, M.,Zeng,X., et.al., “Malware traffic classification using convolutional neural network for representation learning” in international conference on information networking (ICOIN), pp 712-717, IEEE, 2017.
2. [2]. C. McCarthy et al., “An investigation on identifying SSL traffic,” in Computational Intelligence for Security and Defense Applications (CISDA), IEEE Symposium on. IEEE, pp. 115–122, 2011.
3. [3]. Husák, M., Čermák, M., Jirsík, T. and Čeleda, P., “HTTPS traffic analysis and client identification using passive SSL/TLS fingerprinting" EURASIP Journal on Information Security, pp.1-14, 2016.
4. [4]. Becker, Jamin. “A Free, Online PCAP Analysis Engine.” Available at: www.packettotal.com/.
5. [5]. “Wireshark.” Wireshark • Go Deep., Available at: www.wireshark.org/.
6. [6]. “CICFlowMeter.” NetFlowMeter, Available at: www.netflowmeter.ca/.
7. [7]. What is a computer virus or a computer worm? Available at: https://usa.kaspersky.com/resource-center/threats/computer-viruses-vs-worms
8. [8]. Marczak, Bill & Scott-Railton, John & Mckune, Sarah & Deibert, Ron & Abdulrazzak, Bahr "HIDE AND SEEK Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries" 2018.

9. [9]. What is a backdoor? Available at: https://www.wired.com/2014/12/hacker-lexicon-backdoor/.
10. [10]. Kim, S., Park, J., Lee, K., You, I. and Yim, K., "A Brief Survey on Rootkit Techniques in Malicious Codes" J. Internet Serv. Inf. Secur.,vol no 2(3/4), pp.134-147, 2012.
11. [11]. Malode, S.K. and Adware, R.H., "Regenerative braking system in electric vehicles" International Research Journal of Engineering and Technology (IRJET), no 3(3), pp.394-400, 2016.
12. [12]. Mohurle, S. and Patil, M., "A brief study of wanna cry threat: Ransomware attack " International Journal of Advanced Research in Computer Science, Vol.8, No.5, pp.1938-1940, 2017.
13. [13]. Rezaei, S. and Liu, X., "Deep learning for encrypted traffic classification: An overview". IEEE communications magazine, Vol.57 No.5, pp.76-81, 2019.
14. [14]. Valenti, S., Rossi, D., Dainotti, A., Pescapè, A., Finamore, A., & Mellia, M. "Reviewing traffic classification. In Data Traffic Monitoring and Analysis” Springer, Berlin, Heidelberg, pp.123-147, 2013.
15. [15]. Zhao, J., Jing, X., Yan, Z. and Pedrycz, W., "Network traffic classification for data fusion: A survey" Information Fusion, 72, pp.22-47, 2021.
16. [16]. T. Karagiannis, K. Papagiannaki, N. Taft, and M. Faloutsos, “Profiling the end host,” in Passive and Active Network Measurement, S. Uhlig, K. Papagiannaki, and O. Bonaventure, Eds., vol. 4427 of Lecture Notes in Computer Science, pp. 186–196, Springer, Heidelberg, Germany, 2007.
17. [17]. K. Xu, Z.-L. Zhang, and S. Bhattacharyya 2005 “Profiling internet backbone traffic: behavior models and applications,” in Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '05), vol. 35, no. 4, pp. 169–180, ACM.
18. [18]. M. Iliofotou, P. Pappu, M. Faloutsos, M. Mitzenmacher, S. Singh, and G. Varghese, 2007 “Network monitoring using traffic dispersion graphs (TDGs),” in Proceedings of the 7th ACM SIGCOMM Internet Measurement Conference (IMC '07), pp. 315–320, San Diego, Calif, USA, October.
19. [19]. P. Bermolen, M. Mellia, M. Meo, D. Rossi, and S. Valenti, 2011 “Abacus: accurate behavioral classification of P2P-TV traffic,” Computer Networks, vol. 55, no. 6, pp. 1394–1411.
20. [20]. Bakhshi, T., & Ghita, B. 2016 "On internet traffic classification: A two-phased machine learning approach" Journal of Computer Networks and Communications.
21. [21]. Zhang, X. D. 2020 “Machine learning. In A Matrix Algebra Approach to Artificial Intelligence" (pp. 223-440). Springer, Singapore.
22. [22]. Zheng, R., Liu, J., Niu, W., Liu, L., Li, K., & Liao, S. "Preprocessing Method for Encrypted Traffic Based on Semi supervised Clustering. Security and Communication Networks”, 2020.
23. [23]. J. Lokoc, J. Kohout, P. Cech, T. Skopal, and T. Pevny, “k NN Classification of Malware in HTTPS Traffic Using the Metric Space Approach” LNCS, vol. 9650, Springer pp.131–145,2016.
24. [24]. Paul Prase, Lukas Machlica, “Malware Detection by Analyzing Encrypted Network Traffic with Neural Networks” LNCS, vol.10535, Springer pp. 73-88, 2017.
25. [25]. Soutner, D. and Müller, L. "Application of LSTM neural networks in language modelling" In International Conference on Text, Speech and Dialogue (pp. 105-112). Springer, Berlin, Heidelberg, 2013.
26. [26]. Paul Calderon, 2018 "Malware Detection Based on HTTPS Characteristics via Machine Learning" In Proceedings of the 4th International Conference on Information Systems Security and Privacy pp. 410-417.
27. [27]. “Welcome!” Openrefine.github.com, Available at: openrefine.org/.
28. [28]. Waikato Environment for Knowledge Analysis (WEKA), Available at: https://www.cs.waikto.ac.nz/ml.
29. [29]. N.Moustafa, J. Hu, and J. Slay, 2019 “A holistic review of Network Anomaly Detection Systems: A Comprehensive survey,” J. Netw. Comput. Appl., vol. 128, no. December, pp. 33-55, doi:10.1016/j.jnca.2018.12.006.