Automated malware classification based on network behavior


Abstract

Over the past decade, malware, i.e., malicious software, has become a major security threat on the Internet. Today, anti-virus companies receive thousands of malicious samples every day. However, the vast majority of these samples are variants of existing malware. Due to the sheer number of malware variants, it is important to accurately determine whether a sample belongs to a known malware family or exhibits a new behavior and thus requires further analysis and a separate detection signature. Despite the importance of network activity, the existing research on malware analysis does not fully leverage malware network behavior for classification. In this paper, we propose an automated malware classification system that focuses on the network behavior of malware samples. Our approach employs behavioral profiles that summarize the network behavior of malware samples. The proposed approach is applied to a real-world malware corpus. Our experimental results show the effectiveness of the proposed approach in classifying malware samples based only on the network activity exhibited by the samples. © 2013 IEEE.

Cite

Nari, S., & Ghorbani, A. A. (2013). Automated malware classification based on network behavior. In 2013 International Conference on Computing, Networking and Communications, ICNC 2013 (pp. 642–647). https://doi.org/10.1109/ICCNC.2013.6504162
