Skip to main content
SpringerLink
Log in
Book cover

International Conference on Information and Communications Security

ICICS 2019: Information and Communications Security pp 3–17Cite as

Prototype-Based Malware Traffic Classification with Novelty Detection

  • Conference paper
  • First Online:

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11999))

Abstract

Automated malware classification using deep learning techniques has been widely researched in recent years. However, existing studies addressing this problem are always based on the assumption of closed world, where all the categories are known and fixed. Thus, they lack robustness and do not have the ability to recognize novel malware instances. In this paper, we propose a prototype-based approach to perform robust malware traffic classification with novel class detection. We design a new objective function where a distance based cross entropy (DCE) loss term and a metric regularization (MR) term are included. The DCE term ensures the discrimination of different classes, and the MR term improves the within-class compactness and expands the between-class separateness in the deeply learned feature space, which enables the robustness of novel class detection. Extensive experiments have been conducted on datasets with real malware traffic. The experimental results demonstrate that our proposed approach outperforms the existing methods and achieves state-of-the-art results.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Notes

  1. 1.

    Malware Capture Facility Project (https://www.stratosphereips.org/datasets-malware) is responsible for making the long-term captures. This project is continually obtaining malware and normal data to feed the Stratosphere IPS.

  2. 2.

    https://github.com/yungshenglu/USTC-TFC2016.

References

  1. Anderson, B., McGrew, D.: Machine learning for encrypted malware traffic classification: accounting for noisy labels and non-stationarity. In: Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1723–1732. ACM (2017)

    Google Scholar 

  2. Bekerman, D., Shapira, B., Rokach, L., Bar, A.: Unknown malware detection using network traffic classification. In: 2015 IEEE Conference on Communications and Network Security (CNS), pp. 134–142. IEEE (2015)

    Google Scholar 

  3. Bonilla, E.V., Robles-Kelly, A.: Discriminative Probabilistic Prototype Learning (2012)

    Google Scholar 

  4. Celik, Z.B., Walls, R.J., McDaniel, P., Swami, A.: Malware traffic detection using tamper resistant features. In: MILCOM 2015–2015 IEEE Military Communications Conference, pp. 330–335. IEEE (2015)

    Google Scholar 

  5. Chen, Z., et al.: Machine learning based mobile malware detection using highly imbalanced network traffic. Inf. Sci. 433, 346–364 (2018)

    Article  Google Scholar 

  6. Cover, T., Hart, P.: Nearest neighbor pattern classification. IEEE Trans. Inf. Theory 13(1), 21–27 (1967)

    Article  Google Scholar 

  7. Decaestecker, C.: Finding prototypes for nearest neighbour classification by means of gradient descent and deterministic annealing. Pattern Recogn. 30(2), 281–288 (1997)

    Article  Google Scholar 

  8. Huang, Y.-S., et al.: A simulated annealing approach to construct optimized prototypes for nearest-neighbor classification. In: Proceedings of 13th International Conference on Pattern Recognition, vol. 4, pp. 483–487. IEEE (1996)

    Google Scholar 

  9. Javaid, A.Y., Niyaz, Q., Sun, W., Alam, M.: A deep learning approach for network intrusion detection system. In: EAI International Conference on Bio-inspired Information & Communications Technologies (2016)

    Google Scholar 

  10. Kohonen, T.: Learning vector quantization. In: Kohonen, T. (ed.) Self-Organizing Maps. Springer Series in Information Sciences, vol. 30, pp. 175–189. Springer, Heidelberg (1995). https://doi.org/10.1007/978-3-642-97610-0_6

    Chapter  Google Scholar 

  11. Kuncheva, L.I., Bezdek, J.C.: Nearest prototype classification: clustering, genetic algorithms, or random search? IEEE Trans. Syst. Man Cybern. Part C Appl. Rev 28(1), 160–164 (1998)

    Article  Google Scholar 

  12. Li, Z., Qin, Z., Huang, K., Yang, X., Ye, S.: Intrusion detection using convolutional neural networks for representation learning. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.-S.M. (eds.) ICONIP 2017, Part V. LNCS, vol. 10638, pp. 858–866. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70139-4_87

    Chapter  Google Scholar 

  13. Liu, C.-L., Sako, H., Fujisawa, H.: Discriminative learning quadratic discriminant function for handwriting recognition. IEEE Trans. Neural Networks 15(2), 430–444 (2004)

    Article  Google Scholar 

  14. Liu, C.-L., Sako, H., Fujisawa, H.: Effects of classifier structures and training regimes on integrated segmentation and recognition of handwritten numeral strings. IEEE Trans. Pattern Anal. Mach. Intell. 26(11), 1395–1407 (2004)

    Article  Google Scholar 

  15. Marín, G., Casas, P., Capdehourat, G.: Rawpower: deep learning based anomaly detection from raw network traffic measurements. In: Proceedings of the ACM SIGCOMM 2018 Conference on Posters and Demos, pp. 75–77. ACM (2018)

    Google Scholar 

  16. Marín, G., Casas, P., Capdehourat, G.: Deepsec meets rawpower-deep learning for detection of network attacks using raw representations. ACM SIGMETRICS Perform. Eval. Rev. 46(3), 147–150 (2019)

    Article  Google Scholar 

  17. Miller, D., Rao, A.V., Rose, K.: A global optimization technique for statistical classifier design. IEEE Trans. Signal Process. 44(12), 3108–3122 (1996)

    Article  Google Scholar 

  18. Narudin, F.A., Feizollah, A., Anuar, N.B., Gani, A.: Evaluation of machine learning classifiers for mobile malware detection. Soft Comput. 20(1), 343–357 (2016)

    Article  Google Scholar 

  19. Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12(Oct), 2825–2830 (2011)

    MathSciNet  MATH  Google Scholar 

  20. Radford, B.J., Apolonio, L.M., Trias, A.J., Simpson, J.A.: Network traffic anomaly detection using recurrent neural networks. arXiv preprint arXiv:1803.10769 (2018)

  21. Saad, S., et al.: Detecting P2P botnets through network behavior analysis and machine learning. In: 2011 Ninth Annual International Conference on Privacy, Security and Trust, pp. 174–180. IEEE (2011)

    Google Scholar 

  22. Sato, A., Yamada, K.: Generalized learning vector quantization. In: Advances in Neural Information Processing Systems, pp. 423–429 (1996)

    Google Scholar 

  23. Sato, A., Yamada, K.: A formulation of learning vector quantization using a new misclassification measure. In: Proceedings of the Fourteenth International Conference on Pattern Recognition (Cat. No. 98EX170), vol. 1, pp. 322–325. IEEE (1998)

    Google Scholar 

  24. Wang, W., Zhu, M., Zeng, X., Ye, X., Sheng, Y.: Malware traffic classification using convolutional neural network for representation learning. In: 2017 International Conference on Information Networking (ICOIN), pp. 712–717. IEEE (2017)

    Google Scholar 

Download references

Acknowledgements

This work is supported by the strategic Priority Research Program of Chinese Academy of Sciences, Grant No. XDC02040200.

Author information

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Lixin Zhao, Lijun Cai, Aimin Yu, Zhen Xu & Dan Meng

  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Lixin Zhao

Authors
  1. Lixin Zhao
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lijun Cai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Aimin Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhen Xu
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Dan Meng
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Aimin Yu .

Editor information

Editors and Affiliations

  1. Singapore University of Technology and Design, Singapore, Singapore

    Jianying Zhou

  2. The Hong Kong Polytechnic University, Kowloon, Hong Kong

    Xiapu Luo

  3. Peking University, Beijing, China

    Qingni Shen

  4. Institute of Information Engineering, Beijing, China

    Zhen Xu

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zhao, L., Cai, L., Yu, A., Xu, Z., Meng, D. (2020). Prototype-Based Malware Traffic Classification with Novelty Detection. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science(), vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-41579-2_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41578-5

  • Online ISBN: 978-3-030-41579-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation