Presentation | 2021-10-15 Malware Traffic Detection at Certain Time Using IP Flow Information Seiya Komatsu, Yusei Katsura, Masatoshi Kakiuchi, Ismail Arai, Kazutoshi Fujikawa, |
---|---|
PDF Download Page | PDF download Page Link |
Abstract(in Japanese) | (See Japanese page) |
Abstract(in English) | The damage caused by the activities of malware such as botnets and ransomware has become a social problem. In order to detect malware activity efficiently and reduce the damage, research on detecting malware activity traffic in the network has been proposed. There are three types of traffic information used in these research: packet information, IP flow information, and interface counters information. In the case of using IP flow information, traffic is aggregated in 5-tuples, which is lightweight, but the information is not output until a timeout occurs or the connection is terminated. Therefore, making it difficult to detect scanning activities or long-lasting flows at an early stage. This research aims to maintain the same detection performance as conventional research by modifying the feature while detecting these flows before they terminate. In this paper, we experiment with existing methods that use connection status, port numbers, and transport layer protocols transition of each flow as features. We used the ISCX botnet dataset converted into IP flow information using Zeek to investigate the detection performance when the upper limit of flow duration is not set (the longest flow in the dataset: 240,418 seconds) and when the upper limit is set to 30 seconds. As a result, we confirmed that detection was possible with an F-measure of 98.1% and 96.1%, respectively. From this research, we showed that it is possible to detect malware traffic within 30 seconds (a certain time) with a slight decrease in detection performance. |
Keyword(in Japanese) | (See Japanese page) |
Keyword(in English) | Malware / Botnet / Malware Detection / Intrusion Detection / Network Security |
Paper # | IA2021-27 |
Date of Issue | 2021-10-08 (IA) |
Conference Information | |
Committee | IA |
---|---|
Conference Date | 2021/10/15(1days) |
Place (in Japanese) | (See Japanese page) |
Place (in English) | Online |
Topics (in Japanese) | (See Japanese page) |
Topics (in English) | Network R&D Testbed Operation and Utilization, etc. (cosponsored by ADVNET) |
Chair | Tomoki Yoshihisa(Osaka Univ.) |
Vice Chair | Toru Kondo(Hiroshima Univ.) / Yuichiro Hei(KDDI Research) / Hiroshi Yamamoto(Ritsumeikan Univ.) |
Secretary | Toru Kondo(Osaka Univ.) / Yuichiro Hei(Kogakuin Univ.) / Hiroshi Yamamoto(NEC) |
Assistant | Daisuke Kotani(Kyoto Univ.) / Ryo Nakamurai(Fukuoka Univ.) / Daiki Nobayashi(Kyushu Inst. of Tech.) |
Paper Information | |
Registration To | Technical Committee on Internet Architecture |
---|---|
Language | JPN |
Title (in Japanese) | (See Japanese page) |
Sub Title (in Japanese) | (See Japanese page) |
Title (in English) | Malware Traffic Detection at Certain Time Using IP Flow Information |
Sub Title (in English) | |
Keyword(1) | Malware |
Keyword(2) | Botnet |
Keyword(3) | Malware Detection |
Keyword(4) | Intrusion Detection |
Keyword(5) | Network Security |
1st Author's Name | Seiya Komatsu |
1st Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
2nd Author's Name | Yusei Katsura |
2nd Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
3rd Author's Name | Masatoshi Kakiuchi |
3rd Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
4th Author's Name | Ismail Arai |
4th Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
5th Author's Name | Kazutoshi Fujikawa |
5th Author's Affiliation | Nara Institute of Science and Technology(NAIST) |
Date | 2021-10-15 |
Paper # | IA2021-27 |
Volume (vol) | vol.121 |
Number (no) | IA-201 |
Page | pp.pp.6-11(IA), |
#Pages | 6 |
Date of Issue | 2021-10-08 (IA) |