We present an end-to-end supervised based system
for detecting malware by analyzing network traffic. The
proposed method extracts 972 behavioral features across
different protocols and network layers, and refers to different
observation resolutions (transaction, session, flow and
conversation windows). A feature selection method is then used
to identify the most meaningful features and to reduce the data
dimensionality to a tractable size. Finally, various supervised
methods are evaluated to indicate whether traffic in the network
is malicious, to attribute it to known malware “families” and to
discover new threats. A comparative experimental study using
real network traffic from various environments indicates that the
proposed system outperforms existing state-of-the-art rule-based
systems, such as Snort and Suricata. In particular, our
chronological evaluation shows that many unknown malware
incidents could have been detected at least a month before their
static rules were introduced to either the Snort or Suricata
systems.