In collaboration with Ministry of Economy under the Magnet Program
D Bekerman, B Shapira, L Rokach, A Bar
Communications and Network Security (CNS), 2015 IEEE Conference on, 134-142
We present an end-to-end supervised based systemfor detecting malware by analyzing network traffic. Theproposed method extracts 972 behavioral features acrossdifferent protocols and network layers, and refers to differentobservation resolutions (transaction, session, flow andconversation windows). A feature selection method is then usedto identify the most meaningful features and to reduce the datadimensionality to a tractable size. Finally, various supervisedmethods are evaluated to indicate whether traffic in the networkis malicious, to attribute it to known malware “families” and todiscover new threats. A comparative experimental study usingreal network traffic from various environments indicates that theproposed system outperforms existing state-of-the-art rule-basedsystems, such as Snort and Suricata. In particular, ourchronological evaluation shows that many unknown malwareincidents could have been detected at least a month before theirstatic rules were introduced to either the Snort or Suricatasystems.