Sistema de Detección de Envío de Malware mediante el Análisis de la Carga Útil del Tráfico de la Red (Malware Detection System by Payload Analysis of Network Traffic)

Luis Javier García Villalba (javiergv@fdi.ucm.es), Ana Lucila Sandoval Orozco (asandoval@fdi.ucm.es), Jorge Maestre Vidal (gass@fdi.ucm.es)


Universidad Complutense de Madrid
This paper appears in: Revista IEEE América Latina

Publication Date: March 2015
Volume: 13,   Issue: 3 
ISSN: 1548-0992


Abstract:
This paper presents an intrusion detection system that analyzes the network traffic payload looking for evidence of malware. The detection algorithm is implemented as a Snort preprocessor component, so the combined system is highly effective against known attacks (through Snort's signature rules) and against unknown threats (the main aim of the designed system). Like most such systems, the proposal consists of two phases: a training phase and a detection phase. During the training phase a statistical model of legitimate network usage is built using Bloom filter and n-gram techniques. The results obtained by analyzing a dataset of attacks are then compared with that model, which allows a set of rules to be derived that determine whether a packet payload contains malware. In the detection phase, the traffic under analysis is compared with the model built during training and the derived rules are applied to the result. The experiments performed gave satisfactory results, with 100% malware detection and only 0.15% false positives.

Index Terms:
Anomaly, Bloom Filter, IDS, Intrusion Detection System, Malware, N-Gram, NIDS, Payload, Preprocessor, Network Intrusion Detection System, Snort   
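The two-phase scheme sketched in the abstract (an n-gram model of benign payloads held in a Bloom filter, a detection rule calibrated against an attack dataset, then scoring of new packets) as an added stand-alone example. This is illustration code written for this page, not the authors' Snort preprocessor: the Bloom filter parameters, the n-gram length, the novelty score, the threshold rule and every payload below are constructed assumptions, and the paper's actual scoring and rule-derivation details are not reproduced here.

```python
"""Added example (not the paper's code): n-gram/Bloom-filter payload model.
Train on benign payloads, calibrate a rule on an attack dataset, score packets.
All payloads are constructed for illustration."""
import hashlib
from typing import Dict, Iterable, Iterator


class BloomFilter:
    """Bit array with k hash positions derived from one SHA-256 digest (double
    hashing). Lookups can false-positive but never false-negative, so an n-gram
    reported 'unseen' is guaranteed absent from the training traffic."""

    def __init__(self, size_bits: int = 1 << 16, num_hashes: int = 4) -> None:
        self.size_bits = size_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item: bytes) -> Iterator[int]:
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step: every slot reachable
        for i in range(self.num_hashes):
            yield (h1 + i * h2) % self.size_bits

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def ngrams(payload: bytes, n: int) -> Iterator[bytes]:
    """Sliding window of byte n-grams over a packet payload."""
    return (payload[i:i + n] for i in range(len(payload) - n + 1))


def train(benign_payloads: Iterable[bytes], n: int) -> BloomFilter:
    """Training phase: the model of legitimate usage is the set of n-grams seen in benign traffic."""
    model = BloomFilter()
    for payload in benign_payloads:
        for gram in ngrams(payload, n):
            model.add(gram)
    return model


def novelty_score(model: BloomFilter, payload: bytes, n: int) -> float:
    """Fraction of the payload's n-grams absent from the model (0 = all known, 1 = all novel)."""
    grams = list(ngrams(payload, n))
    if not grams:
        return 0.0
    return sum(1 for gram in grams if gram not in model) / len(grams)


def derive_threshold(model: BloomFilter, benign_holdout: Iterable[bytes],
                     attack_payloads: Iterable[bytes], n: int) -> float:
    """Rule derivation (assumed rule): compare attack-dataset scores with benign scores and
    place the threshold halfway between the worst benign and the least novel attack score.
    If the two ranges overlap, fall back to the worst benign score so no holdout packet is flagged."""
    worst_benign = max(novelty_score(model, p, n) for p in benign_holdout)
    least_attack = min(novelty_score(model, p, n) for p in attack_payloads)
    return (worst_benign + least_attack) / 2 if least_attack > worst_benign else worst_benign


def classify(model: BloomFilter, threshold: float, payload: bytes, n: int) -> str:
    """Detection phase: flag a payload whose novelty exceeds the derived threshold."""
    return "malware" if novelty_score(model, payload, n) > threshold else "benign"


# Constructed sample traffic (not from the paper's dataset).
N = 3
BENIGN_TRAIN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 29\r\n\r\nuser=alice&password=s3cret123",
    b"GET /css/style.css HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/css\r\n\r\n",
]
BENIGN_HOLDOUT = [
    b"GET /contact.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
]
ATTACKS = {
    "sqli": b"GET /index.php?id=1' UNION SELECT username,password FROM users-- HTTP/1.1\r\n"
            b"Host: www.example.com\r\n\r\n",
    "binary": b"\x90" * 32 + bytes(range(0x80, 0xA0)),  # NOP-sled-like blob, constructed
}
MODEL = train(BENIGN_TRAIN, N)


def run_demo() -> Dict[str, object]:
    """Calibrate the rule on the attack set and classify the holdout and attack payloads."""
    threshold = derive_threshold(MODEL, BENIGN_HOLDOUT, ATTACKS.values(), N)
    scores = {"holdout": novelty_score(MODEL, BENIGN_HOLDOUT[0], N)}
    scores.update({name: novelty_score(MODEL, p, N) for name, p in ATTACKS.items()})
    verdicts = {"holdout": classify(MODEL, threshold, BENIGN_HOLDOUT[0], N)}
    verdicts.update({name: classify(MODEL, threshold, p, N) for name, p in ATTACKS.items()})
    return {"threshold": threshold, "scores": scores, "verdicts": verdicts}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

In the paper the equivalent logic runs inside a Snort preprocessor, so the packet payload arrives already reassembled from the Snort pipeline and the verdict can be handed to the rule engine; the Python above only shows the model, the calibration step and the scoring. The no-false-negative property of the Bloom filter is what makes the novelty score sound: a filter false positive can only make an attack look slightly more benign, never make benign traffic look novel, so the filter size should be chosen for the expected number of distinct n-grams in the training set.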

