
Malware Detection System by Payload Analysis of Network Traffic (Poster Abstract)

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2012)

Abstract

NIDS based on payload analysis detect malicious code by analysing the payload of the packets flowing through the network. They typically consist of a training phase and a detection phase. Training is performed on clean traffic so that the resulting model statistically represents the system's usual traffic; a pattern of such traffic is thus established. During detection, the observed traffic is modeled and compared against these patterns to determine whether it can be classified as dangerous. Various proposals that analyse the payload to detect malicious code are then described. In general, all are variants of PAYL [1], one of the first proposals to use this technique successfully. PAYL classifies traffic according to three characteristics: the port, the packet size and the flow direction (inbound or outbound). Using these three parameters, payloads are grouped into classes and a series of patterns is created to define what constitutes normal behavior within each class. Poseidon [2] was developed to correct the errors that arise in PAYL's model building when clustering on packet size is applied. The combination of multiple one-class classifiers, also based on PAYL, was developed to eliminate the original system's vulnerability to mimicry attacks. PCNAD [3] appeared to correct PAYL's inability to process large packets on fast networks at sufficient speed. Anagram is another evolution of PAYL, developed by the same authors to correct the deficiencies of the original system. Like PAYL, it uses n-grams to process packets and build patterns of behavior; however, it employs Bloom filters to divide packets into n-grams of size larger than one without the space and performance cost this would otherwise incur.
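As an added illustration (not code from the paper or from PAYL/Anagram), the following sketch combines the two ideas the abstract describes: traffic is partitioned into PAYL-style classes keyed by port, flow direction and packet-size bucket, and each class keeps an Anagram-style Bloom filter of the n-grams seen in clean training traffic, so a packet is scored by the fraction of its n-grams the filter has never seen. The Bloom filter sizing, the size bucket of 64 bytes, n=3 and the HTTP sample payloads are all constructed assumptions for the demo.

```python
import hashlib
from collections import defaultdict

class BloomFilter:
    """Fixed-size Bloom filter over byte strings (simplified: k SHA-256-derived slots)."""
    def __init__(self, m_bits=8192, k=3):
        self.m, self.k, self.bits = m_bits, k, bytearray(m_bits // 8)
    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m
    def add(self, item):
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, item):
        # No false negatives: every n-gram added during training is always found.
        return all(self.bits[p // 8] >> (p % 8) & 1 for p in self._positions(item))

def ngrams(payload, n):
    return [payload[i:i + n] for i in range(len(payload) - n + 1)]

def traffic_class(port, direction, size, bucket=64):
    """PAYL-style class key: service port, flow direction, packet-size bucket (assumed 64 B)."""
    return (port, direction, size // bucket)

class PayloadModel:
    def __init__(self, n=3):
        self.n, self.filters = n, defaultdict(BloomFilter)

    def train(self, port, direction, payload):
        """Training phase: record every n-gram of a clean payload in its class's filter."""
        bf = self.filters[traffic_class(port, direction, len(payload))]
        for g in ngrams(payload, self.n):
            bf.add(g)

    def score(self, port, direction, payload):
        """Detection phase: fraction of n-grams unseen for this class (0.0 = fully normal)."""
        key = traffic_class(port, direction, len(payload))
        grams = ngrams(payload, self.n)
        if key not in self.filters or not grams:
            return 1.0  # class never trained or packet too short to model: flag it
        return sum(g not in self.filters[key] for g in grams) / len(grams)

CLEAN = [b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",  # constructed clean traffic
         b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"]

def demo():
    model = PayloadModel(n=3)
    for p in CLEAN:
        model.train(80, "in", p)
    # A known-good request versus a constructed 52-byte payload of bytes never seen on port 80.
    return model.score(80, "in", CLEAN[0]), model.score(80, "in", bytes(range(0x41, 0x41 + 52)))
```

A real deployment would set a per-class threshold on the score and tune the filter size to bound the false-positive rate; the abstract's point is that the filter lets n>1 be used without storing every n-gram explicitly.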


References

  1. Almeida, P.S., Baquero, C., Preguica, N., Hutchison, D.: Scalable bloom filters. Information Processing Letters 101(6), 255–261 (2007)

  2. Zhang, Y., Li, T., Sun, J., Qin, R.: An FSM-Based Approach for Malicious Code Detection Using the Self-Relocation Gene. In: Huang, D.-S., Wunsch II, D.C., Levine, D.S., Jo, K.-H. (eds.) ICIC 2008. LNCS, vol. 5226, pp. 364–371. Springer, Heidelberg (2008)

  3. Shafiq, M.Z., Tabish, S.M., Mirza, F., Farooq, M.: PE-Miner: Mining Structural Information to Detect Malicious Executables in Realtime. In: Balzarotti, D. (ed.) RAID 2009. LNCS, vol. 5758, pp. 121–141. Springer, Heidelberg (2009)

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg


Cite this paper

Villalba, L.J.G., Castro, J.D.M., Orozco, A.L.S., Puentes, J.M. (2012). Malware Detection System by Payload Analysis of Network Traffic (Poster Abstract). In: Balzarotti, D., Stolfo, S.J., Cova, M. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2012. Lecture Notes in Computer Science, vol 7462. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33338-5_30


  • DOI: https://doi.org/10.1007/978-3-642-33338-5_30

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33337-8

  • Online ISBN: 978-3-642-33338-5
