Classification of packet contents for malware detection | Journal of Computer Virology and Hacking Techniques

Classification of packet contents for malware detection

  • Original paper
Journal in Computer Virology


Abstract

Many existing schemes for malware detection are signature-based. Although they can effectively detect known malware, they cannot detect variants of known malware or new malware. Most network servers, such as online shopping malls, Picasa, YouTube, Blogger, etc., do not expect executable code in their inbound network traffic. Therefore, such network applications can be protected from malware infection by monitoring their ports to see if incoming packets contain any executable content. This paper proposes a content-classification scheme that identifies executable content in incoming packets. The proposed scheme analyzes the packet payload in two steps. It first analyzes the payload to see if it contains multimedia-type data (such as avi, wmv, jpg). If not, it classifies the payload either as text-type (such as txt, jsp, asp) or executable. Although in our experiments the proposed scheme shows low rates of false negatives and false positives (4.69% and 2.53%, respectively), the remaining inaccuracies still require further inspection to efficiently detect the occurrence of malware. In this paper, we also propose simple statistical and combinatorial analysis to deal with false positives and negatives.
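As an added illustration, not the paper's implementation (the page does not describe the paper's classification features), the two-step payload classifier below first checks for multimedia signatures and then splits the remainder into text or executable using a printable-byte ratio and PE/ELF headers, both assumed heuristics; `error_rates` computes the false-negative and false-positive rates the abstract reports over a labelled set of constructed payloads.

```python
# Added example, not the paper's implementation: the page does not give the
# paper's classification features, so the multimedia step uses well-known
# file signatures and the text/executable step uses a printable-byte ratio
# plus PE/ELF headers. Both heuristics are assumptions made for illustration.
from typing import List, Tuple

# Step 1: multimedia signatures at the start of the payload.
MULTIMEDIA_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"RIFF": "avi",  # RIFF container; 'AVI ' form tag at offset 8
    b"\x30\x26\xb2\x75\x8e\x66\xcf\x11": "wmv",  # ASF header GUID
}
EXEC_MAGIC = (b"MZ", b"\x7fELF")  # assumed step-2 feature
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def is_multimedia(payload: bytes) -> bool:
    for magic, kind in MULTIMEDIA_MAGIC.items():
        if payload.startswith(magic):
            return payload[8:12] == b"AVI " if kind == "avi" else True
    return False

def classify(payload: bytes, text_threshold: float = 0.95) -> str:
    """Return 'multimedia', 'text' or 'executable' for one packet payload."""
    if is_multimedia(payload):
        return "multimedia"
    if payload.startswith(EXEC_MAGIC):
        return "executable"
    if not payload:
        return "text"
    ratio = sum(b in PRINTABLE for b in payload) / len(payload)
    return "text" if ratio >= text_threshold else "executable"

def error_rates(samples: List[Tuple[bytes, str]]) -> Tuple[float, float]:
    """(false-negative rate, false-positive rate) for the executable class."""
    fn = fp = execs = others = 0
    for payload, label in samples:
        hit = classify(payload) == "executable"
        if label == "executable":
            execs, fn = execs + 1, fn + (not hit)
        else:
            others, fp = others + 1, fp + hit
    return (fn / execs if execs else 0.0, fp / others if others else 0.0)

# Constructed sample payloads (not real traffic).
SAMPLES = [
    (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)), "multimedia"),
    (b"RIFF\x00\x10\x00\x00AVI LIST" + bytes(range(256)), "multimedia"),
    (b"GET /index.jsp HTTP/1.1\r\nHost: shop.example\r\n\r\n", "text"),
    (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff", "executable"),
    (bytes(range(256)) * 2, "executable"),  # headerless binary blob
]
```

A high-entropy non-executable payload (compressed or encrypted data) falls through the multimedia check and is flagged as executable, which is the kind of false positive the abstract says still needs further inspection.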


Author information

Corresponding author

Correspondence to Kyung-suk Lhee.

Cite this article

Ahmed, I., Lhee, Ks. Classification of packet contents for malware detection. J Comput Virol 7, 279–295 (2011). https://doi.org/10.1007/s11416-011-0156-6
