Malware detection methods that use the IP flow information exported by NetFlow and IPFIX have been actively researched. However, when malware generates a long-duration flow, these existing methods cannot detect it while the flow is still being observed, and consequently need a long time to reach a verdict. They also cannot capture changes in the packet observation interval and data size, which they use as flow features, when those features change over a short period, because the features are aggregated over the entire flow.
To solve these problems, I propose a malware traffic detection method based on a sliding window. The proposed method makes a decision window by window, so a flow can be classified as malicious before it finishes. Because features are extracted from each window rather than from the whole flow, changes in the features that occur over a short period are also captured.
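The following Python is an added illustration of the window-by-window approach described above; it is not the paper's code. It computes the two flow features named in the text (mean inter-arrival interval and mean packet size) once over the whole flow, as a flow-record-based method would, and once per sliding window. The sample flow is constructed, not captured data, and the detection rule (flag a window whose mean inter-arrival interval is below 500 ms) is a placeholder assumption so the pipeline runs stand-alone; the paper's classifier, window length and thresholds are not given here.

```python
"""Sliding-window feature extraction over per-packet records of one IP flow.

Added example, not the paper's implementation. Timestamps are integer
milliseconds since flow start so window boundaries need no float arithmetic.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Callable, Iterator, List, Optional, Sequence


@dataclass(frozen=True)
class Packet:
    ts_ms: int   # observation time, milliseconds since flow start
    size: int    # packet size in bytes


@dataclass(frozen=True)
class Features:
    start_ms: int          # window start (inclusive)
    end_ms: int            # window end (exclusive); the time a verdict is available
    packets: int
    mean_interval_ms: float
    mean_size: float


def _features(pkts: Sequence[Packet], start_ms: int, end_ms: int) -> Features:
    # Caller guarantees len(pkts) >= 2 so the interval mean is defined.
    intervals = [b.ts_ms - a.ts_ms for a, b in zip(pkts, pkts[1:])]
    return Features(start_ms, end_ms, len(pkts),
                    mean(intervals), mean(p.size for p in pkts))


def flow_features(flow: Sequence[Packet]) -> Features:
    """Whole-flow aggregate: what a method working on finished flow records sees."""
    pkts = sorted(flow, key=lambda p: p.ts_ms)
    return _features(pkts, pkts[0].ts_ms, pkts[-1].ts_ms)


def window_features(flow: Sequence[Packet], window_ms: int, step_ms: int) -> Iterator[Features]:
    """Yield features for each window [start, start + window_ms) advanced by step_ms.

    Windows holding fewer than two packets are skipped because no interval exists.
    """
    pkts = sorted(flow, key=lambda p: p.ts_ms)
    start, last = pkts[0].ts_ms, pkts[-1].ts_ms
    while start <= last:
        end = start + window_ms
        inside = [p for p in pkts if start <= p.ts_ms < end]
        if len(inside) >= 2:
            yield _features(inside, start, end)
        start += step_ms


def suspicious(f: Features) -> bool:
    # Placeholder rule (an assumption for this example, not the paper's classifier).
    return f.mean_interval_ms < 500


def first_alert_ms(flow: Sequence[Packet], window_ms: int, step_ms: int,
                   rule: Callable[[Features], bool]) -> Optional[int]:
    """Time at which the first flagged window closes, or None if no window is flagged."""
    for f in window_features(flow, window_ms, step_ms):
        if rule(f):
            return f.end_ms
    return None


def constructed_flow() -> List[Packet]:
    """Constructed 30 s flow: 1400-byte packets every 2 s, a 4 s burst of 60-byte
    packets every 100 ms starting at 10 s, then 2 s spacing again until 30 s."""
    pkts = [Packet(t, 1400) for t in range(0, 10001, 2000)]
    pkts += [Packet(10000 + 100 * i, 60) for i in range(1, 41)]
    pkts += [Packet(t, 1400) for t in range(16000, 30001, 2000)]
    return pkts


if __name__ == "__main__":
    flow = constructed_flow()
    agg = flow_features(flow)
    print(f"whole flow: {agg.packets} packets, mean interval {agg.mean_interval_ms:.1f} ms, "
          f"mean size {agg.mean_size:.1f} B, flagged={suspicious(agg)} (verdict at {agg.end_ms} ms)")
    alert = first_alert_ms(flow, window_ms=3000, step_ms=1000, rule=suspicious)
    print(f"sliding window (3 s / 1 s): first flagged window closes at {alert} ms")
    for f in window_features(flow, 3000, 1000):
        print(f"  [{f.start_ms:5d},{f.end_ms:5d}) n={f.packets:2d} "
              f"interval={f.mean_interval_ms:7.1f} ms size={f.mean_size:7.1f} B")
```

On the constructed flow the whole-flow mean interval is about 566 ms, so the burst is averaged away and the placeholder rule never fires on the aggregate; the per-window features expose the burst in the window ending at 11 s, well before the flow ends at 30 s.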
In the evaluation, the proposed method reduced the time required to detect flows lasting longer than 10 seconds by 80% compared with existing methods. It was also verified that the proposed method captures changes in the features.
- 小松 聖矢, 桂 祐成, 垣内 正年, 新井 イスマイル, 藤川 和利, "Malware Traffic Detection in Deterministic Time Using IP Flow Information" (IPフロー情報を用いた確定時間でのマルウェアトラフィック検知), IEICE Technical Committee on Internet Architecture (IA), IEICE Technical Report, vol. 121, no. 201, pp. 6-11, 15 October 2021.