MalPaCa Feature Combination: Which packet header features and combination thereof are the most generalizable, private and easy to extract to cluster malicious behavior?


Abstract

MalPaCa is an unsupervised clustering tool whose main purpose is to cluster unidirectional network connections based on their network behaviour. The clustering relies only on non-intrusive (private) packet features, such as transport- and network-layer header fields, which gives the tool a strong potential use case. This paper focuses on feature extraction and on finding the feature combinations that provide the best clustering results. The features should generalise to a wide range of malware families and be easy to extract. To extend the research, one additional packet-based feature, TCP flags, is introduced, and different variants of previously extracted features are employed, which improves the efficacy of the tool. Finally, a grid search is performed to determine the best combination of features.
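The following is an added example, not MalPaCa's own code or the paper's, showing what header-only feature extraction for unidirectional connections looks like: packets are grouped by (source, destination, destination port, protocol), and per-connection sequences of packet size, inter-arrival gap and TCP flags are produced, together with the enumeration of feature subsets a grid search would iterate over. The flow key, the feature names and the sample packets are assumptions constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# TCP flag bits (RFC 793, with ECE/CWR from RFC 3168), low bit first
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"),
             (0x10, "A"), (0x20, "U"), (0x40, "E"), (0x80, "C")]

def flags_to_str(flags: int) -> str:
    """Render a TCP flags byte as e.g. 'S', 'SA', 'PA' (empty for non-TCP)."""
    return "".join(name for bit, name in TCP_FLAGS if flags & bit)

def extract_features(packets, fields=("bytes", "gap", "flags")):
    """Group time-ordered packets into unidirectional connections keyed by
    (src, dst, dst_port, proto) and return one header-derived sequence per
    selected feature for each connection. No payload is ever read."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[(pkt["src"], pkt["dst"], pkt["dport"], pkt["proto"])].append(pkt)
    out = {}
    for key, pkts in flows.items():
        feats = {}
        if "bytes" in fields:
            feats["bytes"] = [p["len"] for p in pkts]
        if "gap" in fields:
            # inter-arrival time in milliseconds; the first packet gets 0
            feats["gap"] = [0.0] + [round((b["ts"] - a["ts"]) * 1000, 3)
                                    for a, b in zip(pkts, pkts[1:])]
        if "flags" in fields:
            feats["flags"] = [flags_to_str(p.get("flags", 0)) for p in pkts]
        out[key] = feats
    return out

def feature_combinations(fields=("bytes", "gap", "flags")):
    """All non-empty feature subsets, i.e. the grid a feature search walks."""
    return [c for r in range(1, len(fields) + 1) for c in combinations(fields, r)]

# Constructed sample packets (not captured traffic): a TCP handshake start and
# a request in one direction, the SYN/ACK in the reverse direction, one DNS query.
SAMPLE = [
    {"ts": 0.000, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "proto": "tcp", "len": 60, "flags": 0x02},
    {"ts": 0.020, "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 51234, "proto": "tcp", "len": 60, "flags": 0x12},
    {"ts": 0.021, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "proto": "tcp", "len": 52, "flags": 0x10},
    {"ts": 0.025, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 80, "proto": "tcp", "len": 180, "flags": 0x18},
    {"ts": 0.300, "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 53, "proto": "udp", "len": 71},
]

if __name__ == "__main__":
    for key, feats in extract_features(SAMPLE).items():
        print(key, feats)
    print(len(feature_combinations()), "feature subsets to search")
```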