MalPaCa Feature Combination: Which packet header features and combination thereof are the most generalizable, private and easy to extract to cluster malicious behavior?

More Info


MalPaCa is an unsupervised clustering tool, which the main purpose is to cluster unidirectional network connections based on network behavior. The clustering is only based on non-intrusive (private) packet features such as transport and network header fields, and thus it has a strong potential use-case. This paper focuses on feature extraction and finding the best combinations that provide best clustering results. The features should be generalizable to a wide range of malware families and follow an easy extraction process. To expand the research one additional packet-based feature is found, TCP flags,  as well different variants of previously extracted features were employed, which improves the efficacy of the tool. Finally, a grid search is performed to determine the best combination of the features.