MalPaCa Feature Combination: Which packet header features and combination thereof are the most generalizable, private and easy to extract to cluster malicious behavior?
J. Garack (TU Delft - Electrical Engineering, Mathematics and Computer Science)
Sicco Verwer – Mentor (TU Delft - Cyber Security)
Azqa Nadeem – Graduation committee member (TU Delft - Cyber Security)
M.A. Migut – Coach (TU Delft - Computer Science & Engineering-Teaching Team)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
MalPaCa is an unsupervised clustering tool whose main purpose is to cluster unidirectional network connections based on their network behavior. The clustering relies only on non-intrusive (private) packet features, such as transport- and network-layer header fields, and thus has a strong potential use-case. This paper focuses on feature extraction and on finding the feature combinations that give the best clustering results. The features should be generalizable to a wide range of malware families and follow an easy extraction process. To extend the research, one additional packet-based feature, TCP flags, is introduced, and different variants of the previously extracted features are employed, which improves the efficacy of the tool. Finally, a grid search is performed to determine the best combination of the features.
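The abstract describes two steps: turning each unidirectional connection into sequences of header-only features (including TCP flags), and grid-searching feature combinations for the one that clusters behavior best. The Python below is an added illustration of that workflow and is not code from the thesis or from MalPaCa. Everything in it is an assumption for the sake of the example: the packet trace and the "scan"/"transfer" ground-truth labels are constructed, the connection key (source, destination, destination port) and the three features (packet size, inter-arrival time, TCP flag byte) are chosen here, and connections are compared with a mean absolute difference over min-max-normalized sequences, scored by the ratio of same-label to different-label distance (lower is better). The constructed data is deliberately built so that the flag byte alone separates the two behaviors cleanly.

```python
"""Added example: header-feature extraction per unidirectional connection and a
grid search over feature combinations. All data and design choices are
constructed for illustration; this is not MalPaCa's implementation."""
from collections import defaultdict
from itertools import combinations

SEQ_LEN = 3  # assumption: keep the first SEQ_LEN packets of each connection


def pkt(ts, src, dst, dport, size, flags):
    """Header-only packet record (no payload). flags is the TCP flag byte."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "proto": 6, "size": size, "flags": flags}


# Constructed trace: two "scan-like" connections (lone SYNs, tiny packets)
# and two "transfer-like" connections (large PSH+ACK segments, fast pace).
PACKETS = [
    pkt(0.00, "10.0.0.5", "10.0.0.10", 22, 60, 0x02),
    pkt(0.10, "10.0.0.5", "10.0.0.10", 22, 60, 0x02),
    pkt(0.20, "10.0.0.5", "10.0.0.10", 22, 60, 0x02),
    pkt(0.00, "10.0.0.5", "10.0.0.11", 22, 64, 0x02),
    pkt(0.12, "10.0.0.5", "10.0.0.11", 22, 64, 0x02),
    pkt(0.24, "10.0.0.5", "10.0.0.11", 22, 64, 0x02),
    pkt(0.000, "10.0.0.7", "10.0.0.20", 443, 1400, 0x18),
    pkt(0.010, "10.0.0.7", "10.0.0.20", 443, 1400, 0x18),
    pkt(0.020, "10.0.0.7", "10.0.0.20", 443, 1400, 0x18),
    pkt(0.000, "10.0.0.7", "10.0.0.21", 443, 1380, 0x18),
    pkt(0.012, "10.0.0.7", "10.0.0.21", 443, 1380, 0x18),
    pkt(0.024, "10.0.0.7", "10.0.0.21", 443, 1380, 0x18),
]

# Constructed ground truth, used only to score feature combinations.
LABELS = {
    ("10.0.0.5", "10.0.0.10", 22): "scan",
    ("10.0.0.5", "10.0.0.11", 22): "scan",
    ("10.0.0.7", "10.0.0.20", 443): "transfer",
    ("10.0.0.7", "10.0.0.21", 443): "transfer",
}

# Per-packet feature extractors; each sees the packet and its predecessor.
FEATURES = {
    "size": lambda p, prev: float(p["size"]),
    "interarrival": lambda p, prev: p["ts"] - prev["ts"] if prev else 0.0,
    "flags": lambda p, prev: float(p["flags"]),
}


def extract_sequences(packets, feature_names):
    """Group packets into unidirectional connections (src, dst, dport) and
    turn the first SEQ_LEN packets of each into rows of feature values."""
    by_conn = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        by_conn[(p["src"], p["dst"], p["dport"])].append(p)
    seqs = {}
    for key, pkts in by_conn.items():
        rows, prev = [], None
        for p in pkts[:SEQ_LEN]:
            rows.append([FEATURES[f](p, prev) for f in feature_names])
            prev = p
        seqs[key] = rows
    return seqs


def normalize(seqs, n_features):
    """Min-max scale each feature column to [0, 1] across all connections so
    that wide-range fields (packet size) do not dominate the distance."""
    lo = [min(row[i] for rows in seqs.values() for row in rows) for i in range(n_features)]
    hi = [max(row[i] for rows in seqs.values() for row in rows) for i in range(n_features)]
    return {key: [[(v - lo[i]) / (hi[i] - lo[i]) if hi[i] > lo[i] else 0.0
                   for i, v in enumerate(row)] for row in rows]
            for key, rows in seqs.items()}


def distance(a, b):
    """Mean absolute difference over the aligned leading positions of two sequences."""
    n = min(len(a), len(b))
    total = sum(abs(x - y) for i in range(n) for x, y in zip(a[i], b[i]))
    return total / (n * len(a[0]))


def separation_score(seqs, labels):
    """Ratio of mean same-label distance to mean different-label distance;
    lower means the feature set pulls same-behavior connections together."""
    keys = list(seqs)
    same, diff = [], []
    for i, j in combinations(range(len(keys)), 2):
        d = distance(seqs[keys[i]], seqs[keys[j]])
        (same if labels[keys[i]] == labels[keys[j]] else diff).append(d)
    mean_same = sum(same) / len(same)
    mean_diff = sum(diff) / len(diff)
    return mean_same / mean_diff if mean_diff > 0 else float("inf")


def grid_search(packets, labels, feature_names=tuple(FEATURES)):
    """Score every non-empty feature combination; return (combo, score) best first."""
    results = []
    for r in range(1, len(feature_names) + 1):
        for combo in combinations(feature_names, r):
            seqs = normalize(extract_sequences(packets, combo), len(combo))
            results.append((combo, separation_score(seqs, labels)))
    results.sort(key=lambda item: item[1])
    return results


if __name__ == "__main__":
    for combo, score in grid_search(PACKETS, LABELS):
        print(f"{'+'.join(combo):25s} separation={score:.4f}")
```

On real traffic the scoring step would use a clustering-quality measure rather than constructed labels, and the feature sequences would be far longer, but the shape of the search is the same: every candidate combination is extracted from header fields only, scored, and ranked.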