Automated Detection of Malware Activities Using Nonnegative Matrix Factorization


Bibliographic Details
Main Authors: Han, Chansu, Takeuchi, Jun'ichi, Takahashi, Takeshi, Inoue, Daisuke
Format: Conference Proceeding
Language: English
Description
Summary: Malware is increasingly diversified and sophisticated. It is essential to rapidly and accurately detect malware activities when malware infection spreads. However, accurately distinguishing potential malware activities from countless indiscriminate scanning attacks is a huge challenge. In this study, we introduce Dark-NMF, a darknet analysis engine using Non-negative Matrix Factorization (NMF). Dark-NMF focuses on synchronizing the spatiotemporal features seen when malware infection spreads and detects abnormally synchronous spatial features (source hosts and destination ports) automatically in near real-time. Dark-NMF measures the synchronization of spatial features by decomposing spatiotemporal patterns from darknet traffic using NMF. We tuned the hyperparameters of Dark-NMF and evaluated the detection performance of malware activities against the performance of existing methods such as GLASSO and ChangeFinder using a human-labeled ground truth. We found that Dark-NMF detects all malware activities that should be detected in the ground truth without a miss. We also showed that Dark-NMF has many advantages over existing methods and provided a highly practical operation guideline. Consequently, Dark-NMF is expected to contribute as threat intelligence information for rapid response to malware activity.
ISSN: 2324-9013
DOI: 10.1109/TrustCom53373.2021.00085