Automated Detection of Malware Activities Using Nonnegative Matrix Factorization

Malware is increasingly diversified and sophisticated. It is essential to rapidly and accurately detect malware activities when malware infection spreads. However, accurately distinguishing potential malware activities from countless indiscriminate scanning attacks is a huge challenge. In this stu...

Bibliographic Details
Main Authors: Han, Chansu, Takeuchi, Jun'ichi, Takahashi, Takeshi, Inoue, Daisuke
Format: Conference Proceeding
Language: English
container_end_page 556
container_start_page 548
creator Han, Chansu
Takeuchi, Jun'ichi
Takahashi, Takeshi
Inoue, Daisuke
description Malware is increasingly diversified and sophisticated. It is essential to rapidly and accurately detect malware activities when malware infection spreads. However, accurately distinguishing potential malware activities from countless indiscriminate scanning attacks is a huge challenge. In this study, we introduce Dark-NMF, a darknet analysis engine using Non-negative Matrix Factorization (NMF). Dark-NMF focuses on synchronizing the spatiotemporal features seen when malware infection spreads and detects abnormally synchronous spatial features (source hosts and destination ports) automatically in near real-time. Dark-NMF measures the synchronization of spatial features by decomposing spatiotemporal patterns from darknet traffic using NMF. We tuned the hyperparameters of Dark-NMF and evaluated the detection performance of malware activities against the performance of existing methods such as GLASSO and ChangeFinder using a human-labeled ground truth. We found that Dark-NMF detects all malware activities that should be detected in the ground truth without a miss. We also showed that Dark-NMF has many advantages over existing methods and provided a highly practical operation guideline. Consequently, Dark-NMF is expected to contribute as threat intelligence information for rapid response to malware activity.
doi_str_mv 10.1109/TrustCom53373.2021.00085
format conference_proceeding
identifier EISSN: 2324-9013
ispartof 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 2021, p.548-556
issn 2324-9013
language eng
recordid cdi_ieee_primary_9724358
source IEEE Xplore All Conference Series
subjects darknet
Feature extraction
Malware
malware activity
network scan
non-negative matrix factorization
Privacy
Real-time systems
Security
spatiotemporal feature
Spatiotemporal phenomena
Synchronization
title Automated Detection of Malware Activities Using Nonnegative Matrix Factorization