Malware Classification Method Based on Sequence of Traffic Flow

Hyoyoung Lim, Yukiko Yamaguchi, Hajime Shimada, Hiroki Takakura


Network-based malware classification plays an important role in improving system security than system-based malware classification. The vast majority of malware needs a network activity in order to accomplish its purpose (e.g., downloading malware, connecting to a C&C server, etc.). Many malware classification approaches based on network behavior have thus been proposed. Nevertheless, they merely rely on either a request URL or payload for signature matching. To classify the network activity of malware, the patterns of network behavior must be understood and the changes in behavior observed. Therefore, the sequence of flows and their correlation caused by the malware should be analysed. In this paper, we present a novel malware classification method based on clustering of flow features and sequence alignment algorithms for computing sequence similarity, which represents network behavior of malware. We focus on analysing the sequence similarity between the sequence patterns of malware traffic flow generated by executing malware on the dynamic analysing system. We also performed an evaluation by using malware traffic collected from a real environment. On the basis of our experimental results, we identified the most appropriate method for classifying malware by similarity of network activity.


  1. Aoki, K., Kawakoya, Y., Iwamura, M., and Itoh, M. (2010). Investigation about malware execution time in dynamic analysis. In Computer Security Symposium.
  2. Berger-Sabbatel, G. and Duda, A. (2012). Classification of malware network activity. In Multimedia Communications, Services and Security, pages 24-35. Springer.
  3. Coull, S., Branch, J., Szymanski, B., and Breimer, E. (2003). Intrusion detection: A bioinformatics approach. In Computer Security Applications Conference, 2003. Proceedings. 19th Annual. IEEE.
  4. Coull, S. E. and Szymanski, B. K. (2008). Sequence alignment for masquerade detection. Computational Statistics & Data Analysis, 52(8):4116-4131.
  5. Erman, J., Arlitt, M., and Mahanti, A. (2006). Traffic classification using clustering algorithms. In Proceedings of the 2006 SIGCOMM workshop on Mining network data, pages 281-286. ACM.
  6. Iwamoto, K. and Wasaki, K. (2012). Malware classification based on extracted api sequences using static analysis. In Proceedings of the Asian Internet Engineeering Conference, AINTEC 7812, pages 31-38, New York, NY, USA. ACM.
  7. McAfee (2014). Mcafee labs threats report: June 2014.
  8. Nari, S. and Ghorbani, A. A. (2013). Automated malware classification based on network behavior. In Computing, Networking and Communications (ICNC), 2013 International Conference on, pages 642-647. IEEE.
  9. Needleman, S. B. and Wunsch, C. D. (1970). A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of Molecular Biology, 48(3):443-453.
  10. Pedersen, J., Bastola, D., Dick, K., Gandhi, R., and Mahoney, W. (2013). Fingerprinting malware using bioinformatics tools building a classifier for the zeus virus. The 2013 International Conference on Security & Management (SAM2013).
  11. Perdisci, R., Lee, W., and Feamster, N. (2010). Behavioral clustering of http-based malware and signature generation using malicious network traces. In NSDI.
  12. Rafique, M. Z., Chen, P., Huygens, C., and Joosen, W. (2014). Evolutionary algorithms for classification of malware families through different network behaviors. In Proceedings of the 2014 conference on Genetic and evolutionary computation, pages 1167- 1174. ACM.
  13. Shankarapani, M. K., Ramamoorthy, S., Movva, R. S., and Mukkamala, S. (2011). Malware detection using assembly and api call sequences. Journal in computer virology, 7(2):107-119.
  14. Smith, T. F. and Waterman, M. S. (1981). Identification of common molecular subsequences. Journal of molecular biology, 147(1):195-197.
  15. Stakhanova, N., Couture, M., and Ghorbani, A. A. (2011). Exploring network-based malware classification. In Malicious and Unwanted Software (MALWARE), 2011 6th International Conference on, pages 14-20. IEEE.

Paper Citation

in Harvard Style

Lim H., Yamaguchi Y., Shimada H. and Takakura H. (2015). Malware Classification Method Based on Sequence of Traffic Flow . In Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-081-9, pages 230-237. DOI: 10.5220/0005235002300237

in Bibtex Style

author={Hyoyoung Lim and Yukiko Yamaguchi and Hajime Shimada and Hiroki Takakura},
title={Malware Classification Method Based on Sequence of Traffic Flow},
booktitle={Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},

in EndNote Style

JO - Proceedings of the 1st International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Malware Classification Method Based on Sequence of Traffic Flow
SN - 978-989-758-081-9
AU - Lim H.
AU - Yamaguchi Y.
AU - Shimada H.
AU - Takakura H.
PY - 2015
SP - 230
EP - 237
DO - 10.5220/0005235002300237