# Beyond Labeling: Using Clustering to Build Network Behavioral Profiles   of Malware Families

**Authors:** Azqa Nadeem, Christian Hammerschmidt, Carlos H. Ga\~n\'an, Sicco, Verwer

arXiv: 1904.01371 · 2021-01-01

## TL;DR

This paper introduces MalPaCA, an unsupervised clustering method that analyzes malware network traces to generate behavioral profiles, offering more insightful malware characterization than traditional family labels, with promising results on real-world data.

## Contribution

MalPaCA automates malware capability assessment through clustering of network trace behaviors, providing a novel, interpretable approach that surpasses existing labeling methods.

## Key findings

- Successfully identifies malware capabilities like port scans and C&C reuse.
- Reveals discrepancies between behavioral clusters and family labels.
- Achieves an 8.3% error rate using temporal features, outperforming statistical features.

## Abstract

Malware family labels are known to be inconsistent. They are also black-box since they do not represent the capabilities of malware. The current state-of-the-art in malware capability assessment include mostly manual approaches, which are infeasible due to the ever-increasing volume of discovered malware samples. We propose a novel unsupervised machine learning-based method called MalPaCA, which automates capability assessment by clustering the temporal behavior in malware's network traces. MalPaCA provides meaningful behavioral clusters using only 20 packet headers. Behavioral profiles are generated based on the cluster membership of malware's network traces. A Directed Acyclic Graph shows the relationship between malwares according to their overlapping behaviors. The behavioral profiles together with the DAG provide more insightful characterization of malware than current family designations. We also propose a visualization-based evaluation method for the obtained clusters to assist practitioners in understanding the clustering results. We apply MalPaCA on a financial malware dataset collected in the wild that comprises of 1.1k malware samples resulting in 3.6M packets. Our experiments show that (i) MalPaCA successfully identifies capabilities, such as port scans and reuse of Command and Control servers; (ii) It uncovers multiple discrepancies between behavioral clusters and malware family labels; and (iii) It demonstrates the effectiveness of clustering traces using temporal features by producing an error rate of 8.3%, compared to 57.5% obtained from statistical features.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1904.01371/full.md

## Figures

17 figures with captions in the complete paper: https://tomesphere.com/paper/1904.01371/full.md

## References

63 references — full list in the complete paper: https://tomesphere.com/paper/1904.01371/full.md

---
Source: https://tomesphere.com/paper/1904.01371