MalPhase: Fine-Grained Malware Detection Using Network Flow Data
Michal Piskozub, Fabio De Gaspari, Frederick Barr-Smith, Luigi V. Mancini, Ivan Martinovic

TL;DR
MalPhase is a multi-phase deep learning system that effectively detects and classifies malware from network flow data, even in noisy, real-world traffic conditions, achieving high accuracy and robustness.
Contribution
MalPhase introduces a novel multi-tier architecture with extended features and denoising autoencoders for improved malware detection and classification from aggregated network flows.
Findings
Detects malicious flows with >98% F1 score
Classifies malware type with >93% F1 score
Performs well on mixed benign and malicious traffic
Abstract
Economic incentives encourage malware authors to constantly develop new, increasingly complex malware to steal sensitive data or blackmail individuals and companies into paying large ransoms. In 2017, the worldwide economic impact of cyberattacks is estimated to be between 445 and 600 billion USD, or 0.8% of global GDP. Traditionally, one of the approaches used to defend against malware is network traffic analysis, which relies on network data to detect the presence of potentially malicious software. However, to keep up with increasing network speeds and amount of traffic, network analysis is generally limited to work on aggregated network data, which is traditionally challenging and yields mixed results. In this paper we present MalPhase, a system that was designed to cope with the limitations of aggregated flows. MalPhase features a multi-phase pipeline for malware detection, type and…
