PORTFILER: Port-Level Network Profiling for Self-Propagating Malware Detection

TL;DR

PORTFILER is a machine learning system that detects self-propagating malware by analyzing port-level network traffic features, using anomaly detection and ensemble models to identify suspicious activities with high precision.

Contribution

The paper introduces PORTFILER, a novel ensemble machine learning approach for port-level network traffic analysis to detect self-propagating malware, demonstrating improved resilience and detection accuracy.

Findings

Detects SPM attacks like WannaCry and Mirai effectively.

Achieves over 0.94 precision in alert ranking.

Outperforms deep-learning autoencoder methods in detection.

Abstract

Recent self-propagating malware (SPM) campaigns compromised hundred of thousands of victim machines on the Internet. It is challenging to detect these attacks in their early stages, as adversaries utilize common network services, use novel techniques, and can evade existing detection mechanisms. We propose PORTFILER (PORT-Level Network Traffic ProFILER), a new machine learning system applied to network traffic for detecting SPM attacks. PORTFILER extracts port-level features from the Zeek connection logs collected at a border of a monitored network, applies anomaly detection techniques to identify suspicious events, and ranks the alerts across ports for investigation by the Security Operations Center (SOC). We propose a novel ensemble methodology for aggregating individual models in PORTFILER that increases resilience against several evasion strategies compared to standard ML baselines. We extensively evaluate PORTFILER on traffic collected from two university networks, and show that it can detect SPM attacks with different patterns, such as WannaCry and Mirai, and performs well under evasion. Ranking across ports achieves precision over 0.94 with low false positive rates in the top ranked alerts. When deployed on the university networks, PORTFILER detected anomalous SPM-like activity on one of the campus networks, confirmed by the university SOC as malicious. PORTFILER also detected a Mirai attack recreated on the two university networks with higher precision and recall than deep-learning-based autoencoder methods.