Assessing Cyclostationary Malware Detection via Feature Selection and Classification

TL;DR

This study investigates the use of cyclostationary features for malware detection in network traffic, demonstrating that PCA-based feature extraction combined with Random Forest achieves high accuracy, especially on the UGRansome dataset.

Contribution

The paper introduces a cyclostationary malware detection approach utilizing PCA and Boruta for feature selection, and compares classifier performance on multiple datasets, highlighting the effectiveness of PCA and the UGRansome dataset.

Findings

PCA outperforms Boruta in feature extraction for cyclostationary malware detection.

The UGRansome dataset yields higher detection accuracy than KDD99 and NSL-KDD.

Random Forest achieves 99% accuracy on the UGRansome dataset.

Abstract

Cyclostationarity involves periodic statistical variations in signals and processes, commonly used in signal analysis and network security. In the context of attacks, cyclostationarity helps detect malicious behaviors within network traffic, such as traffic patterns in Distributed Denial of Service (DDoS) attacks or hidden communication channels in malware. This approach enhances security by identifying abnormal patterns and informing Network Intrusion Detection Systems (NIDSs) to recognize potential attacks, enhancing protection against both known and novel threats. This research focuses on identifying cyclostationary malware behavior and its detection. The main goal is to pinpoint essential cyclostationary features used in NIDSs. These features are extracted using algorithms such as Boruta and Principal Component Analysis (PCA), and then categorized to find the most significant cyclostationary patterns. The aim of this article is to reveal periodically changing malware behaviors through cyclostationarity. The study highlights the importance of spotting cyclostationary malware in NIDSs by using established datasets like KDD99, NSL-KDD, and the UGRansome dataset. The UGRansome dataset is designed for anomaly detection research and includes both normal and abnormal network threat categories of zero-day attacks. A comparison is made using the Random Forest (RF) and Support Vector Machine (SVM) algorithms, while also evaluating the effectiveness of Boruta and PCA. The findings show that PCA is more promising than using Boruta alone for extracting cyclostationary network feature patterns. Additionally, the analysis identifies the internet protocol as the most noticeable cyclostationary feature pattern used by malware. Notably, the UGRansome dataset outperforms the KDD99 and NSL-KDD, achieving 99% accuracy in signature malware detection using the RF algorithm and 98% with the SVM.