Malware traffic detection using tamper resistant features

Z. Berkay Celik, Robert J. Walls, Patrick McDaniel, Ananthram Swami

Research output: Chapter in Book/Report/Conference proceedingConference contribution

37 Scopus citations


This paper presents a framework for evaluating the transport layer feature space of malware heartbeat traffic. We utilize these features in a prototype detection system to distinguish malware traffic from traffic generated by legitimate applications. In contrast to previous work, we eliminate features at risk of producing overly optimistic detection results, detect previously unobserved anomalous behavior, and rely only on tamper-resistant features making it difficult for sophisticated malware to avoid detection. Further, we characterize the evolution of malware evasion techniques over time by examining the behavior of 16 malware families. In particular, we highlight the difficultly of detecting malware that use traffic-shaping techniques to mimic legitimate traffic.

Original languageEnglish (US)
Title of host publication2015 IEEE Military Communications Conference, MILCOM 2015
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages6
ISBN (Electronic)9781509000739
StatePublished - Dec 14 2015
Event34th Annual IEEE Military Communications Conference, MILCOM 2015 - Tampa, United States
Duration: Oct 26 2015Oct 28 2015

Publication series

NameProceedings - IEEE Military Communications Conference MILCOM


Other34th Annual IEEE Military Communications Conference, MILCOM 2015
Country/TerritoryUnited States

All Science Journal Classification (ASJC) codes

  • Electrical and Electronic Engineering


Dive into the research topics of 'Malware traffic detection using tamper resistant features'. Together they form a unique fingerprint.

Cite this