An Empirical Evaluation of Supervised Learning Methods for Network Malware Identification Based on Feature Selection

Bibliographic Details
Main Authors: C. Manzano, C. Meneses, P. Leger, H. Fukuda
Format: Article
Language: English
Published: Wiley 2022-01-01
Series: Complexity
Online Access: http://dx.doi.org/10.1155/2022/6760920
Collection: DOAJ
Description: Malware is a sophisticated, malicious, and sometimes unidentifiable application on the network. The classifying network traffic method using machine learning shows to perform well in detecting malware. In the literature, it is reported that this good performance can depend on a reduced set of network features. This study presents an empirical evaluation of two statistical methods of reduction and selection of features in an Android network traffic dataset using six supervised algorithms: Naïve Bayes, support vector machine, multilayer perceptron neural network, decision tree, random forest, and K-nearest neighbors. The principal component analysis (PCA) and logistic regression (LR) methods with p value were applied to select the most representative features related to the time properties of flows and features of bidirectional packets. The selected features were used to train the algorithms using binary and multiclass classification. For performance evaluation and comparison metrics, precision, recall, F-measure, accuracy, and area under the curve (AUC-ROC) were used. The empirical results show that random forest obtains an average accuracy of 96% and an AUC-ROC of 0.98 in binary classification. For the case of multiclass classification, again random forest achieves an average accuracy of 87% and an AUC-ROC over 95%, exhibiting better performance than the other machine learning algorithms. In both experiments, the 13 most representative features of a mixed set of flow time properties and bidirectional network packets selected by LR were used. In the case of the other five classifiers, their results in terms of precision, recall, and accuracy, are competitive with those obtained in related works, which used a greater number of input features. Therefore, it is empirically evidenced that the proposed method for the selection of features, based on statistical techniques of reduction and extraction of attributes, allows improving the identification performance of malware traffic, discriminating it from the benign traffic of Android applications.
Record ID: doaj-art-b9abdda8d31b4c06bcbddaf1f90faee2
Institution: DOAJ
ISSN: 1099-0526
Author affiliations (as listed in the record): Escuela de Ingeniería; Departamento de Ingeniería de Sistemas y Computación; Escuela de Ingeniería; Shibaura Institute of Technology