Detecting Malware C&C Communication Traffic Using Artificial Intelligence Techniques

Abstract

Banking malware poses a significant threat to users: it infects their computers and then attempts to perform malicious activities such as surreptitiously stealing confidential information. Banking malware variants continue to evolve and have been increasing in number for many years. Amongst these, Zeus and its variants are the most prevalent banking malware discovered. This prevalence was expedited by the leak of the Zeus source code to the public in 2011, which allowed malware developers to reproduce the Zeus banking malware and develop variants and derivatives of it; examples include Ramnit, Citadel and Zeus Panda. Tools such as anti-malware programs do exist and are able to detect banking malware variants, but they have limitations. Their reliance on regular updates to incorporate new malware signatures or patterns means that they can only identify known banking malware variants, which inherently restricts their capability to detect novel, previously unseen variants. Adding to this challenge is the growing ingenuity of malicious actors, who craft malware specifically developed to bypass signature-based anti-malware systems. This paper presents an overview of the Zeus, Zeus Panda and Ramnit banking malware variants and discusses their command-and-control (C&C) communication architecture. Subsequently, a methodology is proposed for detecting the banking malware C&C communication traffic, and this methodology is tested using several feature selection algorithms to determine which performs best. The feature selection algorithms are also compared with a manual feature selection approach to determine whether a manual, automated or hybrid feature selection approach is more suitable for this type of problem.
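The abstract describes comparing manual, automated and hybrid feature selection for a C&C-traffic detector but does not give the features, the selection algorithms or the data. The following is an added example, not code or results from the paper: it uses a constructed set of per-destination flow summaries (the field names interval_cv, bytes_out, bytes_in and dst_port are assumptions chosen to reflect the beacon-like check-ins of Zeus-family bots), information gain with a median split as a stand-in filter-style selector, and a majority vote of single-threshold rules as a stand-in classifier. It shows the shape of the comparison: an analyst-chosen set, the top-k automated set, and their union, all evaluated on held-out flows.

```python
"""
Feature-selection comparison for banking-malware C&C beacon detection.
Added illustrative example; the flows below are constructed, not captured traffic.
"""
import math
import statistics

# Constructed per-destination flow summaries (NOT real captures). Field names are
# assumptions for illustration:
#   interval_cv : coefficient of variation of the gaps between connections to the
#                 destination (a bot polling its C&C on a timer scores low)
#   bytes_out   : bytes sent per request (Zeus-style check-ins are small and steady)
#   bytes_in    : bytes received per response
#   dst_port    : destination port
#   label       : 1 = C&C traffic, 0 = benign
TRAIN = [
    {"interval_cv": 0.03, "bytes_out": 312,  "bytes_in": 240,   "dst_port": 8080, "label": 1},
    {"interval_cv": 0.05, "bytes_out": 318,  "bytes_in": 260,   "dst_port": 8080, "label": 1},
    {"interval_cv": 0.04, "bytes_out": 305,  "bytes_in": 4100,  "dst_port": 8080, "label": 1},
    {"interval_cv": 0.09, "bytes_out": 330,  "bytes_in": 6000,  "dst_port": 80,   "label": 1},
    {"interval_cv": 0.80, "bytes_out": 1450, "bytes_in": 52000, "dst_port": 80,   "label": 0},
    {"interval_cv": 1.20, "bytes_out": 620,  "bytes_in": 18000, "dst_port": 443,  "label": 0},
    {"interval_cv": 0.65, "bytes_out": 980,  "bytes_in": 210,   "dst_port": 80,   "label": 0},
    {"interval_cv": 0.95, "bytes_out": 210,  "bytes_in": 300,   "dst_port": 443,  "label": 0},
]
# Held-out flows (also constructed): the C&C hosts here listen on 443/80, so the
# "port 8080" pattern that happens to hold in TRAIN is an artifact of the sample.
TEST = [
    {"interval_cv": 0.06, "bytes_out": 315,  "bytes_in": 255,   "dst_port": 443,  "label": 1},
    {"interval_cv": 0.02, "bytes_out": 309,  "bytes_in": 245,   "dst_port": 80,   "label": 1},
    {"interval_cv": 0.07, "bytes_out": 322,  "bytes_in": 5200,  "dst_port": 443,  "label": 1},
    {"interval_cv": 0.70, "bytes_out": 2100, "bytes_in": 33000, "dst_port": 8080, "label": 0},
    {"interval_cv": 1.10, "bytes_out": 540,  "bytes_in": 12000, "dst_port": 443,  "label": 0},
    {"interval_cv": 0.55, "bytes_out": 300,  "bytes_in": 800,   "dst_port": 8080, "label": 0},
]
FEATURES = ["interval_cv", "bytes_out", "bytes_in", "dst_port"]
# Analyst's manual pick: beacon regularity plus check-in size (an assumption).
MANUAL_FEATURES = ["interval_cv", "bytes_out"]


def entropy(labels):
    """Shannon entropy (bits) of a list of 0/1 labels."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def information_gain(flows, feature):
    """Filter-style score: information gain of the label from a median split."""
    thr = statistics.median(f[feature] for f in flows)
    high = [f["label"] for f in flows if f[feature] > thr]
    low = [f["label"] for f in flows if f[feature] <= thr]
    cond = (len(high) * entropy(high) + len(low) * entropy(low)) / len(flows)
    return entropy([f["label"] for f in flows]) - cond


def rank_features(flows, features):
    """Automated selection: features ordered by information gain (name breaks ties)."""
    scores = {name: information_gain(flows, name) for name in features}
    return sorted(features, key=lambda n: (-scores[n], n)), scores


def fit_stumps(flows, features):
    """One threshold rule per feature: (median threshold, True if the C&C side is '> thr')."""
    def cc_fraction(labels):
        return sum(labels) / len(labels) if labels else 0.0
    stumps = {}
    for name in features:
        thr = statistics.median(f[name] for f in flows)
        high = [f["label"] for f in flows if f[name] > thr]
        low = [f["label"] for f in flows if f[name] <= thr]
        stumps[name] = (thr, cc_fraction(high) > cc_fraction(low))
    return stumps


def predict(stumps, flow):
    """Flag a flow as C&C when a strict majority of the selected stumps vote C&C."""
    votes = sum(int((flow[name] > thr) == high_is_cc)
                for name, (thr, high_is_cc) in stumps.items())
    return 1 if votes * 2 > len(stumps) else 0


def accuracy(stumps, flows):
    return sum(predict(stumps, f) == f["label"] for f in flows) / len(flows)


def compare(train, test, k=2):
    """Return IG scores and, per approach, (selected features, held-out accuracy)."""
    ranked, scores = rank_features(train, FEATURES)
    automated = ranked[:k]
    hybrid = MANUAL_FEATURES + [n for n in automated if n not in MANUAL_FEATURES]
    results = {}
    for approach, feats in (("manual", MANUAL_FEATURES), ("automated", automated), ("hybrid", hybrid)):
        results[approach] = (feats, accuracy(fit_stumps(train, feats), test))
    return scores, results


if __name__ == "__main__":
    scores, results = compare(TRAIN, TEST)
    for name, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"IG {name:12s} {s:.3f}")
    for approach, (feats, acc) in results.items():
        print(f"{approach:10s} {feats} held-out accuracy {acc:.2f}")
```

On this constructed data the automated ranking puts dst_port second, because every C&C flow in the training sample happened to use port 8080; the rule then misses the held-out C&C hosts on 443 and 80, while the manual set generalises and the hybrid set recovers most of the loss. That outcome is a property of the small constructed sample, not a result of the paper, but it is the kind of effect that makes the manual-versus-automated-versus-hybrid comparison worth running on real C&C captures.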
