hh2010/malware_classify

Malware Classification Project

Overview

This is the GitHub repository for the Malware Classification project I did for Metis. I used scikit-learn to train classification models (Random Forests, Logistic Regression, and SVM) on bi-directional packet flows. The Jupyter notebook for the project shows how I trained the models and pickled them into the live folder.

The training data comes from the Malware Capture Facility Project (MCFP) at the Czech Technical University (CTU). Right now the model works well at classifying traffic from the Neris malware family, but it has not been tested on any other family. As I move on to other projects, I am very interested to see whether others can test this model and generalize it to more malware types.

Packet Flows

Packet flows are produced by Argus from a packet capture (pcap) file, which you can record with Wireshark or tcpdump.

The Argus documentation shows how to generate flow records with Argus and its client tools (Radium and ra).

Use the Argus configuration files in the live folder when generating flow records for testing, so that the CSV columns match the ones the pickled models were trained on.

Live Test Example

Once you have generated the packet flow CSV with Argus and the configuration files in the live folder, run the command below to print the classification results to your console. Note that the models are loaded with pickle, and unpickling executes code from the file, so only run this against model files from a checkout you trust.

./live_test.py --input_csv live/live.csv
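The step between the Argus CSV and the classifier is turning each flow record into a numeric vector. As an added example that is not part of this repository (the project's notebook and live_test.py define their own features and the pickled models expect those), the following Python converts flow records in the CTU-13 binetflow column layout published by the MCFP (StartTime, Dur, Proto, SrcAddr, Sport, Dir, DstAddr, Dport, State, sTos, dTos, TotPkts, TotBytes, SrcBytes) into feature vectors, handling the quirks a practitioner hits on this data: ports that Argus writes in hex (ICMP type/code such as 0x0303), empty fields, whitespace-padded direction markers, and zero-duration flows. The sample rows, the feature choices, and the category codes are assumptions for illustration.

```python
import csv
import io

# Constructed sample rows in the CTU-13 binetflow layout. These are invented
# flows using documentation address ranges, not records from the MCFP dataset.
SAMPLE_CSV = """StartTime,Dur,Proto,SrcAddr,Sport,Dir,DstAddr,Dport,State,sTos,dTos,TotPkts,TotBytes,SrcBytes
2011/08/10 09:46:53.047277,3.11,tcp,192.0.2.10,1025,   ->,198.51.100.5,80,SPA_SPA,0,0,12,2345,1200
2011/08/10 09:46:54.000000,0.00,udp,192.0.2.10,53000,  <->,198.51.100.53,53,CON,0,0,2,180,60
2011/08/10 09:46:55.500000,0.50,icmp,192.0.2.10,0x0303,   ->,198.51.100.9,0x0303,ECO,0,,1,98,98
2011/08/10 09:46:56.000000,1.25,tcp,192.0.2.11,,   ->,198.51.100.25,25,S_,0,0,3,180,180
"""

# Category codes are an assumption of this example; a model must be trained
# with the same mapping it is later scored with.
PROTOS = {"tcp": 0, "udp": 1, "icmp": 2}
UNKNOWN_PROTO = 3
DIRS = {"->": 0, "<-": 1, "<->": 2}
UNKNOWN_DIR = 3          # covers Argus' '?>' / '<?>' (direction not determined)
MISSING_PORT = -1.0      # sentinel for an empty port field

FEATURE_NAMES = [
    "dur", "proto", "sport", "dport", "dir", "stos", "dtos",
    "tot_pkts", "tot_bytes", "src_bytes", "dst_bytes",
    "mean_pkt_size", "bytes_per_sec",
]


def parse_port(value):
    """Argus emits some ports as hex (ICMP type/code, e.g. 0x0303); decode both forms."""
    value = value.strip()
    if not value:
        return MISSING_PORT
    base = 16 if value.lower().startswith("0x") else 10
    return float(int(value, base))


def parse_float(value, default=0.0):
    """Empty fields (e.g. dTos on one-way flows) become a default instead of raising."""
    value = value.strip()
    return float(value) if value else default


def flow_features(row):
    """Map one binetflow record (a DictReader row) to a numeric feature vector."""
    dur = parse_float(row["Dur"])
    tot_pkts = parse_float(row["TotPkts"])
    tot_bytes = parse_float(row["TotBytes"])
    src_bytes = parse_float(row["SrcBytes"])
    return [
        dur,
        float(PROTOS.get(row["Proto"].strip().lower(), UNKNOWN_PROTO)),
        parse_port(row["Sport"]),
        parse_port(row["Dport"]),
        float(DIRS.get(row["Dir"].strip(), UNKNOWN_DIR)),
        parse_float(row["sTos"]),
        parse_float(row["dTos"]),
        tot_pkts,
        tot_bytes,
        src_bytes,
        tot_bytes - src_bytes,                        # bytes sent by the destination side
        tot_bytes / tot_pkts if tot_pkts else 0.0,    # mean packet size
        tot_bytes / dur if dur > 0 else tot_bytes,    # guard zero-duration (single-packet) flows
    ]


def load_flows(text):
    """Parse CSV text in binetflow layout into a list of feature vectors."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [flow_features(row) for row in reader]


if __name__ == "__main__":
    for vector in load_flows(SAMPLE_CSV):
        print(dict(zip(FEATURE_NAMES, vector)))
```

The resulting list of vectors is what you would hand to a scikit-learn estimator's predict method; keep the column order and the category codes identical between training and live scoring, otherwise the model silently scores on shuffled features.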

Contact

If you have any questions or comments on this project, you can find me below:

E-mail: hasan.haq@gmail.com
