{"id":20932519,"url":"https://github.com/adulau/malwareclassifier","last_synced_at":"2025-05-13T20:30:37.967Z","repository":{"id":25631830,"uuid":"29067124","full_name":"adulau/MalwareClassifier","owner":"adulau","description":"Malware Classifier From Network Captures","archived":false,"fork":false,"pushed_at":"2017-01-27T20:42:26.000Z","size":541,"stargazers_count":82,"open_issues_count":0,"forks_count":13,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-05-08T01:42:36.711Z","etag":null,"topics":["malware","malware-classifier","network-capture","python","tshark","visualization"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adulau.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-01-10T18:49:03.000Z","updated_at":"2025-01-09T20:29:40.000Z","dependencies_parsed_at":"2022-08-24T14:09:53.885Z","dependency_job_id":null,"html_url":"https://github.com/adulau/MalwareClassifier","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adulau%2FMalwareClassifier","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adulau%2FMalwareClassifier/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adulau%2FMalwareClassifier/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adulau%2FMalwareClassifier/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adulau","download_url":"https://codeload.github.com/adulau/MalwareClassifier/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254020902,"owners_count":22000805,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["malware","malware-classifier","network-capture","python","tshark","visualization"],"created_at":"2024-11-18T21:48:56.315Z","updated_at":"2025-05-13T20:30:37.163Z","avatar_url":"https://github.com/adulau.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Malware Classifier From Network Capture\n\n*Malware Classifier* is a simple free software project done during a [university workshop of 4 hours](http://www.foo.be/cours/dess-20142015/Redis-Introduction.pdf). The objective of the 4-hour workshop was to introduce network forensics and simple techniques to classify malware network captures (from their execution in a virtual machine). So the software was kept very simple while using and learning existing tools ([networkx](https://networkx.github.io/), [redis](http://www.redis.io/) and [Gephi](http://gephi.github.io/)).\n\n## Requirements\n\n * Python 2.7\n * networkx and redis modules (pip install -r REQUIREMENTS)\n * tshark (part of Wireshark)\n * a Redis server\n\n## How to use the Malware Classifier\n\nYou'll need a set of network packet captures. In the workshop, we use a dataset with more than 5000 pcap files generated from the execution of malware in virtual machines.\n\n```\n...\n0580c82f6f90b75fcf81fd3ac779ae84.pcap\n05a0f4f7a72f04bda62e3a6c92970f6e.pcap\n05b4a945e5f1f7675c19b74748fd30d1.pcap\n05b57374486ce8a5ce33d3b7d6c9ba48.pcap\n05bbddc8edac3615754f93139cf11674.pcap\n...\n```\n\nThe filename is the MD5 hash of the malware sample executed in the virtual machine.\n\nTo classify malware communications based on the HTTP Server header of the (potential) C\u0026C communication, run:\n\n```shell\ncd capture\nls -1 . | parallel --gnu \"cat {1} | tshark -E header=yes -E separator=, -Tfields -e http.server -r {1} | python ./bin/import.py -f {1} \"\n```\n\nYou can add further attributes, such as any field from the dissectors available within tshark (tshark -G fields), by adding additional fields to the command above. This updates the Redis data structure. Once you have enough attributes, you can dump a graph of the relationships between the attributes and the malware packet captures.\n\n```shell\npython ./bin/graph.py\n```\n\ngraph.py generates a GEXF file that you can import into [gephi](https://gephi.org).\n\nThe output in Gephi can look like this:\n\n![a sample graph of clustering per User-Agent of each malware activity](./doc/graph.png)\n\n## Redis data structure\n\n![An overview of the Redis data structure used in MalwareClassifier](https://raw.github.com/adulau/MalwareClassifier/master/doc/redis-datastruct.png)\n\n## Notes for the student\n\nCheck the git log and the commits; they document the steps performed during the workshop, especially the successive improvements to the Python scripts.\n\n## Slides of the training session\n\n[Classifying malware using network traffic analysis. Or how to learn Redis, git, tshark and Python in 4 hours.](https://www.foo.be/cours/dess-20162017/pub/Redis-Introduction.pdf)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadulau%2Fmalwareclassifier","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadulau%2Fmalwareclassifier","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadulau%2Fmalwareclassifier/lists"}