Abstract
We analyzed traffic data after a malware infection and clarified which features would be the most effective in the detection of infection. The focus is on the use of traffic data to detect infections and on the use of features that do not change much over time from those of the training data. The characteristics of features that are effective for detecting malware infections are also described. Experimental results clarified the effects of the time difference, and the effective features that were little affected by the time difference were identified. There is thus a need to focus on the effect of the time difference when investigating malware infection detection.
