A General Framework of Trojan Communication Detection Based on Network Traces

Li, Shicong; Yun, Xiaochun; Zhang, Yongzheng; Xiao, Jun; Wang, Yipeng

doi:10.1109/nas.2012.10

Cited by 12 publications

(9 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Some existing behavior detection techniques for finding the remote control of malware have been proposed [10], [11]. S.Li et al proposed a detection technique, Manto [11], for finding Trojan horses based on the features of their communications, such as the directions and intervals of their packets on a connection and the number of connections between a server and a client. Since RATs are modern type of Trojan horse, Manto should be able to extract RAT connections based on the features.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

RAT-based malicious activities detection on enterprise internal networks

Yamada

Morinaga

Unno

et al. 2015

2015 10th International Conference for Internet Technology and Secured Transactions (ICITST)

View full text Add to dashboard Cite

The detection of APT has recently become an urgent problem needing to be resolved. Attackers use Remote Access Trojan/Remote Administration Tools (RATs), which often bypass general security measures, and the traditional detection techniques don't consider reconnaissance activities after RAT infections. We analyzed the behavior of the reconnaissance for this paper so that RAT-based malicious activities on internal networks can be divided from the operations of normal users. Based on the features of their behaviors, we propose a detection technique that monitors the communications on internal networks and extracts the communication sequences of the reconnaissance. The result from our evaluation showed that the proposed technique can detect 99.26 % of the experimental reconnaissance communications by using the real 34 RATs (29 families) and 4 SMB-based remote management methods, and also work without false-positive on an actual organization's internal network.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Many of its features are shared, as shown in Table II. Manto [11], the existing detection technique for Trojan communications, defines them as features 1, 2, 3, 4, and 5. However, roughly half of RATs do not show the features 2 and 5 in our analysis.…”

Section: A Ratmentioning

confidence: 99%

RAT-based malicious activities detection on enterprise internal networks

Yamada

Morinaga

Unno

et al. 2015

2015 10th International Conference for Internet Technology and Secured Transactions (ICITST)

View full text Add to dashboard Cite

show abstract

“…RATs can automatically send connection requests to the attacker's Command and Control (C&C) server from the Intranet, in order to build an encrypted tunnel to connect two sides through the firewall. Therefore, some of the existing policies like port filtering and Deep Packet Inspection (DPI) [2], [3], [14] are not enough to prevent data leakage problems caused by targeted attacks [3]. The Port filtering policy is limited since RAT can use port 80 or 443 as in some normal sessions.…”

Section: Introductionmentioning

confidence: 99%

“…Li et al [3] propose a detection system to detect Trojans by their original network behaviors, which achieves an accuracy of more than 90%. This system extracts network features from a session that begins from a SYN packet in the TCP three-way handshake and ends with a FIN/RST packet.…”

Section: Introductionmentioning

confidence: 99%

“…Meanwhile, there is also another problem: how to distinguish RATs sessions from legitimate sessions. RATs need to steal confidential information and send it back to the attacker, which means that the outbound traffic is much greater than the inbound [3]. In the recent past, some popular cloud services and P2P applications had similarly great outbound traffic.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Approach to Detect Remote Access Trojan in the Early Stage of Communication

Jiang

Omote

2015

2015 IEEE 29th International Conference on Advanced Information Networking and Applications

View full text Add to dashboard Cite

As data leakage accidents occur every year, the security of confidential information is becoming increasingly important. Remote Access Trojans (RAT), a kind of spyware, are used to invade the PC of a victim through targeted attacks. After the intrusion, the attacker can monitor and control the victim's PC remotely, to wait for an opportunity to steal the confidential information. Since it is hard to prevent the intrusion of RATs completely, preventing confidential information being leaked back to the attacker is the main issue. Various existing approaches introduce different network behaviors of RAT to construct detection systems. Unfortunately, two challenges remain: one is to detect RAT sessions as early as possible, the other is to remain a high accuracy to detect RAT sessions, while there exist normal applications whose traffic behave similarly to RATs. In this paper, we propose a novel approach to detect RAT sessions in the early stage of communication. To differentiate network behaviors between normal applications and RAT, we extract the features from the traffic of a short period of time at the beginning. Afterward, we use machine learning techniques to train the detection model, then evaluate it by K-Fold crossvalidation. The results show that our approach is able to detect RAT sessions with a high accuracy. In particular, our approach achieves over 96% accuracy together with the FNR of 10% by Random Forest algorithm, which means that our approach is valid to detect RAT sessions in the early stage of communication.1550-445X/15 $31.00

show abstract

Early Detection of Remote Access Trojan by Software Network Behavior

Oya

Omote

2019

Information Security and Cryptology

View full text Add to dashboard Cite

A General Framework of Trojan Communication Detection Based on Network Traces

Cited by 12 publications

References 14 publications

RAT-based malicious activities detection on enterprise internal networks

RAT-based malicious activities detection on enterprise internal networks

An Approach to Detect Remote Access Trojan in the Early Stage of Communication

Early Detection of Remote Access Trojan by Software Network Behavior

Contact Info

Product

Resources

About