A Practical Experiment of the HTTP-Based RAT Detection Method in Proxy Server Logs

Mimura, Mamoru; Otsubo, Yuhei; Tanaka, Hidehiko; Tanaka, Hidema

doi:10.1109/asiajcis.2017.13

Cited by 11 publications

(5 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The alternative approach is classification based on network logs such as DNS records, NetFlow or proxy server logs. There are several methods which use NetFlow [2], [3], DNS records [13], [14], [15], [16] and proxy server logs [4], [5], [17], [18], [19], [20], [21], [22], [23], [24]. Some approaches focus on NN to detect basic network attacks [25], [26], [27].…”

Section: Related Workmentioning

confidence: 99%

“…There are many behavior-based detection methods which extract the features of malicious traffic. These methods extract the features of DbD attacks [1] or C&C traffic [2], [3], [4], and attempt to detect new malicious traffic. Many previous methods, 1 National Defense Academy, Yokosuka, Kanagawa 239-8686, Japan a) mim@nda.ac.jp however, require knowledge of how to extract feature vectors.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Attempt to Read Network Traffic with Doc2vec

Mimura

2019

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Detecting new malicious traffic is a challenging task. There are many behavior-based detection methods which extract the features of malicious traffic. However, many previous methods require knowledge of how to extract feature vectors. If attackers modify the attack techniques, these previous methods may have to extract new feature representation to detect them. To address this problem, neural networks can be applied to perform feature learning. Doc2vec is one of these models that learn fixed-length feature representation from variable-length documents and has been applied to proxy logs. However, some attackers still use protocols other than http or https. In this paper, we extend the previous method to a generic detection method which supports any protocol. The key idea of this research is reading network packets as a natural language. In our method, a protocol analyzer reads network packets, and summarizes the traffic. Our method extracts the feature representation from the summary with Doc2vec. We apply several classifiers to the automatically extracted feature representation, and classify traffic into benign and malicious traffic. In the fundamental experiment, the best F-measure achieves 0.98 in the timeline analysis and 0.97 in the cross-dataset validation. Furthermore, we generate imbalanced datasets which simulate actual network traffic. In the practical experiment, the best F-measure achieves 0.82 in the timeline analysis and 0.73 in the cross-dataset validation.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

An Attempt to Read Network Traffic with Doc2vec

Mimura

2019

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

show abstract

“…Mimura et al [1] categorized proxy server logs by FQDNs to extract feature vectors, and proposed a RAT (Remote Access Trojan or Remote Administration Tool) detection method using machine learning techniques. This method uses the characteristic that RATs continues to access the same path regularly.…”

Section: Analyzing Proxy Server Logsmentioning

confidence: 99%

“…IDS uses fixed strings or regular expression to describe their signatures. Malware used in APT attacks, however, communicates via a standard protocol, and attempts to imitate normal http communication hidema@nda.ac.jp (e.g., Plug X, Emdivi) [1], [2]. Therefore, it is difficult to describe the signatures.…”

Section: Introductionmentioning

confidence: 99%

Leaving All Proxy Server Logs to Paragraph Vector

Mimura

Tanaka

2018

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Cyberattack techniques continue to evolve every day. Detecting unseen drive-by-download attacks or C&C traffic is a challenging task. Pattern-matching-based techniques and using malicious blacklists are not efficient anymore, because attackers easily change the traffic pattern or infrastructure to avoid detection. Therefore, many behaviorbased detection methods have been proposed, which use the immutable characteristic of the traffic. These previous methods, however, focus on the attack technique, and can only detect drive-by-download (DbD) attacks or C&C traffic which have the immutable characteristic. These traditional methods have to devise the feature vectors. This paper proposes a generic detection method, which is independent of attack methods and does not need devising feature vectors. Our method uses Paragraph Vector, an unsupervised algorithm that learns fixed-length feature representations from variable-length texts and classifiers. Our method uses Paragraph Vector to capture the context in proxy server logs. We conducted cross-validation, timeline analysis and cross-dataset validation with multiple datasets. The experimental results show our method can detect unseen DbD attacks and C&C traffic in proxy server logs. The best F-measure achieved 0.97 in the timeline analysis and 0.96 on the other dataset.

show abstract

“…Most RATs are conventionally using reverse connections as network security policies prevent external connections [9]. Nevertheless, RAT bots can cause severe damages to infected machines without being detected [10]- [12]. In addition, intruders can control more than one machine independently from the host's location.…”

Section: Introductionmentioning

confidence: 99%

Collaborative Framework for Early Detection of RAT-Bots Attacks

2019

View full text Add to dashboard Cite

Attackers tend to use Remote Access Trojans (RATs) to compromise and control a targeted computer, which makes the RAT detection as an active research field. This paper introduces a machine learning-based framework for detecting compromised hosts and networks that are infected by the RAT-Bots. The proposed framework consists of two agents that are integrated to achieve reliable early detection of the RAT-bots. The first agent, the host agent, is responsible for monitoring the system behavior of the running host and raising an alarm for any anomalies. The second agent, the network agent, monitors the network traffic to extract any malicious patterns. The integrated approach improves both the detection ratio and accuracy. However, each approach cannot separately achieve the same performance as the proposed RAT-Bots detection framework. The performance of the introduced framework is evaluated by using real-world benchmark datasets. The experimental results show that the proposed approach can achieve an accuracy of 98.83% with 1.45% false positive rate.

show abstract

A Practical Experiment of the HTTP-Based RAT Detection Method in Proxy Server Logs

Cited by 11 publications

References 10 publications

An Attempt to Read Network Traffic with Doc2vec

An Attempt to Read Network Traffic with Doc2vec

Leaving All Proxy Server Logs to Paragraph Vector

Collaborative Framework for Early Detection of RAT-Bots Attacks

Contact Info

Product

Resources

About