An Approach to Detect Remote Access Trojan in the Early Stage of Communication

Jiang, Dan; Omote, Kazumasa

doi:10.1109/aina.2015.257

Cited by 26 publications

(14 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Transport Layer features, e.g., communications time, "heartbeat" packet to keep-alive, upload and download traffic [6] .…”

Section: Detection Model Designmentioning

confidence: 99%

Closed-loop Feedback Trojan Detection Technique Based on Hierarchical Model

Jinlong¹,

Gu²,

Xie³

2015

Proceedings of the 2015 Joint International Mechanical, Electronic and Information Technology Conference

View full text Add to dashboard Cite

In recent years, as the representative of APT attack incidents continues to increase, which steal the confidential information. It's a serious threat to network security and user privacy. The key to prevent such attacks is how to detect Trojan behavior from the network traffic of APT attacks. In this paper, we propose a novel approach based closed-loop feedback model and hierarchical detection model. The result we present improved the detection rate and reduced false positives in detecting Trojan behavior from network traffic. Thus, we can protect user privacy effectively and maintain secure of network environment relatively.

show abstract

“…Transport Layer features, e.g., communications time, "heartbeat" packet to keep-alive, upload and download traffic [6] .…”

Section: Detection Model Designmentioning

confidence: 99%

Closed-loop Feedback Trojan Detection Technique Based on Hierarchical Model

Jinlong¹,

Gu²,

Xie³

2015

Proceedings of the 2015 Joint International Mechanical, Electronic and Information Technology Conference

View full text Add to dashboard Cite

show abstract

“…Unfortunately this may not be possible for a variety of reasons. For instance, a company that discovers and promptly contains an infection [14] may not allow communications for the sake of analysis, especially where there is a suspicion of a targeted attack-as such communications would reveal that the target has been reached. A server counterpart may also decline connection attempts when the analysis takes place from an unexpected network origin or time frame.…”

Section: Introductionmentioning

confidence: 99%

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Borzacchiello

Coppa

D’Elia

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

The analysis of a malicious piece of software that involves a remote counterpart that instructs it can be troublesome for security professionals, as they may have to unravel the communication protocol in use to figure out what actions can be carried out on the victim's machine. The possibility to recur to dynamic analysis hinges on the availability of an active remote counterpart, a requirement that may be difficult to meet in several scenarios. In this paper we explore how symbolic execution techniques can be used to synthesize a command-and-control server for a remote access trojan, enabling in-vivo analysis by malware analysts. We evaluate our ideas against two real-world malware instances.

show abstract

“…The communication between RAT master (client) and its slave (server) is either direct which initiated by RAT client or reverse which started by RAT server. Most RATs are conventionally using reverse connections as network security policies prevent external connections [9]. Nevertheless, RAT bots can cause severe damages to infected machines without being detected [10]- [12].…”

Section: Introductionmentioning

confidence: 99%

Collaborative Framework for Early Detection of RAT-Bots Attacks

2019

View full text Add to dashboard Cite

Attackers tend to use Remote Access Trojans (RATs) to compromise and control a targeted computer, which makes the RAT detection as an active research field. This paper introduces a machine learning-based framework for detecting compromised hosts and networks that are infected by the RAT-Bots. The proposed framework consists of two agents that are integrated to achieve reliable early detection of the RAT-bots. The first agent, the host agent, is responsible for monitoring the system behavior of the running host and raising an alarm for any anomalies. The second agent, the network agent, monitors the network traffic to extract any malicious patterns. The integrated approach improves both the detection ratio and accuracy. However, each approach cannot separately achieve the same performance as the proposed RAT-Bots detection framework. The performance of the introduced framework is evaluated by using real-world benchmark datasets. The experimental results show that the proposed approach can achieve an accuracy of 98.83% with 1.45% false positive rate.

show abstract

An Approach to Detect Remote Access Trojan in the Early Stage of Communication

Cited by 26 publications

References 7 publications

Closed-loop Feedback Trojan Detection Technique Based on Hierarchical Model

Closed-loop Feedback Trojan Detection Technique Based on Hierarchical Model

Reconstructing C2 Servers for Remote Access Trojans with Symbolic Execution

Collaborative Framework for Early Detection of RAT-Bots Attacks

Contact Info

Product

Resources

About