Proceedings of the 33rd Annual Computer Security Applications Conference 2017
DOI: 10.1145/3134600.3134605

DECANTeR

Abstract: We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication indicated by unknown fingerprints extracted from a host's network traffic. We evaluate a prototype with realistic data from an international organization and datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 …

Cited by 23 publications (17 citation statements)
References 28 publications

“…Li [15] performed a large-scale measurement for millions of fingerprints to figure out fingerprint dynamics in a real-world website and they found that state-of-the-art fingerprinting tools perform poorly in a real-world setting. Bortolameotti et al. [16] propose a detection framework of anomalous outbound HTTP traffic by passive application fingerprinting. They focus on different cases like background applications and browser applications to detect anomalous communications.…”
Section: Related Work (mentioning, confidence: 99%)

“…Fingerprinting of HTTP network traffic can be used to create models of applications present in a monitored network and used as a baseline for detecting unknown applications that can be malicious. Bortolameotti et al. presented in [7] DECANTeR, a system for detection of HTTP network traffic that is anomalous for the analyzed host. It passively extracts fingerprints of benign applications running on the host.…”
Section: Proposed Research Solutions (mentioning, confidence: 99%)

“…Relying on TCP stream based statistical features, Petagna et al. [25] demonstrate that it is possible to accurately identify apps in traffic anonymized through Tor, and that web browsers thereby play a crucial role as traffic patterns differentiate strongly between browser versions. Finally, the authors of [26] have proposed DECANTeR, which builds real-time fingerprints from desktop apps exploiting the headers of the HTTP messages.…”
Section: Related Work (mentioning, confidence: 99%)