Flow-based Detection and Proxy-based Evasion of Encrypted Malware C2 Traffic

Novo, Carlos; Morla, Ricardo

doi:10.1145/3411508.3421379

Cited by 21 publications

(8 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We do not present results for elapsed time since the start of the flow because its results are worse than IAT. Previous work [33] show that tampering with IAT and elapsed time since the flow start using a proxy yields a performance decrease. We thus only consider packet size with direction and byte burst as relevant features for the remainder of the paper.…”

Section: Feature Comparisonmentioning

confidence: 97%

ML-based tunnel detection and tunneled application classification

Mazel¹,

Saudrais²,

Hervieu³

2022

Preprint

View full text Add to dashboard Cite

Encrypted tunneling protocols are widely used. Beyond business and personal uses, malicious actors also deploy tunneling to hinder the detection of Command and Control and data exfiltration. A common approach to maintain visibility on tunneling is to rely on network traffic metadata and machine learning to analyze tunnel occurrence without actually decrypting data. Existing work that address tunneling protocols however exhibit several weaknesses: their goal is to detect application inside tunnels and not tunnel identification, they exhibit limited protocol coverage (e.g. OpenVPN and Wireguard are not addressed), and both inconsistent features and diverse machine learning techniques which makes performance comparison difficult.Our work makes four contributions that address these limitations and provide further analysis. First, we address Open-VPN and Wireguard. Second, we propose a complete pipeline to detect and classify tunneling protocols and tunneled applications. Third, we present a thorough analysis of the performance of both network traffic metadata features and machine learning techniques. Fourth, we provide a novel analysis of domain generalization regarding background untunneled traffic, and, both domain generalization and adversarial learning regarding Maximum Transmission Unit (MTU).

show abstract

Section: Feature Comparisonmentioning

confidence: 97%

ML-based tunnel detection and tunneled application classification

Mazel¹,

Saudrais²,

Hervieu³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Generation This is the task of creating content that fits a target distribution which, in some cases, requires realism in the eyes of a human. Examples of generation for offensive uses include the tampering of media evidence [155,192], intelligent password guessing [75,89], and traffic shaping to avoid detection [85,166]. Deepfakes are another instance of offensive AI in this category.…”

Section: Attacks Using Aimentioning

confidence: 99%

“…AI-based tools are programs which performs a specific task in adversary's arsenal. For example, a tool for intelligently predicting passwords [75,89], obfuscating malware code [59], traffic shaping for evasion [85,121,166], puppeting a persona [154], and so on. These tools are typically in the form of a machine learning model.…”

Section: New Attack Goals In Addition To the Conventional Attack Goal...mentioning

confidence: 99%

“…Bots trying to contact their C2 server can generate URLs that appear legitimate to humans [175], or that can evade malicious-URL detectors [208]. To evade traffic-based NIDSs, adversaries can shape their traffic [85,166] or change their timing to hide it [200].…”

Section: Evading Nids (Network Intrusion Detection Systems)mentioning

confidence: 99%

“…Surprisingly, both academia and industry consider the use of AI for stealth as the least threatening OAC category in general. Even though there has been a great deal of work showing how IDS models are vulnerable [166,213], IDS evasion approaches were considered the second most defeatable OAC after intelligent scanning. This may have to do with the fact that the adversary cannot evaluate its AI-based evasion techniques inside the actual network, and thus risks detection.…”

Section: Threat Rankingmentioning

confidence: 99%

See 2 more Smart Citations

The Threat of Offensive AI to Organizations

Mirsky¹,

Demontis²,

Kotak³

et al. 2021

Preprint

View full text Add to dashboard Cite

and Pluribus One, Italy AI has provided us with the ability to automate tasks, extract information from vast amounts of data, and synthesize media that is nearly indistinguishable from the real thing. However, positive tools can also be used for negative purposes. In particular, cyber adversaries can use AI to enhance their attacks and expand their campaigns.Although offensive AI has been discussed in the past, there is a need to analyze and understand the threat in the context of organizations. For example, how does an AI-capable adversary impact the cyber kill chain? Does AI benefit the attacker more than the defender? What are the most significant AI threats facing organizations today and what will be their impact on the future?In this survey, we explore the threat of offensive AI on organizations. First, we present the background and discuss how AI changes the adversary's methods, strategies, goals, and overall attack model. Then, through a literature review, we identify 33 offensive AI capabilities which adversaries can use to enhance their attacks. Finally, through a user study spanning industry and academia, we rank the AI threats and provide insights on the adversaries.

show abstract

Toward situational awareness in threat detection. A survey

Rendall

Mylonas

Vidalis

2021

WIREs Forensic Science

View full text Add to dashboard Cite

The pervasiveness of the Internet did not come without security risk. The current threat landscape is characterized by the rise of sophisticated cyber attacks, which target user devices and corporate infrastructure. To tackle the risk of compromise, data-driven detection strategies have become increasingly mainstream. The relevant literature includes many works that leverage opensource datasets, supervised learning or, less commonly, unsupervised learning. However, advanced network attacks' spatial and temporal characteristics prove standalone threat detection systems inadequate, especially for detecting a multi-stage attack and often stealthy techniques. Moreover, attackers have been demonstrating adversarial effects that are caused by deception and contaminating data-driven methods with adversarial learning. For these reasons, recent research in threat detection is moving away from commonly, and often obsolete, datasets as well as adopting more multi-layered decision strategies.As such, this article provides a comprehensive review of decision strategies. We also examine their ability to support cyber situational awareness (CSA), providing to security analysts CSA properties such as situation assessment and system refinement.

show abstract

Flow-based Detection and Proxy-based Evasion of Encrypted Malware C2 Traffic

Cited by 21 publications

References 11 publications

ML-based tunnel detection and tunneled application classification

ML-based tunnel detection and tunneled application classification

The Threat of Offensive AI to Organizations

Toward situational awareness in threat detection. A survey

Contact Info

Product

Resources

About