
Unsupervised Detection of APT C&C Channels using Web Request Graphs

Conference paper in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2017)

Abstract

HTTP is the main protocol used by attackers to establish a command and control (C&C) channel to infected hosts in a network. Identifying such C&C channels in network traffic is however a challenge because of the large volume and complex structure of benign HTTP requests emerging from regular user browsing activities. A common approach to C&C channel detection has been to use supervised learning techniques which are trained on old malware samples. However, these techniques require large training datasets which are generally not available in the case of advanced persistent threats (APT); APT malware are often custom-built and used against selected targets only, making it difficult to collect malware artifacts for supervised machine learning and thus rendering supervised approaches ineffective at detecting APT traffic.

In this paper, we present a novel and highly effective unsupervised approach to detect C&C channels in Web traffic. Our key observation is that APT malware typically follows a specific communication pattern that differs from regular Web browsing. Therefore, by reconstructing the dependencies between Web requests, that is, the Web request graphs, and filtering away the nodes pertaining to regular Web browsing, we can identify malware requests without training a malware model.

We evaluated our approach on real Web traces and show that it can detect the C&C requests of nine APTs with a true positive rate of 99.5–100% and a true negative rate of 99.5–99.7%. These APTs had been used against several hundred organizations for years without being detected.
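As an added illustration of the request-graph idea (example code, not the paper's own implementation), the sketch below builds a Referer-based request graph from a constructed proxy log and reports the unreferenced, childless hosts that remain once browsing trees and an assumed allow-list are filtered away; the hosts, URLs and allow-list are hypothetical, and the paper's exact edge types and filter rules are not reproduced.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: (seconds, method, url, Referer or None).
# One browsing session on hypothetical hosts, an OCSP check, and an
# unreferenced POST repeating every 60 s (the pattern the paper targets).
LOG = [
    (0,   "GET",  "http://news.example/", None),
    (1,   "GET",  "http://news.example/style.css", "http://news.example/"),
    (1,   "GET",  "http://cdn.example/lib.js", "http://news.example/"),
    (2,   "GET",  "http://ads.example/track?id=1", "http://news.example/"),
    (5,   "GET",  "http://news.example/article/42", "http://news.example/"),
    (8,   "POST", "http://ocsp.example/", None),
    (10,  "POST", "http://c2-beacon.invalid/update.php", None),
    (70,  "POST", "http://c2-beacon.invalid/update.php", None),
    (130, "POST", "http://c2-beacon.invalid/update.php", None),
]
# Hosts legitimately contacted without a Referer (assumed allow-list; the
# paper's own filtering rules are not reproduced here).
ALLOWLIST = {"ocsp.example"}

def host(url):
    return urlsplit(url).hostname

def build_request_graph(log):
    """Add edge parent -> child when a request's Referer names an earlier
    request; requests without such a parent become roots."""
    children, seen, roots = defaultdict(list), set(), []
    for ts, method, url, referer in log:
        if referer in seen:
            children[referer].append(url)
        else:
            roots.append((ts, method, url))
        seen.add(url)
    return children, roots

def find_cc_candidates(log, allowlist=ALLOWLIST):
    """Keep roots that neither started a browsing tree nor belong to a host
    already reached through one, then group the survivors by host."""
    children, roots = build_request_graph(log)
    browsed = {host(u) for kids in children.values() for u in kids}
    browsed |= {host(p) for p in children}
    candidates = defaultdict(list)
    for ts, _method, url in roots:
        h = host(url)
        if url in children or h in browsed or h in allowlist:
            continue
        candidates[h].append(ts)
    return dict(candidates)
```

Running `find_cc_candidates(LOG)` leaves only the beaconing host with its three request timestamps; the page-load root and the allow-listed OCSP responder are filtered out.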


Notes

  1. 430 million malware samples have been released in 2015 according to Symantec’s Internet security threat report [37].

  2. We use benign Web traffic generated by scripts accessing the top 250 Web sites for Switzerland and user traffic logs from ClickMiner [25].

References

  1. APT Case RUAG. Technical Report. GovCERT.ch, 23 May 2016. https://www.melani.admin.ch/dam/melani/en/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf

  2. Contagiodump Blog. http://contagiodump.blogspot.com. Accessed Jan 2017

  3. HTTP Access Control. https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS. Accessed Jan 2017

  4. HTTP Method Definitions. https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html. Accessed Jan 2017

  5. Malware Capture Facility Project. http://mcfp.weebly.com. Accessed Jan 2017

  6. Malware-Traffic-Analysis Blog. http://www.malware-traffic-analysis.net. Accessed Jan 2017

  7. pcapanalysis. http://www.pcapanalysis.com. Accessed Jan 2017

  8. Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., Kruegel, C.: Disclosure: detecting botnet command and control servers through large-scale netflow analysis. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC 2012, pp. 129–138. ACM (2012)

  9. Bugzilla: Bug 1282878. https://bugzilla.mozilla.org/show_bug.cgi?id=1282878. Accessed Feb 2017

  10. Burghouwt, P., Spruit, M., Sips, H.: Detection of covert botnet command and control channels by causal analysis of traffic flows. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 117–131. Springer, Cham (2013). doi:10.1007/978-3-319-03584-0_10

  11. Chen, P., Desmet, L., Huygens, C.: A study on advanced persistent threats. In: Decker, B., Zúquete, A. (eds.) CMS 2014. LNCS, vol. 8735, pp. 63–72. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44885-4_5

  12. Cylance: Operation cleaver report. http://cdn2.hubspot.net/hubfs/270968/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf. Accessed Feb 2017

  13. FireEye: Evasive Tactics: Taidoor. https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html. Accessed Feb 2017

  14. FireEye: To Russia With Targeted Attack. https://www.fireeye.com/blog/threat-research/2012/12/to-russia-with-apt.html. Accessed Feb 2017

  15. Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the USENIX Security Symposium. USENIX Security 2008 (2008)

  16. Gu, G., Zhang, J., Lee, W.: Botsniffer: detecting botnet command and control channels in network traffic. In: Proceedings of the Network and Distributed System Security Symposium (NDSS 2008) (2008)

  17. Gugelmann, D., Gasser, F., Ager, B., Lenders, V.: Hviz: Http(s) traffic aggregation and visualization for network forensics. In: Proceedings of the DFRWS Europe (DFRWS 2015 Europe) Digital Investigation 12, Supplement 1, pp. 1–11 (2015)

  18. IETF: Online Certificate Status Protocol - OCSP. https://tools.ietf.org/html/rfc6960. Accessed Feb 2017

  19. Jacob, G., Hund, R., Kruegel, C., Holz, T.: Jackstraws: picking command and control connections from bot traffic. In: Proceedings of the USENIX Security Symposium. USENIX Security 2011 (2011)

  20. Jones, M.: Protecting privacy with referrers (2010). https://www.facebook.com/notes/facebook-engineering/protecting-privacy-with-referrers/392382738919/. Accessed Feb 2017

  21. Kaspersky Lab: The Nettraveler (aka ‘Travnet’). https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf. Accessed Jan 2017

  22. Kim, S.J., Lee, S., Bae, B.: Has-analyzer: detecting http-based c&c based on the analysis of http activity sets. TIIS 8(5), 1801–1816 (2014)

  23. Kaspersky Lab: The Darkhotel APT, a story of unusual hospitality. https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf. Accessed Feb 2017

  24. Mandiant: APT1 - Exposing One of China’s Cyber Espionage Units. https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf. Accessed Feb 2017

  25. Neasbitt, C., Perdisci, R., Li, K., Nelms, T.: Clickminer: towards forensic reconstruction of user-browser interactions from network traces. In: Proceedings of the ACM CCS 2014, pp. 1244–1255. ACM (2014)

  26. Nelms, T., Perdisci, R., Ahamad, M.: Execscent: mining for new c&c domains in live networks with adaptive control protocol templates. In: Proceedings of the USENIX Security Symposium, pp. 589–604. USENIX, Washington, D.C. (2013)

  27. Nelms, T., Perdisci, R., Antonakakis, M., Ahamad, M.: Webwitness: investigating, categorizing, and mitigating malware download paths. In: Proceedings of the USENIX Security Symposium, pp. 1025–1040. USENIX (2015)

  28. NIST: Managing Information Security Risk. NIST Special Publication 800-39. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

  29. Norman: Operation Hangover. http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf. Accessed Feb 2017

  30. Oprea, A., Li, Z., Yen, T.F., Chin, S.H., Alrwais, S.: Detection of early-stage enterprise infection by mining large-scale log data. In: Proceedings of the IEEE/IFIP Int. Conf. on Dependable Systems and Networks, DSN 2015, pp. 45–56. IEEE Computer Society (2015)

  31. Paxson, V.: Bro: a system for detecting network intruders in real-time. Comput. Netw. 31(23–24), 2435–2463 (1999)

  32. Pedregosa, F., Varoquaux, G., Gramfort, A., Michel, V., Thirion, B., Grisel, O., Blondel, M., Prettenhofer, P., Weiss, R., Dubourg, V., Vanderplas, J., Passos, A., Cournapeau, D., Brucher, M., Perrot, M., Duchesnay, E.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

  33. Perdisci, R., Ariu, D., Giacinto, G.: Scalable fine-grained behavioral clustering of http-based malware. Comput. Netw. 57(2), 487–500 (2013)

  34. Proofpoint: Nettraveler apt targets russian, european interests. https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests. Accessed Jan 2017

  35. Fidelis Security: Looking at the Sky for a DarkComet. https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf. Accessed Feb 2017

  36. SeleniumHQ: http://www.seleniumhq.org. Accessed Jan 2017

  37. Symantec: Internet security threat report. Technical Report 21, Symantec, April 2016. https://www.symantec.com/security-center/threat-report

  38. Tegeler, F., Fu, X., Vigna, G., Kruegel, C.: Botfinder: finding bots in network traffic without deep packet inspection. In: Proceedings of the International Conference on Emerging Networking Experiments and Technologies (CoNEXT), pp. 349–360. ACM (2012)

  39. TrendMicro: The Taidoor Campaign. https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf. Accessed Feb 2017

  40. Vassio, L., Drago, I., Mellia, M.: Detecting user actions from HTTP traces: toward an automatic approach. In: International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 50–55 (2016)

  41. W3C: Referer Policy. https://w3c.github.io/webappsec-referrer-policy. Accessed Feb 2017

  42. Xie, G., Iliofotou, M., Karagiannis, T., Faloutsos, M., Jin, Y.: Resurf: reconstructing web-surfing activity from network traffic. In: Proceedings of the International Conference on Networking, IFIP (2013)

  43. Zhang, H., Banick, W., Yao, D., Ramakrishnan, N.: User intention-based traffic dependence analysis for anomaly detection. In: IEEE Symposium on Security and Privacy Workshops, pp. 104–112, May 2012


Author information

Corresponding author: Laurent Vanbever.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Lamprakis, P., Dargenio, R., Gugelmann, D., Lenders, V., Happe, M., Vanbever, L. (2017). Unsupervised Detection of APT C&C Channels using Web Request Graphs. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_17


  • DOI: https://doi.org/10.1007/978-3-319-60876-1_17


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60875-4

  • Online ISBN: 978-3-319-60876-1

  • eBook Packages: Computer Science (R0)
