Abstract
HTTP is the main protocol used by attackers to establish a command and control (C&C) channel to infected hosts in a network. Identifying such C&C channels in network traffic is, however, challenging because of the large volume and complex structure of the benign HTTP requests generated by regular user browsing. A common approach to C&C channel detection has been to use supervised learning techniques trained on old malware samples. However, these techniques require large training datasets, which are generally not available in the case of advanced persistent threats (APTs): APT malware is often custom-built and used against selected targets only, which makes it difficult to collect malware artifacts for supervised machine learning and thus renders supervised approaches ineffective at detecting APT traffic.
In this paper, we present a novel and highly effective unsupervised approach to detect C&C channels in Web traffic. Our key observation is that APT malware typically follows a specific communication pattern that is different from regular Web browsing. Therefore, by reconstructing the dependencies between Web requests, that is, the Web request graphs, and filtering away the nodes pertaining to regular Web browsing, we can identify malware requests without training a malware model.
We evaluate our approach on real Web traces and show that it can detect the C&C requests of nine APTs with a true positive rate of 99.5–100% and a true negative rate of 99.5–99.7%. These APTs had been used against several hundred organizations for years without being detected.
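The idea of the abstract, reconstructing a Web request graph and keeping only the requests that do not hang off a user's browsing, can be made concrete with a small script. The following is an added example written for this page, not code from the paper or its authors. It assumes a simplified tab-separated proxy log (timestamp, client, method, URL, Referer, response Content-Type), links each request to the earlier request whose URL matches its Referer header, and treats a parentless request that fetched an HTML page as the start of a user action; these choices and the sample log lines are constructed for illustration and are not the paper's exact filtering rules.

```python
"""Flag HTTP requests that are not reachable from any user-initiated page load.

Added example for this page (not the paper's implementation). Assumptions:
  * log records are tab-separated: ts, client, method, url, referer, content-type
    ('-' marks an absent Referer header);
  * a request depends on the most recent earlier request by the same client
    whose URL equals its Referer (Referer-based graph reconstruction);
  * a parentless request that returned text/html is a user-initiated root.
Requests whose dependency chain does not end in such a root are reported as
C&C candidates.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    ts: float
    client: str
    method: str
    url: str
    referer: Optional[str]
    ctype: str                      # response Content-Type
    parent: Optional["Request"] = None
    children: List["Request"] = field(default_factory=list)


# Constructed sample log: one client browsing a news site while an implant
# beacons to 198.51.100.23 (a documentation address, not a real IoC).
SAMPLE_LOG = """\
# ts\tclient\tmethod\turl\treferer\tcontent-type
1000.0\t10.0.0.5\tGET\thttp://news.example.com/\t-\ttext/html
1000.2\t10.0.0.5\tGET\thttp://news.example.com/style.css\thttp://news.example.com/\ttext/css
1000.3\t10.0.0.5\tGET\thttp://cdn.example.net/lib.js\thttp://news.example.com/\tapplication/javascript
1000.4\t10.0.0.5\tGET\thttp://ads.example.org/track?id=1\thttp://news.example.com/\timage/gif
1001.0\t10.0.0.5\tPOST\thttp://198.51.100.23/upd/check.php\t-\ttext/plain
1005.0\t10.0.0.5\tGET\thttp://news.example.com/article/1\thttp://news.example.com/\ttext/html
1005.2\t10.0.0.5\tGET\thttp://img.example.com/a.jpg\thttp://news.example.com/article/1\timage/jpeg
1061.0\t10.0.0.5\tPOST\thttp://198.51.100.23/upd/check.php\t-\ttext/plain
1061.1\t10.0.0.5\tGET\thttp://198.51.100.23/upd/cmd.txt\thttp://198.51.100.23/upd/check.php\ttext/plain
"""


def parse_log(lines) -> List[Request]:
    """Parse the assumed tab-separated format, skipping blank and comment lines."""
    reqs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, method, url, referer, ctype = line.split("\t")
        reqs.append(Request(float(ts), client, method, url,
                            None if referer == "-" else referer, ctype))
    return reqs


def build_graph(reqs: List[Request]) -> List[Request]:
    """Attach each request to the latest earlier request (same client) whose URL
    equals its Referer. Requests are processed in time order, so the per-URL
    lists stay sorted and the last matching entry is the most recent parent."""
    by_url: Dict[tuple, List[Request]] = defaultdict(list)
    for r in sorted(reqs, key=lambda x: x.ts):
        if r.referer is not None:
            cands = [p for p in by_url[(r.client, r.referer)] if p.ts <= r.ts]
            if cands:
                r.parent = cands[-1]
                r.parent.children.append(r)
        by_url[(r.client, r.url)].append(r)
    return reqs


def is_user_root(r: Request) -> bool:
    """Heuristic (assumption): a parentless HTML fetch starts a browsing action."""
    return r.parent is None and r.ctype.startswith("text/html")


def root_of(r: Request) -> Request:
    while r.parent is not None:
        r = r.parent
    return r


def find_candidates(reqs: List[Request]) -> List[Request]:
    """Requests whose chain does not end in a user-initiated root: C&C candidates."""
    return [r for r in reqs if not is_user_root(root_of(r))]


def summarize(cands: List[Request]) -> Dict[str, int]:
    """Count candidate requests per destination host, for analyst triage."""
    return dict(Counter(urlsplit(r.url).hostname for r in cands))


if __name__ == "__main__":
    graph = build_graph(parse_log(SAMPLE_LOG.splitlines()))
    for host, n in summarize(find_candidates(graph)).items():
        print(f"{host}: {n} request(s) not linked to any user browsing")
```

On the constructed log, the three requests to 198.51.100.23 are reported (the cmd.txt fetch is flagged as well because its chain ends in the beacon, not in a page load), while every asset of the news site is absorbed into the browsing tree. In a real deployment the root heuristic needs refinement: requests whose Referer points at a page loaded before the capture started, and legitimate background traffic such as certificate-status checks or software updates, would all surface here and must be handled before the remaining nodes are treated as C&C.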
© 2017 Springer International Publishing AG
Lamprakis, P., Dargenio, R., Gugelmann, D., Lenders, V., Happe, M., Vanbever, L. (2017). Unsupervised Detection of APT C&C Channels using Web Request Graphs. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science(), vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_17
DOI: https://doi.org/10.1007/978-3-319-60876-1_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60875-4
Online ISBN: 978-3-319-60876-1
eBook Packages: Computer Science; Computer Science (R0)