Malware on Internet of UAVs Detection Combining String Matching and Fourier Transformation

Advanced persistent threat (APT), with its intense penetration, long duration, and high degree of customization, has become one of the most serious threats to cybersecurity. Furthermore, the design and development of Internet-of-Things (IoT) devices often do not focus on security, which lets APT extend to IoT, including the emerging Internet of unmanned aerial vehicles (UAVs). Whether malware carrying an attack payload can be successfully implanted into UAVs is the key to an APT on the Internet of UAVs. APT malware on UAVs establishes communication with a command and control (C&C) server to remotely control the UAVs and steal the information they hold. Existing effective methods detect malware by analyzing the malicious behaviors generated during C&C communication. However, APT malware usually adopts a low-traffic attack mode, mixing a large amount of normal traffic into each attack step, to evade antivirus detection and removal. It is therefore difficult for traditional malware detection methods to discover APT malware on UAVs, whose abnormal signals are weak. Fortunately, we found that most APT attacks use the domain name system (DNS) to locate the malware's C&C server for periodic information transmission. This behavior leaves records in the network flow and DNS logs, which gives us an opportunity to identify infected internal UAVs and external malicious domain names. This article proposes a method for detecting APT malware on the Internet of UAVs that combines string matching and Fourier transformation on DNS traffic; because it does not depend on packet payloads, it can handle encrypted and obfuscated traffic. We preprocessed the collected network traffic by converting the timestamps of DNS requests into strings, and we used a trained random forest model to discover APT malware domain names from features extracted by string-matching-based periodicity detection and Fourier-transformation-based periodicity detection.
The proposed method was evaluated on a data set consisting of normal domains taken from normal traffic and malicious domains labeled by security experts from APT malware traffic. Experimental results show that the proposed detection method achieves an accuracy of 94%, which is better than the periodicity detection algorithm alone. Moreover, the proposed method does not need a confidence threshold to be set in order to select high-confidence periodicities.
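As an added illustration of the feature-extraction step described above (this is not the paper's code), the following Python builds the per-domain feature vector: a domain's DNS request timestamps are binned into a '0'/'1' string, a string-matching pass scores each candidate period by how often a request bin recurs at that offset, and a Fourier pass locates the dominant spectral peak. The bin width, window length, confidence definition and sample timestamps are assumptions; the random forest that the paper trains on such features is not included.

```python
import math

def to_symbol_string(timestamps, window, bin_width=1.0):
    """Bin one domain's DNS request times (seconds from window start) into a
    '0'/'1' string: '1' = at least one request fell in that bin."""
    n_bins = math.ceil(window / bin_width)
    bins = ["0"] * n_bins
    for t in timestamps:
        idx = int(t // bin_width)
        if 0 <= idx < n_bins:
            bins[idx] = "1"
    return "".join(bins)

def string_match_period(s):
    """String-matching periodicity: for each candidate period p, count request bins
    whose '1' recurs p positions later; confidence = share of all request bins that
    recur (an assumed definition). Smallest p wins ties, so a period beats its multiples."""
    n, ones = len(s), s.count("1")
    best_p, best_conf = 0, 0.0
    for p in range(1, n // 2 + 1):
        hits = sum(1 for i in range(n - p) if s[i] == "1" and s[i + p] == "1")
        conf = hits / ones if ones else 0.0
        if conf > best_conf:
            best_p, best_conf = p, conf
    return best_p, best_conf

def fourier_period(s):
    """Fourier periodicity: plain DFT power spectrum of the mean-removed 0/1 sequence;
    the strongest bin k gives period n/k, its share of total power says how periodic it is."""
    n = len(s)
    mean = s.count("1") / n
    x = [int(c) - mean for c in s]
    power = []
    for k in range(1, n // 2 + 1):
        re = sum(v * math.cos(2 * math.pi * k * i / n) for i, v in enumerate(x))
        im = sum(v * math.sin(2 * math.pi * k * i / n) for i, v in enumerate(x))
        power.append(re * re + im * im)
    total = sum(power) or 1.0
    k = max(range(len(power)), key=power.__getitem__) + 1
    return n / k, power[k - 1] / total

def extract_features(timestamps, window, bin_width=1.0):
    """Per-domain feature vector in the order a classifier would consume it."""
    s = to_symbol_string(timestamps, window, bin_width)
    sm_p, sm_conf = string_match_period(s)
    ft_p, ft_share = fourier_period(s)
    return {"sm_period": sm_p, "sm_conf": sm_conf, "ft_period": ft_p, "ft_share": ft_share}

# Constructed sample: a beacon every 10 s plus two unrelated lookups (21 s, 59 s),
# against a domain with irregular lookups; both make 14 requests in a 120 s window.
BEACON = [10 * i for i in range(12)] + [21, 59]
IRREGULAR = [2, 5, 11, 19, 23, 40, 41, 57, 70, 88, 93, 104, 113, 118]
```

On the beacon sample both passes recover the 10 s period with high confidence, while the irregular domain scores low on both, which is the separation the classifier relies on.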
