Unsupervised Detection of APT C&C Channels using Web Request Graphs

HTTP is the main protocol used by attackers to establish a command and control (C&C) APT malware are often custom-built and used against selected targets only, making it difficult to collect malware artifacts for supervised machine learning and thus rendering supervised approaches ineffective at detecting APT traffic.
