MBTree: Detecting Encryption RAT Communication Using Malicious Behavior Tree
Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel pith:IT6BDXX3record.jsonopen to challenge →
read the original abstract
Network trace signature matching is one reliable approach to detect active Remote Control Trojan, (RAT). Compared to statistical-based detection of malicious network traces in the face of known RATs, the signature-based method can achieve more stable performance and thus more reliability. However, with the development of encrypted technologies and disguise tricks, current methods suffer inaccurate signature descriptions and inflexible matching mechanisms. In this paper, we propose to tackle above problems by presenting MBTree, an approach to detect encryption RATs Command and Control (C&C) communication based on host-level network trace behavior. MBTree first models the RAT network behaviors as the malicious set by automatically building the multiple level tree, MLTree from distinctive network traces of each sample. Then, MBTree employs a detection algorithm to detect malicious network traces that are similar to any MLTrees in the malicious set. To illustrate the effectiveness of our proposed method, we adopt theoretical analysis of MBTree from the probability perspective. In addition, we have implemented MBTree to evaluate it on five datasets which are reorganized in a sophisticated manner for comprehensive assessment. The experimental results demonstrate the accurate and robust of MBTree, especially in the face of new emerging benign applications.
This paper has not been read by Pith yet.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.