Visible to the public "Scalable command and control detection in log data through UF-ICF analysis"Conflict Detection Enabled

Title"Scalable command and control detection in log data through UF-ICF analysis"
Publication TypeConference Paper
Year of Publication2015
AuthorsK. F. Hong, C. C. Chen, Y. T. Chiu, K. S. Chou
Conference Name2015 International Carnahan Conference on Security Technology (ICCST)
Date PublishedSept
ISBN Number978-1-4799-8691-0
Accession Number15729639
Keywordsadvanced persistent threat, antivirus software, APT, benign service, Botnet, C&C server detection, C&C sites, clustering methods, Command and Control (C&C), command and control systems, computer network security, connection behaviors, coverage rate, Decision support systems, domain names, filtering methods, fixed user agent string, Frequency modulation, information filtering, Information security, intrusion prevention systems, invasive software, IP addresses, IP networks, log data, Malware, networking logs, normal user, pattern clustering, pubcrawl170101, scalable command-and-control detection, UF-ICF analysis

During an advanced persistent threat (APT), an attacker group usually establish more than one C&C server and these C&C servers will change their domain names and corresponding IP addresses over time to be unseen by anti-virus software or intrusion prevention systems. For this reason, discovering and catching C&C sites becomes a big challenge in information security. Based on our observations and deductions, a malware tends to contain a fixed user agent string, and the connection behaviors generated by a malware is different from that by a benign service or a normal user. This paper proposed a new method comprising filtering and clustering methods to detect C&C servers with a relatively higher coverage rate. The experiments revealed that the proposed method can successfully detect C&C Servers, and the can provide an important clue for detecting APT.

Citation Key7389699