Mining Malware Command and Control Traces

Title: Mining Malware Command and Control Traces
Publication Type: Conference Paper
Year of Publication: 2017
Authors: McLaren, P., Russell, G., Buchanan, B.
Conference Name: 2017 Computing Conference
ISBN Number: 978-1-5090-5443-5
Keywords: advanced persistent threat, advanced persistent threats, anomaly based detection, Botnet, Classification algorithms, command and control, command and control systems, control channel, control payloads, control traces, controller commands, data mining, detecting botnets, effective anomaly based detection technique, Human Behavior, invasive software, Malware, malware detection rates, malware threats, Metrics, pattern classification, Pattern recognition, Payloads, pubcrawl, resilience, Resiliency, Scalability, security of data, telecommunication traffic

Detecting botnets and advanced persistent threats is a major challenge for network administrators. An important component of such malware is the command and control channel, which enables the malware to respond to controller commands. Detecting malware command and control channels could help prevent further malicious activity by the criminals operating the malware. Detection of malware in network traffic has traditionally been carried out by identifying specific patterns in packet payloads. Bot writers now encrypt the command and control payloads, making payload pattern matching a less effective form of detection. This paper focuses instead on an effective anomaly-based detection technique for bots and advanced persistent threats, using a data mining approach combined with classification algorithms. After additional tuning, a final test on an unseen dataset achieved a 0% false positive rate and a 100% malware detection rate on two examined malware threats, with promising results on a number of other threats.
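The abstract does not publish the paper's feature set or classifier, so the following is an added illustration of the general idea rather than the authors' code: encrypting the payload hides byte patterns but not the timing and size behaviour of a call-home channel, and those metadata features can be fed to an ordinary classifier. The feature choice (coefficient of variation of inter-arrival time and of payload size per source/destination pair), the k-nearest-neighbour classifier, and the host addresses and traffic are all assumptions constructed for the example; the 0% / 100% figures it prints are for its own synthetic traffic and say nothing about the paper's dataset.

```python
"""Classification of C2 call-home channels from flow metadata (timing and
size) rather than payload bytes.

Added illustration, not the paper's code: features, classifier, addresses
and all traffic below are constructed for the example."""
import math
import random
from collections import Counter, defaultdict
from statistics import mean, pstdev


def make_beacon(src, dst, period, jitter, size, n, rng):
    """Constructed periodic call-home traffic: near-fixed interval and size."""
    t, flows = 0.0, []
    for _ in range(n):
        flows.append((t, src, dst, size + rng.randint(-8, 8)))
        t += period + rng.uniform(-jitter, jitter)
    return flows


def make_browsing(src, dst, mean_gap, n, rng):
    """Constructed user-driven traffic: bursty gaps, widely varying sizes."""
    t, flows = 0.0, []
    for _ in range(n):
        flows.append((t, src, dst, rng.randint(300, 60000)))
        t += rng.expovariate(1.0 / mean_gap)
    return flows


def extract_features(flows, min_flows=4):
    """Per (src, dst) pair: [inter-arrival CV, payload-size CV].
    Both are near zero for clockwork beacons and large for human-driven
    traffic; encrypting the payload changes neither."""
    groups = defaultdict(list)
    for t, src, dst, nbytes in flows:
        groups[(src, dst)].append((t, nbytes))
    feats = {}
    for key, recs in groups.items():
        if len(recs) < min_flows:
            continue  # too few samples to judge periodicity
        recs.sort()
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [nb for _, nb in recs]
        feats[key] = [pstdev(gaps) / mean(gaps), pstdev(sizes) / mean(sizes)]
    return feats


class KNN:
    """Minimal k-nearest-neighbour classifier with z-score feature scaling."""

    def __init__(self, k=3):
        self.k = k

    def fit(self, X, y):
        cols = list(zip(*X))
        self.mu = [mean(c) for c in cols]
        self.sd = [pstdev(c) or 1.0 for c in cols]
        self.X = [self._scale(x) for x in X]
        self.y = list(y)

    def _scale(self, x):
        return [(v - m) / s for v, m, s in zip(x, self.mu, self.sd)]

    def predict(self, x):
        z = self._scale(x)
        nearest = sorted((math.dist(z, xi), yi) for xi, yi in zip(self.X, self.y))
        return Counter(label for _, label in nearest[: self.k]).most_common(1)[0][0]


def label_of(key):
    """Ground truth for the constructed hosts: 10.0.0.x / 10.0.2.x beacon."""
    return "c2" if key[0].startswith(("10.0.0.", "10.0.2.")) else "benign"


def build_sets():
    """Constructed training traffic and unseen test traffic (hypothetical IPs)."""
    rng = random.Random(7)
    train, test = [], []
    for i in range(4):  # training: four beaconing hosts, four browsing hosts
        train += make_beacon(f"10.0.0.{i}", "198.51.100.5", 60, 2, 220, 30, rng)
        train += make_browsing(f"10.0.1.{i}", "203.0.113.9", 45, 30, rng)
    # unseen hosts with beacon periods and browsing rhythms not seen in training
    for i, (period, jitter, size) in enumerate([(30, 3, 128), (300, 30, 512), (900, 90, 96)]):
        test += make_beacon(f"10.0.2.{i}", "198.51.100.7", period, jitter, size, 25, rng)
    for i, gap in enumerate([10, 45, 300]):
        test += make_browsing(f"10.0.3.{i}", "203.0.113.11", gap, 25, rng)
    return train, test


def evaluate():
    """Train on the training hosts, score the unseen hosts.
    Returns (verdict per source IP, detection rate, false positive rate)."""
    train, test = build_sets()
    tf = extract_features(train)
    clf = KNN(k=3)
    clf.fit(list(tf.values()), [label_of(k) for k in tf])
    preds, tp, fp, pos, neg = {}, 0, 0, 0, 0
    for key, x in extract_features(test).items():
        verdict = clf.predict(x)
        preds[key[0]] = verdict
        if label_of(key) == "c2":
            pos += 1
            tp += verdict == "c2"
        else:
            neg += 1
            fp += verdict == "c2"
    return preds, tp / pos, fp / neg


if __name__ == "__main__":
    preds, tpr, fpr = evaluate()
    for src, verdict in sorted(preds.items()):
        print(f"{src:10s} -> {verdict}")
    print(f"detection rate {tpr:.0%}, false positive rate {fpr:.0%}")
```

The separation here is easy by construction; real C2 that randomises its sleep interval, pads message sizes, or hides in legitimate-looking services narrows the gap between the two clusters, which is why a classifier tuned on one dataset has to be re-checked on unseen traffic before its detection and false-positive rates mean anything.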

Citation Key: mclaren_mining_2017