C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks

IF 2.4 4区计算机科学 Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS

International Journal of Information Security Pub Date : 2024-04-29 DOI:10.1007/s10207-024-00850-y

Raja Zeeshan Haider, Baber Aslam, Haider Abbas, Zafar Iqbal

{"title":"C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks","authors":"Raja Zeeshan Haider, Baber Aslam, Haider Abbas, Zafar Iqbal","doi":"10.1007/s10207-024-00850-y","DOIUrl":null,"url":null,"abstract":"<p>Supply chain attacks are potent cyber attacks for widespread ramifications by compromising supply chains. Supply chain attacks are difficult to detect as the malware is installed through trustworthy supply chains, missing signs of infection and making deployed security controls ineffective. Recent increases in supply chain attacks warrant a Zero-trust model and innovative solutions for detecting supply chain attacks. Supply chain malware need to establish a Command and Control (C2) connection as a communication link with the attacker to proceed on the privileged pathway. Discovery of the C2 channel between the attacker and supply chain malware can lead to detection of the attack. The most promising technique for detecting supply chain attacks is monitoring host-based indicators and correlating these with associated network activity for early discovery of C2 connection. Proposed framework has introduced a novel approach of detecting C2 over DNS by incorporating host-based activity with corresponding network activity coupled with threat intelligence. C2-Eye integrates process-specific host-based features, correlated network activity, DNS metadata, DNS semantic analysis, and real time threat intelligence from publicly available resources for detecting C2 of supply chain attacks. Besides, C2-Eye monitors the exploitation of C2 channel for probable data exfiltration. C2-Eye has introduced a distinctive featureset with 22 novel features specific to supply chain attack, enabling detection of the attack with F1-score of 98.70%.</p>","PeriodicalId":50316,"journal":{"name":"International Journal of Information Security","volume":"32 1","pages":""},"PeriodicalIF":2.4000,"publicationDate":"2024-04-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"International Journal of Information Security","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10207-024-00850-y","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Supply chain attacks are potent cyber attacks for widespread ramifications by compromising supply chains. Supply chain attacks are difficult to detect as the malware is installed through trustworthy supply chains, missing signs of infection and making deployed security controls ineffective. Recent increases in supply chain attacks warrant a Zero-trust model and innovative solutions for detecting supply chain attacks. Supply chain malware need to establish a Command and Control (C2) connection as a communication link with the attacker to proceed on the privileged pathway. Discovery of the C2 channel between the attacker and supply chain malware can lead to detection of the attack. The most promising technique for detecting supply chain attacks is monitoring host-based indicators and correlating these with associated network activity for early discovery of C2 connection. Proposed framework has introduced a novel approach of detecting C2 over DNS by incorporating host-based activity with corresponding network activity coupled with threat intelligence. C2-Eye integrates process-specific host-based features, correlated network activity, DNS metadata, DNS semantic analysis, and real time threat intelligence from publicly available resources for detecting C2 of supply chain attacks. Besides, C2-Eye monitors the exploitation of C2 channel for probable data exfiltration. C2-Eye has introduced a distinctive featureset with 22 novel features specific to supply chain attack, enabling detection of the attack with F1-score of 98.70%.

Abstract Image

查看原文本刊更多论文

C2-Eye：检测供应链攻击的指挥与控制（C2）连接的框架

供应链攻击是通过破坏供应链而造成广泛影响的强大网络攻击。供应链攻击难以检测，因为恶意软件是通过可信的供应链安装的，错过了感染迹象，使已部署的安全控制失效。最近，供应链攻击的增加要求采用 "零信任 "模式和创新解决方案来检测供应链攻击。供应链恶意软件需要建立一个指挥与控制（C2）连接，作为与攻击者之间的通信链路，才能通过特权途径继续攻击。发现攻击者与供应链恶意软件之间的 C2 通道可导致对攻击的检测。检测供应链攻击的最有前途的技术是监控基于主机的指标，并将这些指标与相关网络活动关联起来，以尽早发现 C2 连接。所提出的框架通过将基于主机的活动与相应的网络活动和威胁情报相结合，引入了一种通过 DNS 检测 C2 的新方法。C2-Eye 集成了特定进程的主机特征、相关网络活动、DNS 元数据、DNS 语义分析和来自公开资源的实时威胁情报，用于检测供应链中的 C2 攻击。此外，C2-Eye 还能监控 C2 通道的利用情况，以防数据外泄。C2-Eye 引入了一个独特的特征集，其中包括 22 个针对供应链攻击的新特征，使攻击检测的 F1 分数达到 98.70%。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

International Journal of Information Security 工程技术-计算机：理论方法

CiteScore

6.30

自引率

3.10%

发文量

审稿时长

12 months

期刊介绍： The International Journal of Information Security is an English language periodical on research in information security which offers prompt publication of important technical work, whether theoretical, applicable, or related to implementation. Coverage includes system security: intrusion detection, secure end systems, secure operating systems, database security, security infrastructures, security evaluation; network security: Internet security, firewalls, mobile security, security agents, protocols, anti-virus and anti-hacker measures; content protection: watermarking, software protection, tamper resistant software; applications: electronic commerce, government, health, telecommunications, mobility.