Lurking in the shadows: Unsupervised decoding of beaconing communication for enhanced cyber threat hunting

IF 7.7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE

Journal of Network and Computer Applications Pub Date : 2025-02-07 DOI:10.1016/j.jnca.2025.104127

Arash Mahboubi , Khanh Luong , Geoff Jarrad , Seyit Camtepe , Michael Bewong , Mohammed Bahutair , Ganna Pogrebna

{"title":"Lurking in the shadows: Unsupervised decoding of beaconing communication for enhanced cyber threat hunting","authors":"Arash Mahboubi , Khanh Luong , Geoff Jarrad , Seyit Camtepe , Michael Bewong , Mohammed Bahutair , Ganna Pogrebna","doi":"10.1016/j.jnca.2025.104127","DOIUrl":null,"url":null,"abstract":"<div><div>The escalating prevalence of Advanced Persistent Threats (APTs) necessitates the development of more robust solutions capable of effectively thwarting these attacks by monitoring system activities across individual hosts. Existing cloud-native security applications utilize a combination of rule-based and machine learning-based detection techniques to protect digital assets. However, these approaches have limitations. Rule-based detection depends on predefined rules to identify specific attack patterns. Persistent attackers can often evade detection by carefully ensuring that their behavior circumvents these rules. In contrast, machine learning-based detection techniques, which learn attack patterns from data, rely heavily on the availability of labeled data for training. However, labeled data is often unavailable and can be labor-intensive and costly to obtain. In this paper, we address the challenge of detecting APT attacks more holistically by leveraging attackers’ behavior during communication with Command and Control (C2) servers, a critical phase observed in most APT attacks. We aim to reduce false positive alerts for threat hunters by analyzing system network logs to detect potential network beaconing, a common attribute of various malware. We introduce a novel hybrid approach, called <em><strong>NetSpectra Sentinel</strong></em>, which employs a Continuous Time Hidden Markov Model (CT-HMM) to detect hidden states underlying observed patterns within the network logs and Time Series Decomposition (TSD) to model temporal patterns. We evaluate the effectiveness of our approach using 14 benchmark datasets and one synthetic dataset, comparing our method with other state-of-the-art statistical-based and botnet detection techniques. The results demonstrate that our technique achieves significantly higher accuracy in most cases, and even when existing techniques fail, our approach can still detect beaconing post-initial compromise with up to 90% accuracy. Additionally, we achieve up to four times better performance in terms of precision compared to existing statistical-based techniques.</div></div>","PeriodicalId":54784,"journal":{"name":"Journal of Network and Computer Applications","volume":"236 ","pages":"Article 104127"},"PeriodicalIF":7.7000,"publicationDate":"2025-02-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Network and Computer Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1084804525000244","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

The escalating prevalence of Advanced Persistent Threats (APTs) necessitates the development of more robust solutions capable of effectively thwarting these attacks by monitoring system activities across individual hosts. Existing cloud-native security applications utilize a combination of rule-based and machine learning-based detection techniques to protect digital assets. However, these approaches have limitations. Rule-based detection depends on predefined rules to identify specific attack patterns. Persistent attackers can often evade detection by carefully ensuring that their behavior circumvents these rules. In contrast, machine learning-based detection techniques, which learn attack patterns from data, rely heavily on the availability of labeled data for training. However, labeled data is often unavailable and can be labor-intensive and costly to obtain. In this paper, we address the challenge of detecting APT attacks more holistically by leveraging attackers’ behavior during communication with Command and Control (C2) servers, a critical phase observed in most APT attacks. We aim to reduce false positive alerts for threat hunters by analyzing system network logs to detect potential network beaconing, a common attribute of various malware. We introduce a novel hybrid approach, called NetSpectra Sentinel, which employs a Continuous Time Hidden Markov Model (CT-HMM) to detect hidden states underlying observed patterns within the network logs and Time Series Decomposition (TSD) to model temporal patterns. We evaluate the effectiveness of our approach using 14 benchmark datasets and one synthetic dataset, comparing our method with other state-of-the-art statistical-based and botnet detection techniques. The results demonstrate that our technique achieves significantly higher accuracy in most cases, and even when existing techniques fail, our approach can still detect beaconing post-initial compromise with up to 90% accuracy. Additionally, we achieve up to four times better performance in terms of precision compared to existing statistical-based techniques.

查看原文本刊更多论文

潜伏在阴影：信标通信的无监督解码增强网络威胁狩猎

高级持续威胁（apt）的不断升级，需要开发更强大的解决方案，能够通过监控各个主机的系统活动来有效地挫败这些攻击。现有的云原生安全应用程序结合了基于规则和基于机器学习的检测技术来保护数字资产。然而，这些方法有局限性。基于规则的检测依赖于预定义的规则来识别特定的攻击模式。持久攻击者通常可以通过小心翼翼地确保他们的行为绕过这些规则来逃避检测。相比之下，基于机器学习的检测技术从数据中学习攻击模式，严重依赖于标记数据的可用性进行训练。然而，标记数据通常是不可用的，并且可能是劳动密集型的，并且获得成本很高。在本文中，我们通过利用攻击者在与指挥与控制（C2）服务器通信期间的行为来解决更全面地检测APT攻击的挑战，这是大多数APT攻击中观察到的关键阶段。我们的目标是通过分析系统网络日志来检测潜在的网络信标（各种恶意软件的共同属性），从而减少威胁猎人的误报警报。我们介绍了一种新的混合方法，称为NetSpectra Sentinel，它使用连续时间隐马尔可夫模型（CT-HMM）来检测网络日志中观察模式的隐藏状态，并使用时间序列分解（TSD）来建模时间模式。我们使用14个基准数据集和一个合成数据集来评估我们方法的有效性，并将我们的方法与其他最先进的基于统计和僵尸网络的检测技术进行比较。结果表明，我们的技术在大多数情况下实现了显着更高的准确性，即使现有技术失败，我们的方法仍然可以以高达90%的准确率检测初始妥协后的信标。此外，与现有的基于统计的技术相比，我们在精度方面的性能提高了四倍。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Journal of Network and Computer Applications 工程技术-计算机：跨学科应用

CiteScore

21.50

自引率

3.40%

发文量

142

审稿时长

37 days

期刊介绍： The Journal of Network and Computer Applications welcomes research contributions, surveys, and notes in all areas relating to computer networks and applications thereof. Sample topics include new design techniques, interesting or novel applications, components or standards; computer networks with tools such as WWW; emerging standards for internet protocols; Wireless networks; Mobile Computing; emerging computing models such as cloud computing, grid computing; applications of networked systems for remote collaboration and telemedicine, etc. The journal is abstracted and indexed in Scopus, Engineering Index, Web of Science, Science Citation Index Expanded and INSPEC.