An In-Depth Study of Open-Source Command and Control Frameworks
Authors: Julien Piet, Blake Anderson, D. McGrew
Venue: 2018 13th International Conference on Malicious and Unwanted Software (MALWARE)
Published: 2018-10-01
DOI: 10.1109/MALWARE.2018.8659361 (https://doi.org/10.1109/MALWARE.2018.8659361)
Previous work has intensely studied the prevention and detection of malicious network traffic, but current solutions still lack the efficacy needed to detect Remote Access Trojan (RAT) network activity. This deficiency is becoming more of a threat with the releases of open-source implementations that emphasize ease of use while maintaining stealth and modularity. In this paper, we provide a detailed design and analysis of network-based methods that can detect generic RAT behaviors such as polling, and specific detection techniques targeting three popular open-source RATs: Metasploit, Empire, and Pupy. Our methods rely on passive monitoring as well as semi-active scans targeting suspicious servers that are triggered by the passive monitoring system. Our complete classification system achieves a ~98.5% true positive rate and a ~0.01% false positive rate, validating our approach to RAT detection.