A Practical Experiment of the HTTP-Based RAT Detection Method in Proxy Server Logs

M. Mimura, Yuhei Otsubo, Hidehiko Tanaka, Hidema Tanaka
DOI: 10.1109/AsiaJCIS.2017.13 (https://doi.org/10.1109/AsiaJCIS.2017.13)
Published in: 2017 12th Asia Joint Conference on Information Security (AsiaJCIS)
Publication date: 2017-08-01
Citation count: 12
Source record: Semantic Scholar

Abstract

Detecting a RAT (Remote Access Trojan or Remote Administration Tool) used in APT (Advanced Persistent Threat) attacks is a challenging task. Many previous methods for detecting RATs on the network require monitoring all network traffic. However, it is difficult to retain all network traffic because the volume is too large. In practice, RAT activity must be detected from limited information such as proxy server logs. We therefore previously proposed a method for detecting RAT activity in proxy server logs. The method relies only on behavior and does not use pattern matching: the behavior is not defined by character strings or regular expressions, but by network traffic patterns such as the sizes of the objects returned to the client or the intervals between logged timestamps. The classification performance under general conditions is good, but the performance under practical conditions is uncertain, because in practice the training data must be chosen arbitrarily. In this paper, we apply the method to actual proxy server logs under practical conditions, and show that it can detect more than 95 percent of the malicious communications in APT attacks with few false positives. The method does not require monitoring all network traffic and uses only standard proxy server logs. Moreover, it can also detect HTTP-based RATs in real time.