A Mulitiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches

Ji, Yuede; He, Yukun; Zhu, De-Wei; Li, Qiang; Guo, Dong

doi:10.1007/978-3-319-06320-1_7

Cited by 15 publications

(5 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The authors incorporate spatial and temporal correlations to identify patterns of the social bots. They gathered source code, builders, and execution patterns from established social botnets, including Twitterbot (Singh [22]), Twebot (Burghouwt et al [23]), Yazanbot (Boshmaf et al [24]), Nazbot (Kartaltepe et al [11]), wbbot (Ji et al [25]), and fbbot. Their objective was to scrutinize the techniques these bots employ to bypass current detection systems.…”

Section: Ml-based Detectionmentioning

confidence: 99%

Machine Learning Detection of Cloud Services Abuse as C&C Infrastructure

Al lelah,

Theodorakopoulos,

Javed

et al. 2023

JCP

View full text Add to dashboard Cite

The proliferation of cloud and public legitimate services (CLS) on a global scale has resulted in increasingly sophisticated malware attacks that abuse these services as command-and-control (C&C) communication channels. Conventional security solutions are inadequate for detecting malicious C&C traffic because it blends with legitimate traffic. This motivates the development of advanced detection techniques. We make the following contributions: First, we introduce a novel labeled dataset. This dataset serves as a valuable resource for training and evaluating detection techniques aimed at identifying malicious bots that abuse CLS as C&C channels. Second, we tailor our feature engineering to behaviors indicative of CLS abuse, such as connections to known CLS domains and potential C&C API calls. Third, to identify the most relevant features, we introduced a custom feature elimination (CFE) method designed to determine the exact number of features needed for filter selection approaches. Fourth, our approach focuses on both static and derivative features of Portable Executable (PE) files. After evaluating various machine learning (ML) classifiers, the random forest emerges as the most effective classifier, achieving a 98.26% detection rate. Fifth, we introduce the “Replace Misclassified Parameter (RMCP)” adversarial attack. This white-box strategy is designed to evaluate our system’s detection robustness. The RMCP attack modifies feature values in malicious samples to make them appear as benign samples, thereby bypassing the ML model’s classification while maintaining the malware’s malicious capabilities. The results of the robustness evaluation demonstrate that our proposed method successfully maintains a high accuracy level of 84%. In sum, our comprehensive approach offers a robust solution to the growing threat of malware abusing CLS as C&C infrastructure.

show abstract

Section: Ml-based Detectionmentioning

confidence: 99%

Machine Learning Detection of Cloud Services Abuse as C&C Infrastructure

Al lelah,

Theodorakopoulos,

Javed

et al. 2023

JCP

View full text Add to dashboard Cite

show abstract

“…Ji et al [117] conducted an empirical evaluation of several previously documented abusive social bots. They collected source codes, builders, and execution traces of existing social botnets, such as Twitterbot (Singh [120]), Twebot (Burghouwt et al [121]), Yazanbot (Boshmaf et al [122]), Nazbot (Kartaltepe et al [32]), wbbot (Ji et al [123]), and fbbot. Their aim was to analyze the mechanisms these bots utilize to evade existing detection approaches.…”

Section: Abuse Detection Mechanismmentioning

confidence: 99%

Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature Review

Al lelah,

Theodorakopoulos,

Reinecke

et al. 2023

JCP

View full text Add to dashboard Cite

The widespread adoption of cloud-based and public legitimate services (CPLS) has inadvertently opened up new avenues for cyber attackers to establish covert and resilient command-and-control (C&C) communication channels. This abuse poses a significant cybersecurity threat, as it allows malicious traffic to blend seamlessly with legitimate network activities. Traditional detection systems are proving inadequate in accurately identifying such abuses, emphasizing the urgent need for more advanced detection techniques. In our study, we conducted an extensive systematic literature review (SLR) encompassing the academic and industrial literature from 2008 to July 2023. Our review provides a comprehensive categorization of the attack techniques employed in CPLS abuses and offers a detailed overview of the currently developed detection strategies. Our findings indicate a substantial increase in cloud-based abuses, facilitated by various attack techniques. Despite this alarming trend, the focus on developing detection strategies remains limited, with only 7 out of 91 studies addressing this concern. Our research serves as a comprehensive review of CPLS abuse for the C&C infrastructure. By examining the emerging techniques used in these attacks, we aim to make a significant contribution to the development of effective botnet defense strategies.

show abstract

“…and has seen multiple uses in the wild over the years [15]. As we mentioned in Section 1, a rather rich academic literature explores variants of this idea: initially to thwart signature scanning [39], but soon enough behavioral detection became the main target (e.g., [26,21,15]). Multi-process execution can be effective against behavioral analyses as their "dynamic" signatures often involve sequences of events that are not short (or the risk of false positives could be very high [26]): henceforth attackers may spread smaller parts to separate execution units.…”

Section: Distributed Malwarementioning

confidence: 99%

“…This approach requires partitioning a payload into coordinated components so that no one of them causes an AV/EDR system to raise an alert [40]. Some academic literature [40,26,21,8] explores distributed malware execution designs that, using manual or automated methods, craft components that execute as independent processes and coordinate between themselves, possibly through covert channels. Using dedicated processes as units, however, is a conspicuous trait that exposes every process to immediate analysis and, depending on the ignition method, to correlation attempts from security solutions.…”

Section: Introductionmentioning

confidence: 99%

Rope: Covert Multi-process Malware Execution with Return-Oriented Programming

D’Elia

Invidia

Querzoni

2021

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Distributed execution designs challenge behavioral analyses of anti-malware solutions by spreading seemingly benign chunks of a malicious payload to multiple processes. Researchers have explored methods to chop payloads, spread chunks to victim applications through process injection techniques, and orchestrate the execution. However, these methods can hardly be practical as they exhibit conspicuous features and make use of primitives that anti-malware solutions and operating system mitigations readily detect. In this paper we reason on fundamental requirements and properties for a stealth implementation of distributed malware. We propose a new covert design, Rope, that minimizes its footprint by making use of commodity techniques like transacted files and return-oriented programming for covert communication and payload distribution. We report on how synthetic Rope samples eluded a number of state-of-the-art anti-virus and endpoint security solutions, and bypassed the opt-in mitigations of Windows 10 for hardening applications. We then discuss directions and practical remediations to mitigate such threats.

show abstract

A Mulitiprocess Mechanism of Evading Behavior-Based Bot Detection Approaches

Cited by 15 publications

References 12 publications

Machine Learning Detection of Cloud Services Abuse as C&C Infrastructure

Machine Learning Detection of Cloud Services Abuse as C&C Infrastructure

Abuse of Cloud-Based and Public Legitimate Services as Command-and-Control (C&C) Infrastructure: A Systematic Literature Review

Rope: Covert Multi-process Malware Execution with Return-Oriented Programming

Contact Info

Product

Resources

About