Network Behavioral Features for Detecting Remote Access Trojans in the Early Stage

Yin, Khin Swe; Khine, May Aye

doi:10.1145/3171592.3171597

Cited by 3 publications

(2 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Features are collected from the traffic of 10 types normal application and 10 remote access Trojans [11].…”

Section: Feature Extractionmentioning

confidence: 99%

Ensemble Learning for Detecting Remote Access Trojans

2019

Proceedings of 2019 the 9th International Workshop on Computer Science and Engineering

View full text Add to dashboard Cite

Machine learn ing algorith ms for network traffic classificat ion has been researche d for several years. They are useful for both encrypted and unencrypted network traffic classification. Nowadays malicious malware like Remote Access Trojans go through network, and they are secretly installed in a victim's computer, they stay in the victim host and communicate back to the attacker. The command and control traffic of Remote Access Trojans can be d ifferentiated fro m normal traffic using machine learning based techniques. This paper compares the performance of nine supervised machine learn ing algorithms for detection of Remote Access Trojans. Both unbalanced and balanced dataset are applied for building model. Four ensemble learning methods give high detection rate. Among them, AdaBoost ensemble learning outperforms the competing methods, and it gets the best accuracy, least false negative rate and least false positive rate.

show abstract

“…Features are collected from the traffic of 10 types normal application and 10 remote access Trojans [11].…”

Section: Feature Extractionmentioning

confidence: 99%

Ensemble Learning for Detecting Remote Access Trojans

2019

Proceedings of 2019 the 9th International Workshop on Computer Science and Engineering

View full text Add to dashboard Cite

show abstract

“…Its detection rate is 97.7%. The unbalanced ratio of normal and malicious sessions is used in [13]- [15]. RATs are run once and captured the traffic to extract features.…”

mentioning

confidence: 99%

Optimal remote access trojans detection based on network behavior

Yin

Khine

2019

IJECE

Self Cite

View full text Add to dashboard Cite

<p>RAT is one of the most infected malware in the hyper-connected world. Data is being leaked or disclosed every day because new remote access Trojans are emerging and they are used to steal confidential data from target hosts. Network behavior-based detection has been used to provide an effective detection model for Remote Access Trojans. However, there is still short comings: to detect as early as possible, some False Negative Rate and accuracy that may vary depending on ratio of normal and malicious RAT sessions. As typical network contains large amount of normal traffic and small amount of malicious traffic, the detection model was built based on the different ratio of normal and malicious sessions in previous works. At that time false negative rate is less than 2%, and it varies depending on different ratio of normal and malicious instances. An unbalanced dataset will bias the prediction model towards the more common class. In this paper, each RAT is run many times in order to capture variant behavior of a Remote Access Trojan in the early stage, and balanced instances of normal applications and Remote Access Trojans are used for detection model. Our approach achieves 99 % accuracy and 0.3% False Negative Rate by Random Forest Algorithm.</p>

show abstract