Machine Learning Detection of Cloud Services Abuse as C&C Infrastructure

Author:

Al lelah Turki 1, Theodorakopoulos George 1, Javed Amir 1, Anthi Eirini 1

Affiliation:

1. School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK

Abstract

The proliferation of cloud and public legitimate services (CLS) on a global scale has resulted in increasingly sophisticated malware attacks that abuse these services as command-and-control (C&C) communication channels. Conventional security solutions are inadequate for detecting malicious C&C traffic because it blends with legitimate traffic. This motivates the development of advanced detection techniques. We make the following contributions: First, we introduce a novel labeled dataset. This dataset serves as a valuable resource for training and evaluating detection techniques aimed at identifying malicious bots that abuse CLS as C&C channels. Second, we tailor our feature engineering to behaviors indicative of CLS abuse, such as connections to known CLS domains and potential C&C API calls. Third, to identify the most relevant features, we introduce a custom feature elimination (CFE) method designed to determine the exact number of features needed for filter selection approaches. Fourth, our approach focuses on both static and derivative features of Portable Executable (PE) files. After evaluating various machine learning (ML) classifiers, the random forest emerges as the most effective classifier, achieving a 98.26% detection rate. Fifth, we introduce the “Replace Misclassified Parameter (RMCP)” adversarial attack. This white-box strategy is designed to evaluate our system’s detection robustness. The RMCP attack modifies feature values in malicious samples so that they appear benign, thereby bypassing the ML model’s classification while preserving the malware’s malicious capabilities. The results of the robustness evaluation demonstrate that our proposed method maintains a high accuracy level of 84% under this attack. In sum, our comprehensive approach offers a robust solution to the growing threat of malware abusing CLS as C&C infrastructure.

Publisher

MDPI AG

Subject

General Earth and Planetary Sciences, General Environmental Science

