"Scalable command and control detection in log data through UF-ICF analysis"
| Field | Value |
|---|---|
| Title | "Scalable command and control detection in log data through UF-ICF analysis" |
| Publication Type | Conference Paper |
| Year of Publication | 2015 |
| Authors | K. F. Hong, C. C. Chen, Y. T. Chiu, K. S. Chou |
| Conference Name | 2015 International Carnahan Conference on Security Technology (ICCST) |
| Date Published | Sept |
| Publisher | IEEE |
| ISBN Number | 978-1-4799-8691-0 |
| Accession Number | 15729639 |
| Keywords | advanced persistent threat, antivirus software, APT, benign service, Botnet, C&C server detection, C&C sites, clustering methods, Command and Control (C&C), command and control systems, computer network security, connection behaviors, coverage rate, Decision support systems, domain names, filtering methods, fixed user agent string, Frequency modulation, information filtering, Information security, intrusion prevention systems, invasive software, IP addresses, IP networks, log data, Malware, networking logs, normal user, pattern clustering, pubcrawl170101, scalable command-and-control detection, UF-ICF analysis |
| Abstract | During an advanced persistent threat (APT), an attacker group usually establishes more than one C&C server, and these C&C servers will change their domain names and corresponding IP addresses over time to remain unseen by anti-virus software or intrusion prevention systems. For this reason, discovering and catching C&C sites becomes a big challenge in information security. Based on our observations and deductions, a malware tends to contain a fixed user agent string, and the connection behaviors generated by a malware are different from those of a benign service or a normal user. This paper proposed a new method comprising filtering and clustering methods to detect C&C servers with a relatively higher coverage rate. The experiments revealed that the proposed method can successfully detect C&C servers, and can provide an important clue for detecting APT. |
| URL | http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7389699&isnumber=7389647 |
| DOI | 10.1109/CCST.2015.7389699 |
| Citation Key | 7389699 |