Unsupervised Detection of APT C&C Channels using Web Request Graphs

Authors: Pavlos Lamprakis, Ruggiero Dargenio, David Gugelmann, Vincent Lenders, Markus Happe, and Laurent Vanbever
Detection of Intrusions and Malware, and Vulnerability Assessment

Abstract

HTTP is the main protocol used by attackers to establish a command and control (C&C) channel to infected hosts in a network. Identifying such C&C channels in network traffic is however a challenge because of the large volume and complex structure of benign HTTP requests emerging from regular user browsing activities. A common approach to C&C channel detection has been to use supervised learning techniques which are trained on old malware samples. However, these techniques require large training datasets which are generally not available in the case of advanced persistent threats (APT); APT malware are often custom-built and used against selected targets only, making it difficult to collect malware artifacts for supervised machine learning and thus rendering supervised approaches ineffective at detecting APT traffic.

In this paper, we present a novel and highly effective unsupervised approach to detect C&C channels in Web traffic. Our key observation is that APT malware typically follow a specific communication pattern that is different from regular Web browsing. Therefore, by reconstructing the dependencies between Web requests, that is, the Web request graphs, and filtering away the nodes pertaining to regular Web browsing, we can identify malware requests without training a malware model.
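As an added illustration (not the authors' code and not their exact algorithm, whose details are in the paper), the following Python sketch shows the kind of graph-then-filter reasoning the abstract describes: requests are linked to their parent by the Referer header, anything that hangs off a browsing tree is discarded, and the isolated requests that remain are checked for periodic repetition to the same host and path. The proxy log lines are constructed, and the periodicity thresholds are assumptions chosen for the example.

```python
"""Toy Web request graph filter, added as an illustration of the idea in
the abstract. Not the paper's code or its exact method. The log below is
constructed; the Referer linking and the beacon heuristic are assumptions."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log: (t_seconds, url, referer_or_None, content_type)
LOG = [
    (0, "http://news.example/index.html", None, "text/html"),
    (1, "http://news.example/style.css", "http://news.example/index.html", "text/css"),
    (1, "http://cdn.example/app.js", "http://news.example/index.html", "application/javascript"),
    (2, "http://ads.example/track?id=1", "http://news.example/index.html", "image/gif"),
    (30, "http://news.example/story/42", "http://news.example/index.html", "text/html"),
    (31, "http://cdn.example/img/42.jpg", "http://news.example/story/42", "image/jpeg"),
    # A one-off request with no Referer: isolated, but not periodic
    (40, "http://ocsp.example/check", None, "application/ocsp-response"),
    # Beaconing: no Referer, never spawns a child request, fixed period
    (5, "http://update.example/ping.php?h=a1", None, "text/plain"),
    (65, "http://update.example/ping.php?h=a1", None, "text/plain"),
    (125, "http://update.example/ping.php?h=a1", None, "text/plain"),
    (185, "http://update.example/ping.php?h=a1", None, "text/plain"),
]


def build_graph(log):
    """Link each request to its parent: the most recent earlier request whose URL
    equals this request's Referer. Returns (parents, children) keyed by log index."""
    by_url = defaultdict(list)
    parents = {}
    children = defaultdict(list)
    for i, (t, url, ref, _ctype) in enumerate(log):
        parent = None
        if ref is not None:
            for j in reversed(by_url.get(ref, [])):
                if log[j][0] <= t:
                    parent = j
                    break
        parents[i] = parent
        if parent is not None:
            children[parent].append(i)
        by_url[url].append(i)
    return parents, children


def orphan_requests(log):
    """Filter away everything explained by browsing: a request that carries a
    Referer (it was embedded in or clicked from a page) or that has children
    (it is a page that triggered further loads). What remains is isolated."""
    _parents, children = build_graph(log)
    return [
        log[i] for i in range(len(log))
        if log[i][2] is None and not children.get(i)
    ]


def find_beacons(orphans, min_count=3, max_jitter=0.25):
    """Assumed heuristic: group isolated requests by host and path and flag groups
    that recur at a near-constant interval (relative jitter <= max_jitter)."""
    groups = defaultdict(list)
    for t, url, _ref, _ctype in orphans:
        u = urlsplit(url)
        groups[(u.hostname, u.path)].append(t)
    flagged = []
    for (host, path), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        jitter = max(abs(g - mean) for g in gaps) / mean
        if jitter <= max_jitter:
            flagged.append({"host": host, "path": path,
                            "count": len(times), "period_s": mean})
    return flagged


def detect(log):
    """Sort by time, drop browsing-attached nodes, report periodic leftovers."""
    log = sorted(log, key=lambda r: r[0])
    return find_beacons(orphan_requests(log))


if __name__ == "__main__":
    for hit in detect(LOG):
        print(f"candidate C&C: {hit['host']}{hit['path']} "
              f"x{hit['count']} every {hit['period_s']:.0f}s")
```

Everything attached to the `index.html` tree (stylesheet, script, tracker, the clicked story and its image) is discarded without any malware model; the OCSP check survives the filter but is not periodic, so only the `ping.php` beacon is reported. A real deployment would need the paper's actual click-detection and dependency rules rather than this Referer-only toy.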

We evaluated our approach on real Web traces and show that it can detect the C&C requests of nine APTs with a true positive rate of 99.5–100% and a true negative rate of 99.5–99.7%. These APTs had been used against several hundred organizations for years without being detected.

BibTex

@inproceedings{lamprakis2017unsupervised,
	author = {Lamprakis, Pavlos and Dargenio, Ruggiero and Gugelmann, David and Lenders, Vincent and Happe, Markus and Vanbever, Laurent},
	title = {Unsupervised Detection of {APT} {C\&C} Channels using Web Request Graphs},
	booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment},
	series = {Lecture Notes in Computer Science},
	abbrev_source_title = {LNCS},
	volume = {10327},
	pages = {366--387},
	year = {2017},
	publisher = {Springer},
	address = {Cham},
	doi = {10.1007/978-3-319-60876-1_17},
	isbn = {978-3-319-60875-4},
	issn = {0302-9743},
	type = {Conference Paper},
	language = {en},
	keywords = {Malware detection; Web request graph; Command and control channel; Click detection; Graph analysis; Advanced persistent threat},
	note = {14th Conference on Detection of Intrusions and Malware \& Vulnerability Assessment (DIMVA 2017); Conference Location: Bonn, Germany; Conference Date: July 6-7, 2017}
}

Research Collection: 20.500.11850/228527