On the Security of Machine Learning in Malware C&C Detection: A Survey

Published: 13 December 2016

Abstract

One of the main challenges in security today is defending against malware attacks. As trends and anecdotal evidence show, preventing these attacks, regardless of their indiscriminate or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organizations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and are essential for the successful progression of the attack. In particular, several approaches and techniques have been proposed to identify the command and control (C&C) channel that a compromised system establishes to communicate with its controller.

A major oversight of many of these detection techniques is the design’s resilience to evasion attempts by the well-motivated attacker. C&C detection techniques make widespread use of a machine learning (ML) component. Therefore, to analyze the evasion resilience of these detection techniques, we first systematize works in the field of C&C detection and then, using existing models from the literature, go on to systematize attacks against the ML components used in these approaches.



Published in

ACM Computing Surveys, Volume 49, Issue 3, September 2017, 658 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2988524
Editor: Sartaj Sahni

Copyright © 2016 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 13 December 2016
• Accepted: 1 September 2016
• Revised: 1 August 2016
• Received: 1 July 2015

Qualifiers

• survey
• Research
• Refereed