Abstract
One of the main challenges in security today is defending against malware attacks. As trends and anecdotal evidence show, preventing these attacks, regardless of their indiscriminate or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organizations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and are essential for the successful progression of the attack. In particular, several approaches and techniques have been proposed to identify the command and control (C&C) channel that a compromised system establishes to communicate with its controller.
A major oversight in many of these detection techniques is that their design does not account for resilience to evasion attempts by a well-motivated attacker. C&C detection techniques make widespread use of a machine learning (ML) component. Therefore, to analyze the evasion resilience of these detection techniques, we first systematize works in the field of C&C detection and then, using existing models from the literature, go on to systematize attacks against the ML components used in these approaches.
On the Security of Machine Learning in Malware C&C Detection: A Survey