Al lelah, Turki, Theodorakopoulos, George ORCID: https://orcid.org/0000-0003-2701-7809, Javed, Amir ORCID: https://orcid.org/0000-0001-9761-0945 and Anthi, Eirini 2023. Machine learning detection of cloud services abuse as C&C Infrastructure. Journal of Cybersecurity and Privacy 3 (4) , pp. 858-881. 10.3390/jcp3040039 |
Preview |
PDF
- Published Version
Available under License Creative Commons Attribution. Download (5MB) | Preview |
Abstract
The proliferation of cloud and public legitimate services (CLS) on a global scale has resulted in increasingly sophisticated malware attacks that abuse these services as command-and-control (C&C) communication channels. Conventional security solutions are inadequate for detecting malicious C&C traffic because it blends with legitimate traffic. This motivates the development of advanced detection techniques. We make the following contributions: First, we introduce a novel labeled dataset. This dataset serves as a valuable resource for training and evaluating detection techniques aimed at identifying malicious bots that abuse CLS as C&C channels. Second, we tailor our feature engineering to behaviors indicative of CLS abuse, such as connections to known CLS domains and potential C&C API calls. Third, to identify the most relevant features, we introduced a custom feature elimination (CFE) method designed to determine the exact number of features needed for filter selection approaches. Fourth, our approach focuses on both static and derivative features of Portable Executable (PE) files. After evaluating various machine learning (ML) classifiers, the random forest emerges as the most effective classifier, achieving a 98.26% detection rate. Fifth, we introduce the “Replace Misclassified Parameter (RMCP)” adversarial attack. This white-box strategy is designed to evaluate our system’s detection robustness. The RMCP attack modifies feature values in malicious samples to make them appear as benign samples, thereby bypassing the ML model’s classification while maintaining the malware’s malicious capabilities. The results of the robustness evaluation demonstrate that our proposed method successfully maintains a high accuracy level of 84%. In sum, our comprehensive approach offers a robust solution to the growing threat of malware abusing CLS as C&C infrastructure.
Item Type: | Article |
---|---|
Date Type: | Publication |
Status: | Published |
Schools: | Computer Science & Informatics |
Publisher: | MDPI |
ISSN: | 2624-800X |
Date of First Compliant Deposit: | 7 December 2023 |
Date of Acceptance: | 9 November 2023 |
Last Modified: | 11 Dec 2023 11:00 |
URI: | https://orca.cardiff.ac.uk/id/eprint/164596 |
Actions (repository staff only)
Edit Item |