Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 

Machine learning detection of cloud services abuse as C&C Infrastructure

Al lelah, Turki, Theodorakopoulos, George ORCID: https://orcid.org/0000-0003-2701-7809, Javed, Amir ORCID: https://orcid.org/0000-0001-9761-0945 and Anthi, Eirini 2023. Machine learning detection of cloud services abuse as C&C Infrastructure. Journal of Cybersecurity and Privacy 3 (4) , pp. 858-881. 10.3390/jcp3040039

PDF - Published Version
Available under License Creative Commons Attribution.


Abstract

The proliferation of cloud and public legitimate services (CLS) on a global scale has resulted in increasingly sophisticated malware attacks that abuse these services as command-and-control (C&C) communication channels. Conventional security solutions are inadequate for detecting malicious C&C traffic because it blends with legitimate traffic. This motivates the development of advanced detection techniques. We make the following contributions. First, we introduce a novel labeled dataset that serves as a resource for training and evaluating techniques aimed at identifying malicious bots that abuse CLS as C&C channels. Second, we tailor our feature engineering to behaviors indicative of CLS abuse, such as connections to known CLS domains and potential C&C API calls. Third, to identify the most relevant features, we introduce a custom feature elimination (CFE) method designed to determine the exact number of features needed for filter selection approaches. Fourth, our approach uses both static and derivative features of Portable Executable (PE) files. After evaluating various machine learning (ML) classifiers, the random forest emerges as the most effective, achieving a 98.26% detection rate. Fifth, we introduce the “Replace Misclassified Parameter (RMCP)” adversarial attack, a white-box strategy designed to evaluate the robustness of our detector. The RMCP attack modifies feature values in malicious samples so that they resemble benign samples, bypassing the ML model’s classification while preserving the malware’s malicious capabilities. Under this attack, our proposed method maintains an accuracy of 84%. In sum, our comprehensive approach offers a robust solution to the growing threat of malware abusing CLS as C&C infrastructure.
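The following is an added illustration of the pipeline the abstract describes, not code from the paper, its dataset, or its authors: static string features of a PE image tied to CLS abuse (known CLS domains, networking imports, embedded URLs and bot tokens), a small forest of greedy decision trees standing in for the paper's random forest, and a greedy feature-replacement attack in the spirit of RMCP. The domain and API watchlists, the byte blobs standing in for PE files, the training rows, the fixed per-tree feature subsets, and the assumption that an attacker can hide string-level features but must keep the networking imports are all constructed for this example; the function rmcp_style_attack is this example's own, not the paper's algorithm.

```python
import re
from fractions import Fraction

# Constructed watchlists for this example (not the paper's feature lists): cloud/legitimate
# services a bot may abuse as a C&C channel, and Win32 imports it needs to reach them.
CLS_DOMAINS = ("api.telegram.org", "discord.com", "pastebin.com", "dropbox.com", "github.com")
NET_APIS = ("InternetOpenUrlA", "InternetReadFile", "HttpSendRequestA", "WinHttpOpenRequest")
FEATURES = ("cls_domains", "net_apis", "https_urls", "bot_tokens")

def featurize(blob):
    """Static string features of a PE image that hint at CLS abuse (constructed feature set)."""
    strings = [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{4,}", blob)]
    text = "\n".join(strings)
    return {"cls_domains": sum(text.count(d) for d in CLS_DOMAINS),
            "net_apis": sum(1 for s in strings if s in NET_APIS),
            "https_urls": len(re.findall(r"https?://", text)),
            "bot_tokens": len(re.findall(r"/bot\d{6,}:[A-Za-z0-9_-]{20,}", text))}  # Telegram-style

# Constructed byte blobs standing in for PE files (only the embedded strings matter here).
MALICIOUS_BLOB = (b"MZ\x90\x00This program cannot be run in DOS mode.\x00WININET.dll\x00"
                  b"InternetOpenUrlA\x00InternetReadFile\x00HttpSendRequestA\x00"
                  b"https://api.telegram.org/bot123456789:AAHxExampleTokenValue_0123456789abc/getUpdates\x00"
                  b"https://api.telegram.org/bot123456789:AAHxExampleTokenValue_0123456789abc/sendDocument\x00"
                  b"https://pastebin.com/raw/cfgxyz\x00")
BENIGN_BLOB = (b"MZ\x90\x00This program cannot be run in DOS mode.\x00KERNEL32.dll\x00CreateFileW\x00"
               b"WININET.dll\x00InternetOpenUrlA\x00https://github.com/example/tool/releases/latest\x00")

# Constructed training rows (not the paper's dataset); label 1 = bot abusing CLS, 0 = benign.
_ROWS = [((0, 0, 0, 0), 0), ((1, 1, 1, 0), 0), ((0, 2, 2, 0), 0), ((1, 0, 1, 0), 0),
         ((3, 3, 3, 1), 1), ((2, 4, 2, 1), 1), ((4, 2, 4, 0), 1), ((2, 3, 1, 1), 1)]
TRAIN = [(dict(zip(FEATURES, values)), label) for values, label in _ROWS]
# Fixed feature subsets per tree: a reproducible stand-in for random-forest feature sampling.
FEATURE_SUBSETS = [("cls_domains", "net_apis"), ("https_urls", "bot_tokens"),
                   ("cls_domains", "bot_tokens"), ("net_apis", "https_urls")]

def gini(labels):
    p = Fraction(sum(labels), len(labels))  # exact arithmetic keeps split ties deterministic
    return 1 - p * p - (1 - p) * (1 - p)

def best_split(rows, labels, feats):
    best = None  # (impurity, feature, threshold, left indices, right indices)
    for f in feats:
        for t in sorted({r[f] for r in rows}):
            left = [i for i, r in enumerate(rows) if r[f] <= t]
            right = [i for i, r in enumerate(rows) if r[f] > t]
            if not left or not right:
                continue
            score = (len(left) * gini([labels[i] for i in left])
                     + len(right) * gini([labels[i] for i in right])) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, t, left, right)
    return best

def build_tree(rows, labels, feats, depth):
    # Greedy CART-style tree; leaves carry the majority label, ties resolve to malicious.
    leaf = int(2 * sum(labels) >= len(labels))
    split = None if depth == 0 or len(set(labels)) == 1 else best_split(rows, labels, feats)
    if split is None:
        return leaf
    _, f, t, left, right = split
    return (f, t, build_tree([rows[i] for i in left], [labels[i] for i in left], feats, depth - 1),
            build_tree([rows[i] for i in right], [labels[i] for i in right], feats, depth - 1))

def predict_tree(tree, x):
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree

def build_forest(train, feature_subsets, depth=2):
    rows, labels = [r for r, _ in train], [y for _, y in train]
    return [build_tree(rows, labels, feats, depth) for feats in feature_subsets]

def predict_forest(forest, x):
    votes = sum(predict_tree(t, x) for t in forest)
    return int(2 * votes >= len(forest))  # majority vote, ties flagged as malicious

def benign_profile(train):
    """Most benign-looking value per feature: the minimum seen over benign training rows."""
    benign = [r for r, y in train if y == 0]
    return {f: min(r[f] for r in benign) for f in FEATURES}

# Assumed attacker constraint: string-level features can be hidden by encoding the strings
# at rest, but the networking imports must stay or the bot can no longer reach its C&C.
MUTABLE = ("cls_domains", "https_urls", "bot_tokens")

def rmcp_style_attack(model, sample, profile, mutable=MUTABLE):
    """Greedy feature replacement in the spirit of RMCP (this example's own variant): overwrite
    one mutable feature at a time with the benign profile's value until the model stops flagging."""
    adv, replaced = dict(sample), []
    for f in mutable:
        if predict_forest(model, adv) == 0:
            break
        adv[f] = profile[f]
        replaced.append(f)
    return adv, replaced, predict_forest(model, adv)

if __name__ == "__main__":
    forest = build_forest(TRAIN, FEATURE_SUBSETS)
    single = build_forest(TRAIN, [FEATURES])  # one tree over all features, for contrast
    for name, model in (("single tree", single), ("forest", forest)):
        _, replaced, label = rmcp_style_attack(model, featurize(MALICIOUS_BLOB), benign_profile(TRAIN))
        print(f"{name}: evaded={label == 0} features replaced={replaced}")
```

Run stand-alone, the single tree keys entirely on the CLS-domain count, so hiding the domain strings alone evades it; the forest spreads its votes over more features and only flips after every mutable feature has been replaced, yet it still flips once they are. That is the practical reason to report accuracy under a feature-replacement attack alongside the clean-set detection rate, and why features an attacker cannot cheaply alter (here the imports the bot needs to talk to the service) deserve extra weight during feature selection.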

Item Type: Article
Date Type: Publication
Status: Published
Schools: Computer Science & Informatics
Publisher: MDPI
ISSN: 2624-800X
Date of First Compliant Deposit: 7 December 2023
Date of Acceptance: 9 November 2023
Last Modified: 11 Dec 2023 11:00
URI: https://orca.cardiff.ac.uk/id/eprint/164596
