Flow-based detection and proxy-based evasion of encrypted malware C2 traffic

by   Carlos Novo, et al.

State of the art deep learning techniques are known to be vulnerable to evasion attacks where an adversarial sample is generated from a malign sample and misclassified as benign. Detection of encrypted malware command and control traffic based on TCP/IP flow features can be framed as a learning task and is thus vulnerable to evasion attacks. However, unlike e.g. in image processing where generated adversarial samples can be directly mapped to images, going from flow features to actual TCP/IP packets requires crafting the sequence of packets, with no established approach for such crafting and a limitation on the set of modifiable features that such crafting allows. In this paper we discuss learning and evasion consequences of the gap between generated and crafted adversarial samples. We exemplify with a deep neural network detector trained on a public C2 traffic dataset, white-box adversarial learning, and a proxy-based approach for crafting longer flows. Our results show 1) the high evasion rate obtained by using generated adversarial samples on the detector can be significantly reduced when using crafted adversarial samples; 2) robustness against adversarial samples by model hardening varies according to the crafting approach and corresponding set of modifiable features that the attack allows for; 3) incrementally training hardened models with adversarial samples can produce a level playing field where no detector is best against all attacks and no attack is best against all detectors, in a given set of attacks and detectors. To the best of our knowledge this is the first time that level playing field feature set- and iteration-hardening are analyzed in encrypted C2 malware traffic detection.


page 1

page 2

page 3

page 4


Unsupervised Detection and Clustering of Malicious TLS Flows

Malware abuses TLS to encrypt its malicious traffic, preventing examinat...

Query-Free Evasion Attacks Against Machine Learning-Based Malware Detectors with Generative Adversarial Networks

Malware detectors based on machine learning (ML) have been shown to be s...

Can't Boil This Frog: Robustness of Online-Trained Autoencoder-Based Anomaly Detectors to Adversarial Poisoning Attacks

In recent years, a variety of effective neural network-based methods for...

Learning detectors of malicious web requests for intrusion detection in network traffic

This paper proposes a generic classification system designed to detect s...

Making DeepFakes more spurious: evading deep face forgery detection via trace removal attack

DeepFakes are raising significant social concerns. Although various Deep...

Liuer Mihou: A Practical Framework for Generating and Evaluating Grey-box Adversarial Attacks against NIDS

Due to its high expressiveness and speed, Deep Learning (DL) has become ...

MalFox: Camouflaged Adversarial Malware Example Generation Based on C-GANs Against Black-Box Detectors

Deep learning is a thriving field currently stuffed with many practical ...

Please sign up or login with your details

Forgot password? Click here to reset