Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem, and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely-adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices.Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in repor

Automatic Detection of Malware-Generated Domains with Recurrent Neural Models

Modern malware families often rely on domain-generation algorithms (DGAs) to determine rendezvous points to their command-and-control server. Traditional defence strategies (such as blacklisting domains or IP addresses) are inadequate against such techniques due to the large and continuously changing list of domains produced by these algorithms. This paper demonstrates that a machine learning approach based on recurrent neural networks is able to detect domain names generated by DGAs with high precision. The neural models are estimated on a large training set of domains generated by various malwares. Experimental results show that this data-driven approach can detect malware-generated domain names with a F_1 score of 0.971. To put it differently, the model can automatically detect 93 % of malware-generated domain names for a false positive rate of 1:100.Comment: Submitted to NISK 201

Malicious botnet survivability mechanism evolution forecasting by means of a genetic algorithm

Botnets are considered to be among the most dangerous modern malware types and the biggest current threats to global IT infrastructure. Botnets are rapidly evolving, and therefore forecasting their survivability strategies is important for the development of countermeasure techniques. The article propose the botnet-oriented genetic algorithm based model framework, which aimed at forecasting botnet survivability mechanisms. The model may be used as a framework for forecasting the evolution of other characteristics. The efficiency of different survivability mechanisms is evaluated by applying the proposed fitness function. The model application area also covers scientific botnet research and modelling tasks. Article in English. Kenkėjiškų botnet tinklų išgyvenamumo mechanizmų evoliucijos prognozavimas genetinio algoritmo priemonėmis Santrauka. Botnet tinklai pripažįstami kaip vieni pavojingiausių šiuolaikinių kenksmingų programų ir vertinami kaip viena iš didžiausių grėsmių tarptautinei IT infrastruktūrai. Botnettinklai greitai evoliucionuoja, todėl jų savisaugos mechanizmų evoliucijos prognozavimas yra svarbus planuojant ir kuriant kontrpriemones. Šiame straipsnyje pateikiamas genetiniu algoritmu pagrįstas modelis, skirtas Botnet tinklų savisaugos mechanizmų evoliucijai prognozuoti, kuris taip pat gali būti naudojamas kaip pagrindas kitų Botnet tinklų savybių evoliucijai modeliuoti. Skirtingi savisaugos mechanizmai vertinami taikant siūlomą tinkamumo funkciją. Raktiniai žodžiai: Botnet; genetinis algoritmas; prognozė; savisauga; evoliucija; modeli

Taking Back the Internet: Defeating DDoS and Adverse Network Conditions via Reactive BGP Routing

In this work, we present Nyx, a system for mitigating Distributed Denial of Service (DDoS) attacks by routing critical traffic from known benign networks around links under attack from a massively distributed botnet. Nyx alters how Autonomous Systems (ASes) handle route selection and advertisement in the Border Gateway Protocol (BGP) in order to achieve isolation of critical traffic away from congested links onto alternative, less congested paths. Our system controls outbound paths through the normal process of BGP path selection, while return paths from critical ASes are controlled through the use of existing traffic engineering techniques. To prevent alternative paths from including attacked network links, Nyx employs strategic lying in a manner that is functional in the presence of RPKI. Our system only exposes the alternate path to the networks needed for forwarding and those networks\u27 customer cones, thus strategically reducing the number of ASes outside of the critical AS that receive the alternative path. By leaving the path taken by malicious traffic unchanged and limiting the amount of added traffic load placed on the alternate path, our system causes less than 10 ASes on average to be disturbed by our inbound traffic migration.Nyx is the first system that scalably and effectively mitigates transit-link DDoS attacks that cannot be handled by existing and costly traffic filtering or prioritization techniques. Unlike the prior state of the art, Nyx is highly deployable, requiring only minor changes to router policies at the deployer, and requires no assistance from external networks. Using our own Internet-scale simulator, we find that in more than 98% of cases our system can successfully migrate critical traffic off of the network segments under transit-link DDoS. In over 98% of cases, the alternate path provides some degree of relief over the original path. Finally, in over 70% of cases where Nyx can migrate critical traffic off attacked segments, the new path has sufficient capacity to handle the entire traffic load without congestion