On the Security of Machine Learning in Malware C&C Detection: A Survey

Published: 13 December 2016

Abstract

One of the main challenges in security today is defending against malware attacks. As trends and anecdotal evidence show, preventing these attacks, regardless of their indiscriminate or targeted nature, has proven difficult: intrusions happen and devices get compromised, even at security-conscious organizations. As a consequence, an alternative line of work has focused on detecting and disrupting the individual steps that follow an initial compromise and are essential for the successful progression of the attack. In particular, several approaches and techniques have been proposed to identify the command and control (C&C) channel that a compromised system establishes to communicate with its controller.
A major oversight of many of these detection techniques is the design’s resilience to evasion attempts by the well-motivated attacker. C&C detection techniques make widespread use of a machine learning (ML) component. Therefore, to analyze the evasion resilience of these detection techniques, we first systematize works in the field of C&C detection and then, using existing models from the literature, go on to systematize attacks against the ML components used in these approaches.



Published In

ACM Computing Surveys, Volume 49, Issue 3
September 2017
658 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/2988524
Editor: Sartaj Sahni

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 13 December 2016
Accepted: 01 September 2016
Revised: 01 August 2016
Received: 01 July 2015
Published in CSUR Volume 49, Issue 3

Author Tags

  1. Command and control channels
  2. botnets
  3. data mining
  4. machine learning
  5. network intrusion

Qualifiers

  • Survey
  • Research
  • Refereed

Funding Sources

  • EPSRC BACCHUS RASE project

Cited By

  • Adapting to Evasive Tactics through Resilient Adversarial Machine Learning for Malware Detection. 2024 11th International Conference on Computing for Sustainable Global Development (INDIACom), 1735--1741, 28 February 2024. DOI: 10.23919/INDIACom61295.2024.10498313
  • Adversarial examples: A survey of attacks and defenses in deep learning-enabled cybersecurity systems. Expert Systems with Applications 238, 122223, March 2024. DOI: 10.1016/j.eswa.2023.122223
  • Simulating all archetypes of SQL injection vulnerability exploitation using reinforcement learning agents. International Journal of Information Security 23, 1, 225--246, 1 February 2024. DOI: 10.1007/s10207-023-00738-3
  • Cybersecurity for AI Systems: A Survey. Journal of Cybersecurity and Privacy 3, 2, 166--190, 4 May 2023. DOI: 10.3390/jcp3020010
  • Malicious Activities Prediction Over Online Social Networking Using Ensemble Model. Intelligent Automation & Soft Computing 36, 1, 461--479, 2023. DOI: 10.32604/iasc.2023.028650
  • The Role of Machine Learning in Cybersecurity. Digital Threats: Research and Practice 4, 1, 1--38, 7 March 2023. DOI: 10.1145/3545574
  • Mitigating Adversarial Gray-Box Attacks Against Phishing Detectors. IEEE Transactions on Dependable and Secure Computing 20, 5, 3753--3769, 1 September 2023. DOI: 10.1109/TDSC.2022.3210029
  • Exploring A Novel Data Augmentation Strategy for Enhanced In-Vehicle Security Analysis. 2023 5th International Conference on Sustainable Technologies for Industry 5.0 (STI), 1--6, 9 December 2023. DOI: 10.1109/STI59863.2023.10464407
  • Detecting Stealthy Cobalt Strike C&C Activities via Multi-Flow based Machine Learning. 2023 International Conference on Machine Learning and Applications (ICMLA), 2200--2206, 15 December 2023. DOI: 10.1109/ICMLA58977.2023.00332
  • PMGN Data Augmentation: Pioneering Imbalance Correction in Security Data Analysis. 2023 International Conference on Information and Communication Technology for Sustainable Development (ICICT4SD), 421--425, 21 September 2023. DOI: 10.1109/ICICT4SD59951.2023.10303517
