Imperial College London

Dr Sergio Maffeis

Faculty of Engineering, Department of Computing

Senior Lecturer
Contact

+44 (0)20 7594 8390
sergio.maffeis
Location

441 Huxley Building, South Kensington Campus

Publications

Citation

BibTex format

@inproceedings{Alageel:2021:10.1145/3412841.3442040,
author = {Alageel, A and Maffeis, S},
doi = {10.1145/3412841.3442040},
pages = {1664--1673},
publisher = {ACM},
title = {Hawk-Eye: holistic detection of APT command and control domains},
url = {http://dx.doi.org/10.1145/3412841.3442040},
year = {2021}
}

RIS format (EndNote, RefMan)

TY  - CPAPER
AB  - The high complexity and low volume of APT attacks has led to limited insight into their behavior and to a scarcity of data, hindering research on effective detection techniques. In this paper we present a comprehensive study of the usage of domains in the context of the Command and Control (C&C) infrastructure of APTs, covering 63 APT campaigns spanning the last 13 years. We discuss the APT threat model, focusing in particular on evasion techniques, and collect an extensive dataset for studying APT C&C domains. Based on the gained insight, we propose a number of novel features to detect APTs, leveraging both semantic properties of the domains themselves and structural properties of their DNS infrastructure. We build Hawk-Eye, a system to classify domain names extracted from PCAP files, and use it to evaluate the performance of the various features we studied, and compare them to malicious domain detection features from the literature. We find that a holistic approach combining selected orthogonal features achieves the best performance, with an F1-score of 98.53% and a FPR of 0.35%.
AU  - Alageel,A
AU  - Maffeis,S
DO  - 10.1145/3412841.3442040
EP  - 1673
PB  - ACM
PY  - 2021///
SP  - 1664
TI  - Hawk-Eye: holistic detection of APT command and control domains
UR  - http://dx.doi.org/10.1145/3412841.3442040
UR  - https://dl.acm.org/doi/10.1145/3412841.3442040
ER  -