Recent stealth attacks conceal malicious behavior behind seemingly ordinary connections to popular online services, made by seemingly harmless applications. These attacks are not detectable via traditional network monitoring or signature-based detection techniques, since attackers often host their C&C servers with well-known cloud vendors so that the anomalous traffic appears normal. In this paper, we propose an application-level monitoring system named Anteater. Anteater generates a fine-grained profile of each benign program's network traffic behavior, describing the "expected" traffic for that program. By analyzing a program's network traffic against this profile, Anteater can quickly identify the IP addresses the program accesses abnormally and intercept those connections immediately. Anteater was evaluated on a real-world enterprise dataset containing over 400 million network traffic sessions. The evaluation results indicate that Anteater has a high detection rate for malware injection, with a true positive rate of 94.5% and a false positive rate of less than 0.1%.
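The following is an added, simplified illustration of the per-program profiling idea the abstract describes: build a baseline of each benign program's expected destinations from observed sessions, then flag a new connection that falls outside that program's profile even when the destination itself is a reputable cloud service. This is example code written for this page, not Anteater's implementation; the log format, the field names, the `Profile` structure and all sample records are constructed for the example, and the real system's profile is considerably richer than host and port sets.

```python
"""Per-program network baseline and deviation check (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed baseline records, one observed outbound session per line:
# process,dest_host,dest_port.  These stand in for sessions recorded while
# the listed programs were known to be benign.
BASELINE_LOG = """\
outlook.exe,outlook.office365.com,443
outlook.exe,outlook.office365.com,443
outlook.exe,login.microsoftonline.com,443
outlook.exe,smtp.office365.com,587
teams.exe,teams.microsoft.com,443
teams.exe,login.microsoftonline.com,443
"""

# Constructed candidate sessions to be judged against the profiles.
CANDIDATE_LOG = """\
outlook.exe,outlook.office365.com,443
outlook.exe,api.dropbox.com,443
teams.exe,login.microsoftonline.com,587
notepad.exe,drive.google.com,443
"""

Conn = Tuple[str, str, int]


@dataclass
class Profile:
    """Expected network behavior of one program (hypothetical structure)."""
    hosts: Set[str] = field(default_factory=set)
    ports: Set[int] = field(default_factory=set)
    sessions: int = 0


def parse_log(text: str) -> List[Conn]:
    """Parse 'process,host,port' lines; blank lines and '#' comments are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proc, host, port = (f.strip() for f in line.split(","))
        conns.append((proc.lower(), host.lower(), int(port)))
    return conns


def build_profiles(conns: List[Conn]) -> Dict[str, Profile]:
    """Aggregate observed sessions into one Profile per program."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for proc, host, port in conns:
        prof = profiles[proc]
        prof.hosts.add(host)
        prof.ports.add(port)
        prof.sessions += 1
    return dict(profiles)


def check(profiles: Dict[str, Profile], proc: str, host: str, port: int) -> List[str]:
    """Return the deviations of one session from its program's profile.

    An empty list means the session is within the expected behavior.  A
    program with no profile at all is itself a deviation: a benign program
    that never made outbound connections during baselining suddenly doing so
    is exactly the pattern that injected code produces.
    """
    prof = profiles.get(proc.lower())
    if prof is None:
        return ["no network profile for process"]
    reasons: List[str] = []
    if host.lower() not in prof.hosts:
        reasons.append("host not in profile")
    if port not in prof.ports:
        reasons.append("port not in profile")
    return reasons


def decide(reasons: List[str]) -> str:
    """Policy hook: block anything outside the profile, allow the rest."""
    return "block" if reasons else "allow"


def triage(profiles: Dict[str, Profile], log_text: str) -> List[Tuple[Conn, str, List[str]]]:
    """Judge every candidate session and return (session, verdict, reasons)."""
    return [
        (c, decide(check(profiles, *c)), check(profiles, *c))
        for c in parse_log(log_text)
    ]


if __name__ == "__main__":
    profiles = build_profiles(parse_log(BASELINE_LOG))
    for conn, verdict, reasons in triage(profiles, CANDIDATE_LOG):
        print(f"{verdict:5s} {conn[0]:12s} -> {conn[1]}:{conn[2]}  {reasons}")
```

The second candidate is the case the abstract is about: `outlook.exe` reaching a popular, reputable cloud service. A destination reputation list or a network signature sees nothing wrong with `api.dropbox.com`, but the per-program profile does, because that host was never part of Outlook's expected behavior. Keying the profile on the process alone is also what makes injection visible: injected code runs inside the legitimate process, so its identity is benign and only its destinations deviate.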