MBTree: Detecting Encryption RAT Communication Using Malicious Behavior Tree
Cong Dong, Zhigang Lu, Zelin Cui, Baoxu Liu, Kai Chen

TL;DR
MBTree is a host-level network trace behavior-based method that models malicious RAT communication as a tree structure and detects encrypted C&C traffic with high accuracy and robustness, even against new benign applications.
Contribution
The paper introduces MBTree, a novel tree-based signature method for detecting encrypted RAT C&C communication at the host level, addressing limitations of existing signature-based approaches.
Findings
MBTree achieves high detection accuracy on multiple datasets.
The method is robust against encryption and disguise tricks.
Theoretical analysis supports the effectiveness of MBTree.
Abstract
Network trace signature matching is one reliable approach to detect an active Remote Control Trojan (RAT). Compared to statistics-based detection of malicious network traces, the signature-based method achieves more stable performance against known RATs and is therefore more reliable. However, with the development of encryption technologies and disguise tricks, current methods suffer from inaccurate signature descriptions and inflexible matching mechanisms. In this paper, we propose to tackle the above problems by presenting MBTree, an approach to detect the Command and Control (C&C) communication of encrypted RATs based on host-level network trace behavior. MBTree first models the RAT network behaviors as the malicious set by automatically building a multiple-level tree (MLTree) from the distinctive network traces of each sample. Then, MBTree employs a detection algorithm to detect malicious network…
Peer Reviews
No public reviews on file for this paper yet.
Videos
No videos yet.
