Detecting APT Malware Command and Control over HTTP(S) Using Contextual Summaries
Almuthanna Alageel, Sergio Maffeis, Imperial College London

TL;DR
EarlyCrow is a novel detection system that uses contextual summaries and a new network flow format to identify APT malware C&C communications over HTTP(S), achieving high accuracy and low false positives.
Contribution
It introduces EarlyCrow, a new approach utilizing contextual summaries and PairFlow format to improve APT detection over encrypted traffic.
Findings
Achieved a macro average F1-score of 93.02%.
Maintained a false positive rate of 0.74%.
Effectively detects unseen APT campaigns.
Abstract
Advanced Persistent Threats (APTs) are among the most sophisticated threats facing critical organizations worldwide. APTs employ specific tactics, techniques, and procedures (TTPs) which make them difficult to detect in comparison to frequent and aggressive attacks. In fact, current network intrusion detection systems struggle to detect APT communications, allowing such threats to persist unnoticed on victims' machines for months or even years. In this paper, we present EarlyCrow, an approach to detect APT malware command and control over HTTP(S) using contextual summaries. The design of EarlyCrow is informed by a novel threat model focused on TTPs present in traffic generated by tools recently used as part of APT campaigns. The threat model highlights the importance of the context around the malicious connections, and suggests traffic attributes which help APT detection. EarlyCrow…
