Tweaking Metasploit to Evade Encrypted C2 Traffic Detection
- URL: http://arxiv.org/abs/2209.00943v1
- Date: Fri, 2 Sep 2022 10:56:15 GMT
- Title: Tweaking Metasploit to Evade Encrypted C2 Traffic Detection
- Authors: Gonçalo Xavier, Carlos Novo, Ricardo Morla
- Abstract summary: Command and Control (C2) communication is a key component of any structured cyber-attack.
Pentesting tools, such as Metasploit, generate constant traffic patterns that are easily distinguishable from regular web traffic.
We show that a machine learning-based detector is able to detect the presence of such traffic with high accuracy, even when encrypted.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Command and Control (C2) communication is a key component of any structured
cyber-attack. As such, security operations actively try to detect this type of
communication in their networks. This poses a problem for legitimate pentesters
that try to remain undetected, since commonly used pentesting tools, such as
Metasploit, generate constant traffic patterns that are easily distinguishable
from regular web traffic. In this paper we start with these identifiable
patterns in Metasploit's C2 traffic and show that a machine learning-based
detector is able to detect the presence of such traffic with high accuracy,
even when encrypted. We then outline and implement a set of modifications to
the Metasploit framework in order to decrease the detection rate of such a
classifier. To evaluate the performance of these modifications, we use two
threat models with increasing awareness of these modifications. We look at the
detection evasion performance and at the byte count and runtime overhead of the
modifications. Our results show that for the second, increased-awareness threat
model the framework-side traffic modifications yield a better detection
avoidance rate (90%) than payload-side only modifications (50%). We also show
that although the modifications use up to 3 times more TLS payload bytes than
the original, the runtime does not significantly change and the total number of
bytes (including TLS payload) decreases.
Related papers
- PARIS: A Practical, Adaptive Trace-Fetching and Real-Time Malicious Behavior Detection System [6.068607290592521]
We propose an adaptive trace-fetching, lightweight, real-time malicious behavior detection system.
Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks.
As a result, we can monitor a wider range of APIs and detect more intricate attack behavior.
arXiv (2024-11-02T14:52:04Z)
- Revolutionizing Payload Inspection: A Self-Supervised Journey to Precision with Few Shots [0.0]
Traditional security measures are inadequate against the sophistication of modern cyber attacks.
Deep Packet Inspection (DPI) has been pivotal in enhancing network security.
The integration of advanced deep learning techniques with DPI has introduced modern methodologies into malware detection.
arXiv (2024-09-26T18:55:52Z)
- A Transformer-Based Framework for Payload Malware Detection and Classification [0.0]
Techniques such as Deep Packet Inspection (DPI) have been introduced to allow IDSs to analyze the content of network packets.
In this paper, we propose a revolutionary DPI algorithm based on transformers adapted for the purpose of detecting malicious traffic.
arXiv (2024-03-27T03:25:45Z)
- ELGC-Net: Efficient Local-Global Context Aggregation for Remote Sensing Change Detection [65.59969454655996]
We propose an efficient change detection framework, ELGC-Net, which leverages rich contextual information to precisely estimate change regions.
Our proposed ELGC-Net sets a new state-of-the-art performance in remote sensing change detection benchmarks.
We also introduce ELGC-Net-LW, a lighter variant with significantly reduced computational complexity, suitable for resource-constrained settings.
arXiv (2024-03-26T17:46:25Z)
- Cal-DETR: Calibrated Detection Transformer [67.75361289429013]
We propose a mechanism for calibrated detection transformers (Cal-DETR), particularly for Deformable-DETR, UP-DETR and DINO.
We develop an uncertainty-guided logit modulation mechanism that leverages the uncertainty to modulate the class logits.
Results corroborate the effectiveness of Cal-DETR against the competing train-time methods in calibrating both in-domain and out-domain detections.
arXiv (2023-11-06T22:13:10Z)
- An Extendable, Efficient and Effective Transformer-based Object Detector [95.06044204961009]
We integrate Vision and Detection Transformers (ViDT) to construct an effective and efficient object detector.
ViDT introduces a reconfigured attention module to extend the recent Swin Transformer to be a standalone object detector.
We extend it to ViDT+ to support joint-task learning for object detection and instance segmentation.
arXiv (2022-04-17T09:27:45Z)
- Detecting Message Modification Attacks on the CAN Bus with Temporal Convolutional Networks [0.3441021278275805]
We present a novel machine learning-based intrusion detection method for CAN networks.
Our proposed temporal convolutional network-based solution can learn the normal behavior of CAN signals and differentiate them from malicious ones.
arXiv (2021-06-16T10:51:58Z)
- DoS and DDoS Mitigation Using Variational Autoencoders [15.23225419183423]
We explore the potential of Variational Autoencoders to serve as a component within an intelligent security solution.
Two methods based on the ability of Variational Autoencoders to learn latent representations from network traffic flows are proposed.
arXiv (2021-05-14T15:38:40Z)
- Robust and Accurate Object Detection via Adversarial Learning [111.36192453882195]
This work augments the fine-tuning stage for object detectors by exploring adversarial examples.
Our approach boosts the performance of state-of-the-art EfficientDets by +1.1 mAP on the object detection benchmark.
arXiv (2021-03-23T19:45:26Z)
- D-Unet: A Dual-encoder U-Net for Image Splicing Forgery Detection and Localization [108.8592577019391]
Image splicing forgery detection is a global binary classification task that distinguishes the tampered and non-tampered regions by image fingerprints.
We propose a novel network called dual-encoder U-Net (D-Unet) for image splicing forgery detection, which employs an unfixed encoder and a fixed encoder.
In an experimental comparison study of D-Unet and state-of-the-art methods, D-Unet outperformed the other methods in image-level and pixel-level detection.
arXiv (2020-12-03T10:54:02Z)
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
We develop a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes three novel attacks.
These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
arXiv (2020-08-17T07:16:57Z)
This list is automatically generated from the titles and abstracts of the papers in this site.