Tweaking Metasploit to Evade Encrypted C2 Traffic Detection
- URL: http://arxiv.org/abs/2209.00943v1
- Date: Fri, 2 Sep 2022 10:56:15 GMT
- Title: Tweaking Metasploit to Evade Encrypted C2 Traffic Detection
- Authors: Gonçalo Xavier, Carlos Novo, Ricardo Morla
- Abstract summary: Command and Control (C2) communication is a key component of any structured cyber-attack.
Pentesting tools, such as Metasploit, generate constant traffic patterns that are easily distinguishable from regular web traffic.
We show that a machine learning-based detector is able to detect the presence of such traffic with high accuracy, even when encrypted.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Command and Control (C2) communication is a key component of any structured
cyber-attack. As such, security operations actively try to detect this type of
communication in their networks. This poses a problem for legitimate pentesters
that try to remain undetected, since commonly used pentesting tools, such as
Metasploit, generate constant traffic patterns that are easily distinguishable
from regular web traffic. In this paper we start with these identifiable
patterns in Metasploit's C2 traffic and show that a machine learning-based
detector is able to detect the presence of such traffic with high accuracy,
even when encrypted. We then outline and implement a set of modifications to
the Metasploit framework in order to decrease the detection rate of such a
classifier. To evaluate the performance of these modifications, we use two
threat models with increasing awareness of these modifications. We look at the
detection evasion performance and at the byte count and runtime overhead of the
modifications. Our results show that for the second, increased-awareness threat
model the framework-side traffic modifications yield a better detection
avoidance rate (90%) than payload-side only modifications (50%). We also show
that although the modifications use up to 3 times more TLS payload bytes than
the original, the runtime does not change significantly and the total number of
bytes (including TLS payload) decreases.
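The abstract's core point is that a detector needs no plaintext: the regularity of a beaconing C2 channel (fixed check-in period, fixed record size) survives TLS and shows up in flow metadata, and evasion means perturbing exactly those features at some byte cost. The following is an added illustration, not code from the paper or from Metasploit. Everything in it is an assumption for the sake of the example: the traffic is constructed synthetically, the three features and the nearest-centroid model stand in for the paper's (unspecified here) feature set and ML classifier, and the "jitter and pad" tweak is an illustrative modification, not the framework-side or payload-side changes the paper implemented.

```python
"""Added illustration (not the paper's code): a metadata-only beacon
detector over constructed TLS flow records (timestamp, record size), then
the same detector re-run after an assumed evasion tweak.  All flows below
are synthetic; features, model and tweak are illustrative stand-ins."""
import random
import statistics

FEATURE_KEYS = ("gap_cv", "size_cv", "distinct_ratio")


def beacon_flow(n=40, period=5.0, size=512, seed=1):
    """Constructed C2 check-ins: fixed period, fixed record size, tiny jitter."""
    rnd = random.Random(seed)
    t, pkts = 0.0, []
    for _ in range(n):
        t += period + rnd.uniform(-0.05, 0.05)
        pkts.append((t, size))
    return pkts


def web_flow(n=40, seed=2):
    """Constructed browsing: heavy-tailed gaps, widely varying record sizes."""
    rnd = random.Random(seed)
    t, pkts = 0.0, []
    for _ in range(n):
        t += rnd.expovariate(1.0 / 3.0)
        pkts.append((t, rnd.choice((220, 340, 900, 1460, 2900, 5100))))
    return pkts


def features(pkts):
    """Regularity features computable on encrypted traffic: coefficient of
    variation of inter-record gaps and of record sizes, plus the fraction of
    distinct sizes.  A textbook beacon scores near zero on all three."""
    gaps = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])]
    sizes = [s for _, s in pkts]
    return {
        "gap_cv": statistics.pstdev(gaps) / statistics.mean(gaps),
        "size_cv": statistics.pstdev(sizes) / statistics.mean(sizes),
        "distinct_ratio": len(set(sizes)) / len(sizes),
    }


def train(labelled_flows):
    """Nearest-centroid classifier: one mean feature vector per label
    (a deliberately simple stand-in for the paper's ML detector)."""
    centroids = {}
    for label, flows in labelled_flows.items():
        vecs = [features(f) for f in flows]
        centroids[label] = [statistics.mean([v[k] for v in vecs]) for k in FEATURE_KEYS]
    return centroids


def predict(centroids, pkts):
    x = [features(pkts)[k] for k in FEATURE_KEYS]
    return min(centroids, key=lambda lab: sum((a - b) ** 2 for a, b in zip(x, centroids[lab])))


def detection_rate(centroids, flows, label="c2"):
    return sum(predict(centroids, f) == label for f in flows) / len(flows)


def jitter_and_pad(pkts, pads=(0, 400, 950, 1900), seed=3):
    """Assumed evasion tweak (not one of the paper's modifications): draw each
    check-in gap from a heavy-tailed distribution with the same mean period,
    and pad every record by a random amount so sizes stop being constant.
    The padding is the byte-count price of the evasion."""
    rnd = random.Random(seed)
    period = statistics.mean([b[0] - a[0] for a, b in zip(pkts, pkts[1:])])
    t, out = 0.0, []
    for _, size in pkts:
        t += rnd.expovariate(1.0 / period)
        out.append((t, size + rnd.choice(pads)))
    return out


def payload_overhead(original, tweaked):
    """Ratio of TLS payload bytes after/before the tweak."""
    return sum(s for _, s in tweaked) / sum(s for _, s in original)


def run_experiment():
    model = train({
        "c2": [beacon_flow(seed=s) for s in range(10, 20)],
        "web": [web_flow(seed=s) for s in range(20, 30)],
    })
    plain = [beacon_flow(seed=s) for s in range(30, 35)]
    tweaked = [jitter_and_pad(f, seed=s) for s, f in zip(range(30, 35), plain)]
    return {
        "plain_detection": detection_rate(model, plain),
        "tweaked_detection": detection_rate(model, tweaked),
        "overhead": statistics.mean([payload_overhead(p, q) for p, q in zip(plain, tweaked)]),
    }


if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value:.2f}")
```

Running it shows the two sides of the trade-off the abstract quantifies: the untouched beacons are classified as C2 every time, the jittered and padded ones are not, and the padding roughly doubles to triples the TLS payload bytes for the same number of check-ins. Note what this toy does not model: the paper's second threat model, where the detector is retrained with knowledge of the modifications, is exactly the case where such a simple tweak would lose its advantage, which is why the paper separates payload-side from framework-side changes.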
Related papers
- Hiding in Plain Sight: An IoT Traffic Camouflage Framework for Enhanced Privacy (2025-01-26)
Existing single-technique obfuscation methods, such as packet padding, often fall short in dynamic environments like smart homes.
This paper introduces a multi-technique obfuscation framework designed to enhance privacy by disrupting traffic analysis.
- CyberSentinel: Efficient Anomaly Detection in Programmable Switch using Knowledge Distillation (2024-12-21)
CyberSentinel is a high-throughput and accurate anomaly detection system deployed entirely in the programmable switch data plane.
To detect unseen network attacks, CyberSentinel uses a novel knowledge distillation scheme that incorporates "learned" knowledge of deep unsupervised ML models.
We implement a prototype of CyberSentinel on a testbed with an Intel Tofino switch and evaluate it on various real-world use cases.
- MIETT: Multi-Instance Encrypted Traffic Transformer for Encrypted Traffic Classification (2024-12-19)
Classifying traffic is essential for detecting security threats and optimizing network management.
We propose a Multi-Instance Encrypted Traffic Transformer (MIETT) to capture both token-level and packet-level relationships.
MIETT achieves results across five datasets, demonstrating its effectiveness in classifying encrypted traffic and understanding complex network behaviors.
- PARIS: A Practical, Adaptive Trace-Fetching and Real-Time Malicious Behavior Detection System (2024-11-02)
We propose an adaptive trace-fetching, lightweight, real-time malicious behavior detection system.
Specifically, we monitor malicious behavior with Event Tracing for Windows (ETW) and learn to selectively collect maliciousness-related APIs or call stacks.
As a result, we can monitor a wider range of APIs and detect more intricate attack behavior.
- A Transformer-Based Framework for Payload Malware Detection and Classification (2024-03-27)
Techniques such as Deep Packet Inspection (DPI) have been introduced to allow IDSs to analyze the content of network packets.
In this paper, we propose a DPI algorithm based on transformers adapted for the purpose of detecting malicious traffic.
- ELGC-Net: Efficient Local-Global Context Aggregation for Remote Sensing Change Detection (2024-03-26)
We propose an efficient change detection framework, ELGC-Net, which leverages rich contextual information to precisely estimate change regions.
Our proposed ELGC-Net sets a new state-of-the-art performance in remote sensing change detection benchmarks.
We also introduce ELGC-Net-LW, a lighter variant with significantly reduced computational complexity, suitable for resource-constrained settings.
- Cal-DETR: Calibrated Detection Transformer (2023-11-06)
We propose a mechanism for calibrated detection transformers (Cal-DETR), particularly for Deformable-DETR, UP-DETR and DINO.
We develop an uncertainty-guided logit modulation mechanism that leverages the uncertainty to modulate the class logits.
Results corroborate the effectiveness of Cal-DETR against the competing train-time methods in calibrating both in-domain and out-domain detections.
- An Extendable, Efficient and Effective Transformer-based Object Detector (2022-04-17)
We integrate Vision and Detection Transformers (ViDT) to construct an effective and efficient object detector.
ViDT introduces a reconfigured attention module to extend the recent Swin Transformer to be a standalone object detector.
We extend it to ViDT+ to support joint-task learning for object detection and instance segmentation.
- DoS and DDoS Mitigation Using Variational Autoencoders (2021-05-14)
We explore the potential of Variational Autoencoders to serve as a component within an intelligent security solution.
Two methods based on the ability of Variational Autoencoders to learn latent representations from network traffic flows are proposed.
- D-Unet: A Dual-encoder U-Net for Image Splicing Forgery Detection and Localization (2020-12-03)
Image splicing forgery detection is a global binary classification task that distinguishes the tampered and non-tampered regions by image fingerprints.
We propose a novel network called dual-encoder U-Net (D-Unet) for image splicing forgery detection, which employs an unfixed encoder and a fixed encoder.
In an experimental comparison study of D-Unet and state-of-the-art methods, D-Unet outperformed the other methods in image-level and pixel-level detection.
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection (2020-08-17)
Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes.
We develop a unifying framework that does not only encompass and generalize previous attacks against machine-learning models, but also includes three novel attacks.
These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.