A key challenge for cybersecurity defense is detecting the communication traces of encrypted Remote Control Trojans (RATs). Previous studies in this area have either failed to handle encrypted content or failed to achieve stable performance across different environments. To tackle both problems, we present MBTree, a novel host-level, signature-based approach to detecting encrypted malicious traces. MBTree improves the representation of malicious behavior and the resulting detection ability by integrating multiple related traces with a corresponding similarity-based matching strategy. Compared with previous related studies, MBTree (i) characterizes different types of encrypted RATs more accurately; (ii) performs more robustly, especially when new benign applications appear in the test environment; (iii) can automatically create trace signatures when given pure C&C traffic. For evaluation, we collect the malicious traces generated by several well-known open-source RATs. These traces are combined in a carefully designed manner with other available datasets for a comprehensive assessment. The experimental results demonstrate that MBTree is more robust and precise in detecting malicious traces with low false-alarm rates, especially in the presence of newly emerging applications.
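To make the abstract's idea concrete, here is an added toy example (not MBTree's code or its actual design) of the general pattern it describes: deriving host-level trace signatures automatically from known C&C traffic, then matching newly observed connections against those signatures by similarity rather than exact equality, so that small variations in a RAT's beaconing still match while unrelated benign traffic does not. Representing a trace as the sequence of signed record lengths, using longest-common-subsequence similarity, the prefix length, the thresholds, and all sample traces are assumptions of this example.

```python
"""Toy trace-signature matching (constructed example, not the MBTree implementation).

A trace is the sequence of signed record lengths of one connection:
positive = client -> server, negative = server -> client. Encryption hides
payloads but leaves these lengths and directions visible.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Trace = List[int]


def lcs_length(a: Sequence[int], b: Sequence[int]) -> int:
    """Length of the longest common subsequence (standard O(|a|*|b|) DP)."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def similarity(a: Sequence[int], b: Sequence[int]) -> float:
    """LCS length normalized by the longer sequence, in [0, 1]."""
    if not a or not b:
        return 0.0
    return lcs_length(a, b) / max(len(a), len(b))


def build_signatures(cc_traces: Dict[str, List[Trace]], prefix_len: int = 8,
                     merge_threshold: float = 0.9) -> Dict[str, List[Trace]]:
    """Derive signatures from pure C&C traffic: keep the first prefix_len records of
    each trace and drop any prefix that is a near-duplicate of one already kept."""
    signatures: Dict[str, List[Trace]] = {}
    for family, traces in cc_traces.items():
        kept: List[Trace] = []
        for trace in traces:
            prefix = list(trace[:prefix_len])
            if not any(similarity(prefix, k) >= merge_threshold for k in kept):
                kept.append(prefix)
        signatures[family] = kept
    return signatures


def classify(trace: Trace, signatures: Dict[str, List[Trace]],
             threshold: float = 0.75) -> Tuple[Optional[str], float]:
    """Return (family, score) for the best-matching signature, or (None, score)
    when no signature reaches the similarity threshold."""
    best_family, best = None, 0.0
    for family, sigs in signatures.items():
        for sig in sigs:
            score = similarity(trace[:len(sig)], sig)
            if score > best:
                best_family, best = family, score
    return (best_family, best) if best >= threshold else (None, best)


# Constructed sample data: hypothetical RAT families and observed connections.
CC_TRAFFIC: Dict[str, List[Trace]] = {
    "rat-A": [
        [213, -1440, 82, -37, 37, -37, 69, -53, 37, -37],
        [213, -1440, 82, -37, 37, -37, 69, -53],        # near-duplicate, merged away
        [213, -1440, 82, -37, 37, -37, 85, -53, 37],    # variant, kept as a 2nd signature
    ],
    "rat-B": [[167, -1200, 51, -51, 120, -24, 120, -24, 120, -24]],
}

OBSERVED: Dict[str, Trace] = {
    "rat-A beacon":     [213, -1440, 82, -37, 37, -37, 69, -53, 37, -37, 37, -37],
    "rat-B with jitter": [167, -1200, 51, -51, 120, -24, 120, -31, 120, -24],
    "browser session":  [517, -1440, -1440, -1100, 126, -51, 780, -4200, 320, -2900],
    "new benign app":   [300, -1440, 64, -64, 64, -64, 64, -64],
}


def run_demo() -> Dict[str, Tuple[Optional[str], float]]:
    """Build signatures from the C&C traces and classify each observed connection."""
    signatures = build_signatures(CC_TRAFFIC)
    return {name: classify(trace, signatures) for name, trace in OBSERVED.items()}


if __name__ == "__main__":
    for name, (family, score) in run_demo().items():
        print(f"{name:18s} -> {family or 'benign':7s} (similarity {score:.3f})")
```

The merge step is what keeps the signature set small when the C&C corpus contains many near-identical connections, and the similarity threshold is the knob that trades tolerance to RAT variation against false alarms on benign applications the signatures were never trained on; in practice both values would be tuned on held-out benign traffic.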