Network trace signature matching is one reliable approach to detect active
Remote Control Trojan, (RAT). Compared to statistical-based detection of
malicious network traces in the face of known RATs, the signature-based method
can achieve more stable performance and thus more reliability. However, with
the development of encrypted technologies and disguise tricks, current methods
suffer inaccurate signature descriptions and inflexible matching mechanisms. In
this paper, we propose to tackle above problems by presenting MBTree, an
approach to detect encryption RATs Command and Control (C&C) communication
based on host-level network trace behavior. MBTree first models the RAT network
behaviors as the malicious set by automatically building the multiple level
tree, MLTree from distinctive network traces of each sample. Then, MBTree
employs a detection algorithm to detect malicious network traces that are
similar to any MLTrees in the malicious set. To illustrate the effectiveness of
our proposed method, we adopt theoretical analysis of MBTree from the
probability perspective. In addition, we have implemented MBTree to evaluate it
on five datasets which are reorganized in a sophisticated manner for
comprehensive assessment. The experimental results demonstrate the accurate and
robust of MBTree, especially in the face of new emerging benign applications.

By admin