Abstract
Cobalt Strike is the most prevalent attack tool abused by cyber-criminals to achieve command and control over victim hosts through HTTPS traffic. It appears in many ransomware and espionage attacks, threatening public privacy and national security, so detecting Cobalt Strike HTTPS traffic effectively is of significant value. However, existing methods are easily deceived by the variable infrastructure or disguised certificates attackers use, or fail to adequately capture the multiple aspects of encrypted traffic and the interrelations among them. To overcome these limitations, this paper proposes a Plaintext-aware Encrypted Traffic Detection Network (PETNet) to identify Cobalt Strike HTTPS traffic. PETNet contains three main modules: (1) Meta Information Modeling, which parses handshake payloads into semantically explicit, identity-agnostic meta features so that the model is not disturbed by the attacker's infrastructure or certificates; (2) Sequential Information Modeling, which models the interaction between attacker and victim with a Transformer encoder and captures the interrelations among the multiple aspects of the traffic through a meta-information-guided attention mechanism, yielding a configuration-aware encoding of the encrypted contents; (3) Fusion & Prediction, which fuses the interrelated meta information and sequential information to make the final prediction. We conduct extensive experiments on one closed-world and four open-world datasets. PETNet outperforms the best baseline by 53.42% in F1-score on average and remains robust to concept drift over a test period of 14 months, demonstrating its effectiveness and generalization ability.
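As an added illustration of the identity-agnostic meta features the first module relies on (this is example code written for this page, not PETNet's own implementation, whose exact feature set the abstract does not state), the parser below extracts cipher suites, extension types, SNI presence and offered versions from a constructed TLS ClientHello while discarding the hostname, client random and session id. Two hellos sent by the same client configuration toward different infrastructure therefore yield identical features, which is the property that makes the feature set resistant to attackers rotating domains or certificates. The `build_client_hello` helper only fabricates sample input; field layouts follow RFC 5246/8446.

```python
import struct

def _u16(b: bytes, i: int) -> int:
    return struct.unpack_from(">H", b, i)[0]

def parse_client_hello(record: bytes) -> dict:
    """Return identity-agnostic meta features of a TLS ClientHello record.
    Hostname (SNI value), client random and session id are deliberately dropped."""
    assert record[0] == 0x16, "not a TLS handshake record"
    hs = record[5:5 + _u16(record, 3)]          # strip the 5-byte record header
    assert hs[0] == 0x01, "not a ClientHello"
    i = 4                                        # handshake type + 3-byte length
    version = _u16(hs, i); i += 2
    i += 32                                      # client random: carries no config signal
    i += 1 + hs[i]                               # session id (length-prefixed)
    cs_len = _u16(hs, i); i += 2
    cipher_suites = [_u16(hs, i + k) for k in range(0, cs_len, 2)]; i += cs_len
    i += 1 + hs[i]                               # compression methods
    end = i + 2 + _u16(hs, i); i += 2            # extensions block bounds
    ext_types, sni_present, supported_versions = [], False, []
    while i < end:
        etype, elen = _u16(hs, i), _u16(hs, i + 2)
        data = hs[i + 4:i + 4 + elen]
        ext_types.append(etype)
        if etype == 0x0000:                      # server_name: keep presence, not the name
            sni_present = True
        elif etype == 0x002B:                    # supported_versions: 1-byte list length
            supported_versions = [_u16(data, 1 + k) for k in range(0, data[0], 2)]
        i += 4 + elen
    return {"version": version, "cipher_suites": cipher_suites,
            "extension_types": ext_types, "sni_present": sni_present,
            "supported_versions": supported_versions}

def build_client_hello(sni: bytes, suites: list, versions: list) -> bytes:
    """Constructed sample input: a minimal ClientHello with SNI and supported_versions."""
    cs = b"".join(struct.pack(">H", s) for s in suites)
    sni_data = struct.pack(">HBH", len(sni) + 3, 0, len(sni)) + sni
    sv_data = bytes([2 * len(versions)]) + b"".join(struct.pack(">H", v) for v in versions)
    exts = (struct.pack(">HH", 0x0000, len(sni_data)) + sni_data
            + struct.pack(">HH", 0x002B, len(sv_data)) + sv_data)
    body = (struct.pack(">H", 0x0303) + bytes(32) + b"\x00"        # version, random, empty sid
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00"          # suites, null compression
            + struct.pack(">H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def same_client_config(rec_a: bytes, rec_b: bytes) -> bool:
    """True when two hellos share a configuration regardless of the hostname contacted."""
    return parse_client_hello(rec_a) == parse_client_hello(rec_b)
```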