DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting

Riccardo Bortolameotti, Thijs Sebastiaan van Ede, Marco Caselli, Maarten Hinderik Everts, Pieter H. Hartel, Rick Hofstede, Willem Jonker, Andreas Peter

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    5 Citations (Scopus)
    4 Downloads (Pure)

    Abstract

    We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication indicated by unknown fingerprints extracted from a host's network traffic. We evaluate a prototype with realistic data from an international organization and datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 monitored host machines, an average detection rate of 97.7%, and that it cannot be evaded by malware using simple evasion techniques such as using known browser user agent values. We compare our solution with DUMONT [24], the current state-of-the-art IDS which detects HTTP covert communication channels by focusing on benign HTTP traffic. The results show that DECANTeR outperforms DUMONT in terms of detection rate, false positive rate, and even evasion-resistance. Finally, DECANTeR detects 96.8% of information stealers in our dataset, which shows its potential to detect data exfiltration.
    Original languageEnglish
    Title of host publicationACSAC 2017, Proceedings of the 33rd Annual Computer Security Applications Conference
    Pages373-386
    ISBN (Electronic)978-1-4503-5345-8
    DOIs
    Publication statusPublished - 2017
    Event33nd Annual Computer Security Applications Conference 2017 - Orlando, United States
    Duration: 4 Dec 20178 Dec 2017
    Conference number: 33
    https://www.acsac.org

    Conference

    Conference33nd Annual Computer Security Applications Conference 2017
    Abbreviated titleACSAC 2017
    CountryUnited States
    CityOrlando
    Period4/12/178/12/17
    Internet address

      Fingerprint

    Cite this

    Bortolameotti, R., van Ede, T. S., Caselli, M., Everts, M. H., Hartel, P. H., Hofstede, R., ... Peter, A. (2017). DECANTeR: DEteCtion of Anomalous outbouNd HTTP TRaffic by Passive Application Fingerprinting. In ACSAC 2017, Proceedings of the 33rd Annual Computer Security Applications Conference (pp. 373-386) https://doi.org/10.1145/3134600.3134605