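@comment{
  Review notes for entry 4041b9a84c3647e09f14edd9430f7e56 (BAYWATCH, DSN 2016):
  - The citation key is the hash from the original repository export. It is kept
    unchanged so existing citations still resolve; a readable alias such as
    hu2016baywatch can be added by the maintainer if the key scheme allows it.
  - The acronym BAYWATCH and the title are now in Title Case with the acronym
    braced, so sentence-casing .bst styles keep it capitalised.
  - year/month/day (2016-09-29) come from the export and look like the IEEE Xplore
    publication date; the conference itself ran 28 June - 1 July 2016 (see note).
    Confirm which date the target style should print. The "day" field is not a
    standard BibTeX field and is ignored by classic styles.
  - The export duplicated booktitle verbatim in series. series is for a series
    name (e.g. Lecture Notes in Computer Science), so the duplicate was dropped
    to avoid the proceedings title being printed twice.
  - address should hold the publisher's city, not a country. "United States" is
    kept only because the export gives no city; replace it when known.
  - keywords were derived from the abstract for local indexing only.
}

@inproceedings{4041b9a84c3647e09f14edd9430f7e56,
  title     = {{BAYWATCH}: Robust Beaconing Detection to Identify Infected Hosts in Large-Scale Enterprise Networks},
  abstract  = {Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as updates checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.},
  author    = {Hu, Xin and Jang, Jiyong and Stoecklin, Marc Ph and Wang, Ting and Schales, Douglas L. and Kirat, Dhilung and Rao, Josyula R.},
  booktitle = {Proceedings - 46th Annual {IEEE/IFIP} International Conference on Dependable Systems and Networks, {DSN} 2016},
  publisher = {Institute of Electrical and Electronics Engineers Inc.},
  address   = {United States},
  pages     = {479--490},
  year      = {2016},
  month     = sep,
  day       = {29},
  doi       = {10.1109/DSN.2016.50},
  language  = {English (US)},
  keywords  = {beaconing detection, command and control, advanced persistent threats, malware callbacks, web proxy logs, enterprise network security},
  note      = {Publisher Copyright: {\textcopyright} 2016 IEEE.; 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 ; Conference date: 28-06-2016 Through 01-07-2016},
}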