BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks

Xin Hu, Jiyong Jang, Marc Ph Stoecklin, Ting Wang, Douglas L. Schales, Dhilung Kirat, Josyula R. Rao

Research output: Chapter in Book/Report/Conference proceedingConference contribution

20 Scopus citations

Abstract

Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as updates checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.

Original languageEnglish (US)
Title of host publicationProceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages479-490
Number of pages12
ISBN (Electronic)9781467388917
DOIs
StatePublished - Sep 29 2016
Event46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 - Toulouse, France
Duration: Jun 28 2016Jul 1 2016

Publication series

NameProceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

Other

Other46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Country/TerritoryFrance
CityToulouse
Period6/28/167/1/16

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Software
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks'. Together they form a unique fingerprint.

Cite this