Example Advanced Beaconing Detection
Beaconing is the practice of sending short, regular communications from an infected host to an attacker-controlled machine to signal that the malware on the infected host is alive, functioning, and ready for instructions.
Beacons usually come from internal infected hosts (e.g. bots or zombies) and are sent to command and control (C2 or C&C) servers outside the network.
This “phone home” communication strategy allows botnet administrators to automatically track, manage, and control hundreds of thousands of infected hosts.
After explaining what beaconing is, how it works, its types and uses, and the different tricks used by malware with this behavior to avoid detection, we propose a new way to detect beaconing, including those tricks, based on unsupervised machine learning clustering algorithms.
The main idea behind this approach is to look at the variability of time intervals and the presence of recurring data sizes, which we describe as temporal and spatial beaconing respectively.
Our approach takes into account the maneuvers used by attackers, derived from studying many types of malware such as botnets. Our solution also offers scalability and maintainability: if a new maneuver is discovered, the algorithms do not need to be rewritten; modifying our existing features or adding new ones is enough to get it up and running again.
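As an added illustration (not the authors' code), the following Python computes the temporal and spatial features just described for each source/destination pair over a constructed connection log; the field layout, sample traffic and thresholds are assumptions, and the resulting feature vectors are what a clustering step would consume.

```python
from collections import Counter, defaultdict
from statistics import mean, median, pstdev

# Constructed connection records: (timestamp in seconds, src, dst, bytes sent).
# 10.0.0.5 reaches out roughly every 60 s with a few seconds of jitter and a
# near-constant payload; 10.0.0.7 is irregular, human-like traffic.
SAMPLE_LOG = [
    (0, "10.0.0.5", "203.0.113.9", 512), (61, "10.0.0.5", "203.0.113.9", 512),
    (119, "10.0.0.5", "203.0.113.9", 512), (182, "10.0.0.5", "203.0.113.9", 512),
    (240, "10.0.0.5", "203.0.113.9", 516), (299, "10.0.0.5", "203.0.113.9", 512),
    (362, "10.0.0.5", "203.0.113.9", 512), (420, "10.0.0.5", "203.0.113.9", 512),
    (0, "10.0.0.7", "198.51.100.2", 1200), (5, "10.0.0.7", "198.51.100.2", 340),
    (90, "10.0.0.7", "198.51.100.2", 88), (93, "10.0.0.7", "198.51.100.2", 5600),
    (400, "10.0.0.7", "198.51.100.2", 910), (410, "10.0.0.7", "198.51.100.2", 2300),
    (700, "10.0.0.7", "198.51.100.2", 150), (1500, "10.0.0.7", "198.51.100.2", 4400),
]

def pair_features(log):
    """Per (src, dst) pair: timing regularity (temporal beaconing) and
    payload-size repetition (spatial beaconing)."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in log:
        by_pair[(src, dst)].append((ts, size))
    feats = {}
    for pair, events in by_pair.items():
        events.sort()
        times = [ts for ts, _ in events]
        sizes = [size for _, size in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of the inter-arrival times: a jittered 60 s
        # beacon still scores low, while human-driven traffic scores high.
        cv = pstdev(gaps) / mean(gaps) if gaps and mean(gaps) > 0 else float("inf")
        top_size, top_count = Counter(sizes).most_common(1)[0]
        feats[pair] = {
            "count": len(events),
            "median_interval": median(gaps) if gaps else 0,
            "interval_cv": cv,
            "top_size": top_size,
            "size_mode_ratio": top_count / len(sizes),  # share of the modal size
        }
    return feats

def beacon_candidates(log, min_count=5, cv_max=0.2, size_ratio_min=0.5):
    """Pairs in the tight-timing / repeated-size corner of feature space,
    the region a clustering step would isolate (thresholds are assumptions)."""
    return sorted(pair for pair, f in pair_features(log).items()
                  if f["count"] >= min_count and f["interval_cv"] <= cv_max
                  and f["size_mode_ratio"] >= size_ratio_min)
```

On the sample log the jittered 10.0.0.5 pair keeps an interval CV near 0.04 and a modal-size share of 0.875, while the irregular pair scores above 1.0 and 0.125, so only the former is returned.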
In addition, our platform allows user interaction: the user defines whether an exchange should be considered dangerous or not, since the needs of companies differ. This also lets us value user feedback and possibly use it as a basis for future work.