Research field: Strategies
Conference: International Conference on Machine Learning for Networking
Cobalt Strike is a stealthy and powerful command and control (C&C) framework that has been widely used in many recent massive data breach attacks (e.g., the SolarWinds attack in 2020) and ransomware attacks. While detecting Cobalt Strike C&C network traffic is crucial to protecting our mission-critical systems from many sophisticated cyberattacks, no existing intrusion detection system has been shown to reliably detect real-world Cobalt Strike C&C traffic within encrypted traffic. In this paper, we propose a machine-learning-based approach to detect stealthy Cobalt Strike C&C traffic. Based on an analysis of real-world Cobalt Strike traffic, we have developed an approach using flow-level features that capture the inherent characteristics of Cobalt Strike C&C traffic. We have validated our machine-learning-based detection with five machine learning algorithms and evaluated them on Cobalt Strike traffic from real-world cyberattacks. Our empirical results demonstrate that our random forest model can detect close to 50% of real-world Cobalt Strike C&C traces in encrypted traffic with a 1.4% false positive rate.
| Publication year | 2023 |
|---|---|
| Citations | 0 |
| Publication country | Germany, United States |
| Site | Springer |