BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks

Xin Hu, Jiyong Jang, Marc Ph Stoecklin, Ting Wang, Douglas L. Schales, Dhilung Kirat, Josyula R. Rao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as update checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.

Original language: English (US)
Title of host publication: Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 479-490
Number of pages: 12
ISBN (Electronic): 9781467388917
DOIs: 10.1109/DSN.2016.50
State: Published - Sep 29 2016
Event: 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 - Toulouse, France
Duration: Jun 28 2016 – Jul 1 2016

Publication series

Name: Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

Other

Other: 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016
Country: France
City: Toulouse
Period: 6/28/16 – 7/1/16

Fingerprint

Industry
Communication
Malware

All Science Journal Classification (ASJC) codes

  • Hardware and Architecture
  • Software
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

Hu, X., Jang, J., Stoecklin, M. P., Wang, T., Schales, D. L., Kirat, D., & Rao, J. R. (2016). BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks. In Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016 (pp. 479-490). [7579765] (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DSN.2016.50
Hu, Xin ; Jang, Jiyong ; Stoecklin, Marc Ph ; Wang, Ting ; Schales, Douglas L. ; Kirat, Dhilung ; Rao, Josyula R. / BAYWATCH : Robust beaconing detection to identify infected hosts in large-scale enterprise networks. Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016. Institute of Electrical and Electronics Engineers Inc., 2016. pp. 479-490 (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016).
@inproceedings{4041b9a84c3647e09f14edd9430f7e56,
title = "BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks",
abstract = "Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as updates checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.",
author = "Xin Hu and Jiyong Jang and Stoecklin, {Marc Ph} and Ting Wang and Schales, {Douglas L.} and Dhilung Kirat and Rao, {Josyula R.}",
year = "2016",
month = "9",
day = "29",
doi = "10.1109/DSN.2016.50",
language = "English (US)",
series = "Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "479--490",
booktitle = "Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016",
address = "United States",

}

Hu, X, Jang, J, Stoecklin, MP, Wang, T, Schales, DL, Kirat, D & Rao, JR 2016, BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks. in Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016., 7579765, Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016, Institute of Electrical and Electronics Engineers Inc., pp. 479-490, 46th IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016, Toulouse, France, 6/28/16. https://doi.org/10.1109/DSN.2016.50

BAYWATCH : Robust beaconing detection to identify infected hosts in large-scale enterprise networks. / Hu, Xin; Jang, Jiyong; Stoecklin, Marc Ph; Wang, Ting; Schales, Douglas L.; Kirat, Dhilung; Rao, Josyula R.

Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016. Institute of Electrical and Electronics Engineers Inc., 2016. p. 479-490 7579765 (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016).


TY - GEN

T1 - BAYWATCH

T2 - Robust beaconing detection to identify infected hosts in large-scale enterprise networks

AU - Hu, Xin

AU - Jang, Jiyong

AU - Stoecklin, Marc Ph

AU - Wang, Ting

AU - Schales, Douglas L.

AU - Kirat, Dhilung

AU - Rao, Josyula R.

PY - 2016/9/29

Y1 - 2016/9/29

N2 - Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as updates checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.

AB - Sophisticated cyber security threats, such as advanced persistent threats, rely on infecting end points within a targeted security domain and embedding malware. Typically, such malware periodically reaches out to the command and control infrastructures controlled by adversaries. Such callback behavior, called beaconing, is challenging to detect as (a) detection requires long-term temporal analysis of communication patterns at several levels of granularity, (b) malware authors employ various strategies to hide beaconing behavior, and (c) it is also employed by legitimate applications (such as updates checks). In this paper, we develop a comprehensive methodology to identify stealthy beaconing behavior from network traffic observations. We use an 8-step filtering approach to iteratively refine and eliminate legitimate beaconing traffic and pinpoint malicious beaconing cases for in-depth investigation and takedown. We provide a systematic evaluation of our core beaconing detection algorithm and conduct a large-scale evaluation of web proxy data (more than 30 billion events) collected over a 5-month period at a corporate network comprising over 130,000 end-user devices. Our findings indicate that our approach reliably exposes malicious beaconing behavior, which may be overlooked by traditional security mechanisms.

UR - http://www.scopus.com/inward/record.url?scp=84994228717&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84994228717&partnerID=8YFLogxK

U2 - 10.1109/DSN.2016.50

DO - 10.1109/DSN.2016.50

M3 - Conference contribution

AN - SCOPUS:84994228717

T3 - Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

SP - 479

EP - 490

BT - Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016

PB - Institute of Electrical and Electronics Engineers Inc.

ER -

Hu X, Jang J, Stoecklin MP, Wang T, Schales DL, Kirat D et al. BAYWATCH: Robust beaconing detection to identify infected hosts in large-scale enterprise networks. In Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016. Institute of Electrical and Electronics Engineers Inc. 2016. p. 479-490. 7579765. (Proceedings - 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2016). https://doi.org/10.1109/DSN.2016.50