A Learning Evasive Email-Based P2P-Like Botnet

作     者：Zhi Wang Meilin Qin Mengqi Chen Chunfu Jia Yong Ma 

作者机构：College of Computer and Control Engineering Nankai University Tianjin 300350 China Information Security Evaluation Center of Civil Aviation Civil Aviation University of China Tianjin 300300 China Key Lab. on High Trusted Information System in Hebei Province Baoding 071002 China 

出 版 物：《China Communications》 (中国通信（英文版）)

年 卷 期：2018年第15卷第2期

页      面：15-24页

核心收录：

学科分类：12[管理学] 1201[管理学-管理科学与工程(可授管理学、工学学位)] 08[工学] 081201[工学-计算机系统结构] 0812[工学-计算机科学与技术（可授工学、理学学位）] 

基　　金：the National Key Basic Research Program of China (Grant: 2013CB834204) the National Natural Science Foundation of China (Grant: 61300242, 61772291) the Tianjin Research Program of Application Foundation and Advanced Technology (Grant: 15JCQNJC41500, 17JCZDJC30500) the Open Project Foundation of Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China (Grant: CAAC-ISECCA- 201701, CAAC-ISECCA-201702) 

主　　题：malware botnet learning evasion command and control 

摘      要：Nowadays, machine learning is widely used in malware detection system as a core component. The machine learning algorithm is designed under the assumption that all datasets follow the same underlying data distribution. But the real-world malware data distribution is not stable and changes with time. By exploiting the knowledge of the machine learning algorithm and malware data concept drift problem, we show a novel learning evasive botnet architecture and a stealthy and secure C&C mechanism. Based on the email communication channel, we construct a stealthy email-based P2 P-like botnet that exploit the excellent reputation of email servers and a huge amount of benign email communication in the same channel. The experiment results show horizontal correlation learning algorithm is difficult to separate malicious email traffic from normal email traffic based on the volume features and time-related features with enough confidence. We discuss the malware data concept drift and possible defense strategies.