Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study
Result identifiers
Result code in IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F23%3APU148949" target="_blank" >RIV/00216305:26230/23:PU148949 - isvavai.cz</a>
Result on the web
<a href="https://www.fit.vut.cz/research/publication/13007/" target="_blank" >https://www.fit.vut.cz/research/publication/13007/</a>
DOI - Digital Object Identifier
—
Alternative languages
Result language
English
Title in the original language
Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study
Result description in the original language
This paper presents a novel approach for detecting the FluBot malware, an advanced Android banking Trojan that has been observed in active attacks in 2021 and 2022. The proposed method uses a two-layer detection mechanism to identify FluBot network connections. In the first layer, a machine learning algorithm is used to detect DNS-over-HTTPS (DoH) within Netflow records. The second layer uses a modified version of an existing domain generation algorithm (DGA) detection algorithm to target the DoH connections associated with the FluBot malware specifically. To evaluate the effectiveness of this approach, we used a dataset consisting of FluBot network traffic captured in a controlled sandbox environment. The preliminary results show that our DoH classifier achieves high accuracy and detection rates in identifying instances of FluBot malware, while maintaining a low false positive rate.
Title in English
Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study
Result description in English
This paper presents a novel approach for detecting the FluBot malware, an advanced Android banking Trojan that has been observed in active attacks in 2021 and 2022. The proposed method uses a two-layer detection mechanism to identify FluBot network connections. In the first layer, a machine learning algorithm is used to detect DNS-over-HTTPS (DoH) within Netflow records. The second layer uses a modified version of an existing domain generation algorithm (DGA) detection algorithm to target the DoH connections associated with the FluBot malware specifically. To evaluate the effectiveness of this approach, we used a dataset consisting of FluBot network traffic captured in a controlled sandbox environment. The preliminary results show that our DoH classifier achieves high accuracy and detection rates in identifying instances of FluBot malware, while maintaining a low false positive rate.
Classification
Type
O - Other results
CEP field
—
OECD FORD field
10201 - Computer sciences, information science, bioinformatics (hardware development to be 2.2, social aspect to be 5.8)
Result linkages
Project
<a href="/cs/project/FW03010099" target="_blank" >FW03010099: Analysis of encrypted traffic based on contextual analysis using flow data</a><br>
Linkages
P - Research and development project financed from public funds (with a link to CEP)
Other
Year of application
2023
Data confidentiality code
S - Complete and true data on the project are not subject to protection under special legal regulations