A Learning Evasive Email-Based P2P-Like Botnet


Authors: Zhi Wang, Meilin Qin, Mengqi Chen, Chunfu Jia, Yong Ma

Affiliations: [1] College of Computer and Control Engineering, Nankai University, Tianjin 300350, China; [2] Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China, Tianjin 300300, China; [3] Key Lab. on High Trusted Information System in Hebei Province, Baoding 071002, China

Source: China Communications (English edition), 2018, Issue 2, pp. 15-24 (10 pages)

Funding: the National Key Basic Research Program of China (Grant: 2013CB834204); the National Natural Science Foundation of China (Grant: 61300242, 61772291); the Tianjin Research Program of Application Foundation and Advanced Technology (Grant: 15JCQNJC41500, 17JCZDJC30500); the Open Project Foundation of Information Security Evaluation Center of Civil Aviation, Civil Aviation University of China (Grant: CAAC-ISECCA-201701, CAAC-ISECCA-201702)

Abstract: Nowadays, machine learning is widely used in malware detection systems as a core component. Machine learning algorithms are designed under the assumption that all datasets follow the same underlying data distribution, but the real-world malware data distribution is not stable and changes with time. By exploiting knowledge of the machine learning algorithm and the malware data concept drift problem, we show a novel learning evasive botnet architecture and a stealthy and secure C&C mechanism. Based on the email communication channel, we construct a stealthy email-based P2P-like botnet that exploits the excellent reputation of email servers and the huge amount of benign email communication in the same channel. The experiment results show that a horizontal correlation learning algorithm has difficulty separating malicious email traffic from normal email traffic with enough confidence based on volume features and time-related features. We discuss malware data concept drift and possible defense strategies.

Keywords: malware, botnet, learning evasion, command and control

Classification: TP393.0 [Automation and Computer Technology: Computer Application Technology]
