C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks

  • Regular Contribution
  • International Journal of Information Security

Abstract

Supply chain attacks are potent cyber attacks with widespread ramifications, carried out by compromising supply chains. They are difficult to detect because the malware is installed through a trusted supply chain, so the usual signs of infection are absent and deployed security controls are rendered ineffective. The recent increase in supply chain attacks warrants a Zero-trust model and innovative solutions for detecting them. Supply chain malware needs to establish a Command and Control (C2) connection as a communication link with the attacker in order to proceed along the privileged pathway, so discovering the C2 channel between the attacker and the malware can lead to detection of the attack. The most promising technique for detecting supply chain attacks is monitoring host-based indicators and correlating them with the associated network activity for early discovery of the C2 connection. The proposed framework introduces a novel approach to detecting C2 over DNS by combining host-based activity with the corresponding network activity and threat intelligence. C2-Eye integrates process-specific host-based features, correlated network activity, DNS metadata, DNS semantic analysis, and real-time threat intelligence from publicly available resources to detect the C2 of supply chain attacks. C2-Eye also monitors exploitation of the C2 channel for probable data exfiltration. C2-Eye introduces a distinctive feature set with 22 novel features specific to supply chain attacks, enabling detection of the attack with an F1-score of 98.70%.
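The detection idea the abstract describes, joining process-level host events with DNS query features and a threat-intelligence feed, is illustrated below with an added example that is not the authors' code. The event schema, the entropy/payload-size features, the thresholds and the sample events and blocklist are all assumptions constructed for the example; the paper's 22 features are not shown on the page.

```python
import math
from collections import defaultdict

# Constructed host-side DNS events, one per process query (Sysmon-like fields assumed).
# The paper's actual feature set and event schema are not shown on the page.
HOST_DNS_EVENTS = [
    {"ts": 100, "pid": 4212, "image": "Updater.exe", "query": "update.vendor.example"},
    {"ts": 160, "pid": 4212, "image": "Updater.exe", "query": "a9f3c1e7b2d4f6a8c0e1.sync-cdn.example"},
    {"ts": 161, "pid": 4212, "image": "Updater.exe", "query": "b7d2e9f1a3c5e7b9d1f3.sync-cdn.example"},
    {"ts": 162, "pid": 4212, "image": "Updater.exe", "query": "c4e8a2f6b0d4e8a2c6f0.sync-cdn.example"},
    {"ts": 170, "pid": 880, "image": "chrome.exe", "query": "www.example.org"},
    {"ts": 171, "pid": 880, "image": "chrome.exe", "query": "mail.example.org"},
]
INTEL_FEED = {"sync-cdn.example"}  # constructed threat-intelligence blocklist

def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking (encoded) labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Assumes a two-label public-suffix rule for the sample (no PSL lookup)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def profile_processes(events, intel):
    """Aggregate DNS behaviour per process: host pid/image joined with query features."""
    stats = defaultdict(lambda: {"image": "", "queries": 0, "domains": set(),
                                 "entropy_sum": 0.0, "payload_bytes": 0, "intel_hit": False})
    for ev in events:
        q = ev["query"].lower().rstrip(".")
        rdom = registered_domain(q)
        sub = q[: -len(rdom) - 1] if len(q) > len(rdom) else ""  # subdomain part only
        p = stats[ev["pid"]]
        p["image"] = ev["image"]
        p["queries"] += 1
        p["domains"].add(rdom)
        p["entropy_sum"] += shannon_entropy(sub)
        p["payload_bytes"] += len(sub.replace(".", ""))  # data carried in query labels
        p["intel_hit"] |= rdom in intel
    return stats

def verdict(p, entropy_thr=3.5, exfil_bytes=50):
    """Rule-based decision combining host, DNS-semantic and threat-intel evidence."""
    mean_entropy = p["entropy_sum"] / p["queries"]
    if p["intel_hit"] and p["payload_bytes"] >= exfil_bytes:
        return "c2_with_probable_exfiltration"
    if p["intel_hit"] or mean_entropy >= entropy_thr:
        return "c2_suspected"
    return "benign"

def detect(events=HOST_DNS_EVENTS, intel=INTEL_FEED):
    """Map each observed pid to a verdict, e.g. {4212: 'c2_with_probable_exfiltration', 880: 'benign'}."""
    return {pid: verdict(p) for pid, p in profile_processes(events, intel).items()}
```

The per-process grouping is what lets a trusted updater binary be singled out even though the DNS traffic alone would be mixed with a browser's benign queries.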

Data Availability

Feature engineered experimental dataset can be made available on request.


Author information

Corresponding author

Correspondence to Raja Zeeshan Haider.

Ethics declarations

Conflict of interest

The authors declare that they have no known conflict of interest that could have appeared to influence the work reported in this paper.

Cite this article

Haider, R.Z., Aslam, B., Abbas, H. et al. C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207-024-00850-y

  • DOI: https://doi.org/10.1007/s10207-024-00850-y
