Abstract
Supply chain attacks are potent cyber attacks with widespread ramifications, carried out by compromising the supply chains that organizations trust. They are difficult to detect because the malware is delivered through a trustworthy supply chain, so the usual signs of infection are absent and deployed security controls are rendered ineffective. The recent increase in supply chain attacks warrants a Zero-trust model and innovative solutions for detecting them. Supply chain malware needs to establish a Command and Control (C2) connection as a communication link with the attacker before it can proceed along the privileged pathway it has gained; discovering the C2 channel between the attacker and the malware can therefore lead to detection of the attack. The most promising technique for detecting supply chain attacks is to monitor host-based indicators and correlate them with the associated network activity for early discovery of the C2 connection. The proposed framework, C2-Eye, introduces a novel approach to detecting C2 over DNS by combining host-based activity with the corresponding network activity and threat intelligence. C2-Eye integrates process-specific host-based features, correlated network activity, DNS metadata, DNS semantic analysis, and real-time threat intelligence from publicly available resources to detect the C2 connection of supply chain attacks. In addition, C2-Eye monitors the exploitation of the C2 channel for probable data exfiltration. C2-Eye introduces a distinctive feature set of 22 novel features specific to supply chain attacks, enabling detection of the attack with an F1-score of 98.70%.
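The abstract describes correlating which process issued a DNS query (a host-based indicator) with lexical features of the query and with threat intelligence, and watching the same channel for exfiltration. The following Python script is an added illustration of that idea and is not the C2-Eye implementation, nor its 22-feature set: the event records are constructed here and their shape is an assumption loosely modelled on a host DNS sensor such as Sysmon's DNS query event (Event ID 22); the threat-intelligence set is a constructed placeholder for a real feed; the scoring thresholds are illustrative choices, not values from the paper.

```python
"""Per-process DNS correlation with lexical features and threat intelligence.
Added example, not the paper's code: event shape, intel list and thresholds are assumptions."""
import math
from collections import Counter, defaultdict

# Constructed host-side records: which process image issued which DNS query.
# Shape is an assumption, loosely modelled on Sysmon Event ID 22 (DnsQuery).
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 412, "image": "updater.exe", "query": "update.vendor-example.com"},
    {"ts": 101, "pid": 412, "image": "updater.exe", "query": "cdn.vendor-example.com"},
    {"ts": 102, "pid": 412, "image": "updater.exe", "query": "api.vendor-example.com"},
    {"ts": 110, "pid": 777, "image": "browser.exe", "query": "www.example.org"},
    {"ts": 111, "pid": 777, "image": "browser.exe", "query": "mail.example.com"},
    {"ts": 112, "pid": 777, "image": "browser.exe", "query": "news.example.net"},
    {"ts": 113, "pid": 777, "image": "browser.exe", "query": "docs.example.edu"},
    # A trusted vendor service whose queries are all unique, high-entropy labels
    # under one registered domain: the pattern a DNS beacon or exfiltration leaves.
    {"ts": 120, "pid": 9001, "image": "vendorsvc.exe", "query": "a9f3c2e0b1d74865.beacon-example.net"},
    {"ts": 121, "pid": 9001, "image": "vendorsvc.exe", "query": "7e2c9a0f4b1d8365.beacon-example.net"},
    {"ts": 122, "pid": 9001, "image": "vendorsvc.exe", "query": "0d4a8e2f6c1b9375.beacon-example.net"},
    {"ts": 123, "pid": 9001, "image": "vendorsvc.exe", "query": "5b1e9c3a7d0f2468.beacon-example.net"},
    {"ts": 124, "pid": 9001, "image": "vendorsvc.exe",
     "query": "a9f3c2e0b1d748657e2c9a0f4b1d8365.beacon-example.net"},
]

# Constructed placeholder standing in for a public threat-intelligence feed.
THREAT_INTEL_DOMAINS = {"beacon-example.net"}


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_domain(fqdn):
    """Return (subdomain, registered_domain). Simplification: the last two labels are
    taken as the registered domain; production code would use the Public Suffix List."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def extract_features(events, intel_domains):
    """Aggregate DNS features per (pid, image), i.e. per host process."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["pid"], e["image"])].append(e["query"])
    features = {}
    for key, queries in by_proc.items():
        subs, regs = zip(*(split_domain(q) for q in queries))
        label_lens = [len(lbl) for s in subs for lbl in s.split(".") if lbl]
        dominant = Counter(regs).most_common(1)[0][1]
        features[key] = {
            "queries": len(queries),
            "unique_fqdns": len(set(queries)),
            # Entropy of the attacker-controllable part only, dots removed.
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs),
            "max_label_len": max(label_lens, default=0),
            # Share of queries going to the single most-queried registered domain.
            "dominant_ratio": dominant / len(queries),
            "intel_hits": sum(r in intel_domains for r in regs),
        }
    return features


def score_process(f):
    """Illustrative weighted rules (thresholds are assumptions, not from the paper)."""
    score, reasons = 0, []
    if f["intel_hits"]:
        score += 50
        reasons.append("registered domain on threat-intel list")
    if f["mean_entropy"] >= 3.5:
        score += 20
        reasons.append("high-entropy subdomain labels")
    if f["max_label_len"] >= 20:
        score += 15
        reasons.append("long label, consistent with encoded data")
    if f["unique_fqdns"] >= 5 and f["dominant_ratio"] >= 0.8:
        score += 15
        reasons.append("many unique subdomains under one domain (possible exfiltration)")
    return score, reasons


def detect(events, intel_domains, threshold=50):
    """Return {(pid, image): (score, reasons)} for processes scoring at or above threshold."""
    alerts = {}
    for key, f in extract_features(events, intel_domains).items():
        score, reasons = score_process(f)
        if score >= threshold:
            alerts[key] = (score, reasons)
    return alerts


if __name__ == "__main__":
    for (pid, image), (score, reasons) in detect(SAMPLE_EVENTS, THREAT_INTEL_DOMAINS).items():
        print(f"ALERT pid={pid} image={image} score={score}: {'; '.join(reasons)}")
```

Keying the features on the process rather than on the host as a whole is what makes the verdict actionable: the alert names the vendor binary that is talking to the suspicious domain, which is exactly the trusted-component case a supply chain attack exploits. The entropy and label-length features are the lexical side of the correlation; the dominant-domain and unique-subdomain counts capture the volume pattern of exfiltration over DNS, which the abstract calls out as a separate monitoring goal.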
Data Availability
Feature engineered experimental dataset can be made available on request.
Ethics declarations
Conflict of interest
The authors declare that they have no known Conflict of interest that could have appeared to influence the work reported in this paper.
About this article
Cite this article
Haider, R.Z., Aslam, B., Abbas, H. et al. C2-Eye: framework for detecting command and control (C2) connection of supply chain attacks. Int. J. Inf. Secur. (2024). https://doi.org/10.1007/s10207-024-00850-y
DOI: https://doi.org/10.1007/s10207-024-00850-y