Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RAT). RAT are malicious programs that allow for unauthorized remote access of the infected phones to see their resources. Detecting Android RAT in the phone is a challenging task, that is why we propose to detect it in the network traffic. However, it is hard to access the network traffic in the phone, since there is no easy way to capture its traffic. More importantly, it's very hard or even impossible to have applications in the phones that can protect it from these attacks, leaving the detection in the network as the only option. In this bachelor thesis we research this problem of detecting RATs in phones by (1) creating an Android RATs’ dataset of real infected phones, (2) analysing RATs' network traffic behaviours, (3) proposing new detections model, and (4) implementing this detection module for RATs in a open-source Python-based intrusion detection system called Slips.
Execution, Analysis and Detection of Android RATs traffic
Mobile devices are at risk of cyber attacks, and the most dangerous attacks on mobile phones are Remote Access Trojans (RAT). RAT are malicious programs that allow for unauthorized remote access of the infected phones to see their resources. Detecting Android RAT in the phone is a challenging task, that is why we propose to detect it in the network traffic. However, it is hard to access the network traffic in the phone, since there is no easy way to capture its traffic. More importantly, it's very hard or even impossible to have applications in the phones that can protect it from these attacks, leaving the detection in the network as the only option. In this bachelor thesis we research this problem of detecting RATs in phones by (1) creating an Android RATs’ dataset of real infected phones, (2) analysing RATs' network traffic behaviours, (3) proposing new detections model, and (4) implementing this detection module for RATs in a open-source Python-based intrusion detection system called Slips.
IDENTIFYING MALICIOUS HOSTS BY AGGREGATION OF PARTIAL DETECTIONS
Bachelor Thesis
This thesis proposes to design, implement and test a machine learning improvement of Stratosphere IPS which aggregates the partial detections of hosts and classifies them using the XGBoost algorithm to improve the overall performance of the tool. Our method is based on an additional layer of abstraction called Source Address layer which collects the partial data and pre-processes it or the classifier. Compared to the first version of Stratosphere IPS proposed extension results in 40% increase in accuracy and 26% improvement in the False Positive rate.
GRAPH-BASED ANALYSIS OF MALWARE NETWORK BEHAVIORS
Bachelor Thesis
There are many malware families and every each of them has some unique features. The aim of this work is to focus on detecting malicious behavior using leaving network communication. Our hypothesis is that this malicious communication has sequential behavioral patterns. We present a new graph representation of leaving network communication using (IP address, port, protocol)-triplets as vertices.
Detection of HTTPS Malware Traffic
In the last years there has been an increase in the amount of malware using HTTPS traffic for their communications. This situation pose a challenge for the security analysts because the traffic is encrypted and because it mostly looks like normal traffic. Therefore, there is a need to discover new features and methods to detect malware without decrypting the traffic. A detection method that does not need to unencrypt the traffic is cheaper (because no traffic interceptor is needed), faster and private, respecting the original idea of HTTPS. The goal of this thesis is to detect HTTPS malware connections by extracting new features and using data from the Bro IDS program. Since the data for the research is hard to come by, we used data from the Stratosphere project and we created, by hand, our own datasets. Our unit of analysis is an aggregation of all the information that is possible to obtain without decrypting the data. We group together flows, SSL data and X.509 certificates data as they are generated by Bro. To classify the HTTPS malware traffic we used several algorithms, such as Neural Networks, XGBoost and Random Forest. Our results show that the HTTPS malware behaviour is distinct from normal HTTPS behaviour and that our methods are able to separate them with an accuracy of at least 96.64%.