The present invention relates to cyber security, and more specifically, to providing improved beaconing behavior detection by evaluating potential candidate period data as data points on a received signal to which statistical and communication theory principles can be applied.
Sophisticated cyber security threats, for example advanced persistent threats (APTs), employ strategies to infect end points within a security perimeter and instruct these machines (e.g., by means of a malware process) to issue regular callback traffic, hereinafter referred to as “beaconing”, to a machine outside the perimeter of the organization (e.g., on the Internet) that is controlled by an attacker. Other well-known cases employing beaconing traffic are botnet command and control infrastructures, where bots use such techniques to announce themselves and establish stealthy communication channels in order to receive instructions from the botnet master. In general, beaconing traffic can be characterized as regular (periodic) traffic (e.g., network connections, network packets) from a source to a destination point. It is also noted that beaconing traffic is not necessarily generated by a malware process, since beaconing traffic also occurs in benign, desirable network operations, such as a legitimate application periodically polling for updates.
Existing solutions to detect beaconing behavior employ pattern matching, statistical techniques, rate-based thresholds, and frequency analysis. For example, one conventional method uses Fourier transformation to analyze control plane traffic, looking for periodic signals that might indicate the presence of a botnet.
These existing solutions are challenged with high false positive rates. Moreover, the algorithms often assume highly regular, consecutive, and periodic beaconing behavior. In reality the intervals are not strictly periodic: endpoints dynamically join and leave the network, endpoints restart, gaps or noise exist in the observed data, or malware may change its beaconing behavior. In addition, some malware uses multiple periodicities, such as short intervals (e.g., seconds) for contact establishment, after which it remains dormant for a longer period of time (e.g., hours or days). Existing frequency analysis methods that detect only the top periodicity may therefore produce an incomplete picture of the beaconing behavior, or they may fail to detect interleaved periodicities altogether because the combined pattern appears irregular.
In the identified co-pending application Ser. No. 14/668,595 (now U.S. Pat. No. 9,591,007), incorporated herein by reference, the present inventors presented a method of detecting beaconing behavior in which network records were preprocessed to identify candidate source and destination pairs for detecting beaconing behavior, each source and destination pair being associated with specific time intervals. The activity time interval information was then converted from the time domain into the frequency domain so that candidate frequencies could be determined from the source/destination information.
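The following Python script is an added example and is not code from this patent or from the co-pending application; it illustrates the two points above on constructed data. It generates connection timestamps for one source/destination pair that combine a short period (contacts every 10 s within a burst) with a long period (one burst per hour), adds timing jitter and a missed cycle, derives candidate periods from the pairwise time differences, and scores each candidate in the frequency domain with the Rayleigh (Schuster) periodogram of the event times. The choice of candidate generation, the Rayleigh statistic, the constants, and the helper names are assumptions of this example, not the method of either application. Reporting only the top candidate yields one period; reporting several merged candidates recovers both.

```python
"""Multi-period beacon detection on constructed connection timestamps.

Added example, not the patent's code. It builds event times for one
source/destination pair with two interleaved periodicities, turns the
pairwise time differences into candidate periods, and scores each
candidate with the Rayleigh (Schuster) periodogram of the event times so
that several periods can be reported instead of only the strongest one.
"""
import math
import random

# Constructed sample: a burst of short-period contacts once per hour.
SHORT_PERIOD = 10.0        # seconds between contacts inside a burst
LONG_PERIOD = 3600.0       # seconds of dormancy between bursts
BURST_LEN = 6              # contacts per burst
OBS_SECONDS = 12 * 3600    # length of the observation window
OFFLINE_CYCLE = 5          # the host misses this whole cycle (gap in data)


def make_beacon_timestamps(seed=7):
    """Constructed event times (seconds) for one src/dst pair, with jitter."""
    rng = random.Random(seed)
    times = []
    for cycle in range(int(OBS_SECONDS // LONG_PERIOD)):
        if cycle == OFFLINE_CYCLE:
            continue                      # endpoint was off the network
        start = cycle * LONG_PERIOD
        for n in range(BURST_LEN):
            times.append(start + n * SHORT_PERIOD + rng.uniform(-0.5, 0.5))
    return sorted(times)


def candidate_periods(times, min_period=2.0, min_cycles=3):
    """Candidate periods: distinct pairwise time differences, rounded to 1 s.

    A candidate must fit at least `min_cycles` times into the observation
    span, so a single long gap cannot masquerade as a period.
    """
    span = times[-1] - times[0]
    cands = set()
    for i in range(len(times)):
        for j in range(i + 1, len(times)):
            p = round(times[j] - times[i])
            if min_period <= p <= span / min_cycles:
                cands.add(float(p))
    return sorted(cands)


def rayleigh_power(times, period):
    """Normalized power |sum exp(2*pi*i*t/P)|^2 / N of the event times.

    For randomly timed events this is roughly Exponential(1); a true period
    drives it toward N, the number of events (jitter lowers it slightly).
    """
    c = s = 0.0
    for t in times:
        theta = 2.0 * math.pi * (t / period)
        c += math.cos(theta)
        s += math.sin(theta)
    return (c * c + s * s) / len(times)


def rank_candidate_periods(times, top_k=5, min_power=10.0, merge_tol=0.1):
    """Return up to `top_k` (period, power) pairs, strongest first.

    Candidates within `merge_tol` (relative) of a stronger kept candidate are
    merged, so the plateau around one true period does not crowd out a
    second, interleaved period.
    """
    scored = [(p, rayleigh_power(times, p)) for p in candidate_periods(times)]
    scored.sort(key=lambda pp: pp[1], reverse=True)
    kept = []
    for period, power in scored:
        if power < min_power:
            break                         # remaining candidates are weaker
        if any(abs(period - k) / k <= merge_tol for k, _ in kept):
            continue
        kept.append((period, power))
        if len(kept) == top_k:
            break
    return kept


if __name__ == "__main__":
    ts = make_beacon_timestamps()
    print("top-1 only:", rank_candidate_periods(ts, top_k=1))
    print("top-5     :", rank_candidate_periods(ts, top_k=5))
```

Run as a script, the top-1 call reports a single period while the top-5 call reports both the hourly period and the 10 s contact period despite the jitter and the missing cycle; candidate periods such as 20 s or 7200 s score near zero because their phases cancel. On real data the pairwise-difference step should be bounded (a window or a sample of events per pair) before it is applied to busy source/destination pairs.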