Identification Domain Fronting Traffic for Revealing Obfuscated C2 Communications

Zeyu Li, Meiqi Wang, Xuebin Wang, Jinqiao Shi, Kexin Zou, Majing Su
DOI: https://doi.org/10.1109/DSC53577.2021.00020
2021-01-01
Abstract: Nowadays, as networks grow in size, the scope of malware and malicious traffic is also increasing quickly. For example, some attacks turn a group of Internet-connected hacked devices into botnets, and a command-and-control (C2) tunnel is built to herd bots for illicit purposes such as massive DDoS. In order to evade Internet malware detection, a variety of techniques are used to obfuscate the C2 communications, of which Tor domain fronting is one of the most sophisticated. In this paper, a method based on deep learning for domain-fronting traffic identification is proposed. A CNN model is adopted that integrates feature learning into the training process, so that it can classify traffic based only on packet sequences. We identify meek-azure traffic and meek-fastly traffic mixed with different types of traffic, including Tor traffic and non-Tor traffic, and the method achieves rather high precision and an accuracy of 99.69%. Furthermore, we identify domain-fronting traffic mixed with non-domain-fronting traffic that carries the same Server Name Indication (SNI), and the result shows that our method achieves an accuracy of 97.35% when identifying the domain-fronting traffic in the mixed dataset. The results of this work provide a new approach to detecting the obfuscated C2 communications of a botnet.
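The abstract's central point is that a fronted tunnel and ordinary browsing through the same CDN edge present the same SNI, so a detector that keys on the SNI cannot separate them, whereas a CNN fed only the packet sequence can learn a separating feature on its own. The following added example (not the paper's code; the paper does not specify its CNN architecture or preprocessing) shows that pipeline end to end in pure Python: flows are mapped to fixed-length, direction-signed, MTU-normalised packet-length vectors, and a minimal stand-in network (one 1-D convolution filter, ReLU, global average pooling, logistic output) is trained from scratch with hand-written gradients. The two traffic classes are constructed here, as are the constants `MTU`, `SEQ_LEN`, and the learning-rate and epoch values; the SNI is deliberately never an input to the model.

```python
"""Added example: classify flows that share one SNI using only direction-signed
packet-length sequences, with a tiny 1-D CNN trained from scratch.
All flows below are constructed; the architecture is a stand-in for the
paper's (unspecified) CNN. Pure standard library, no NumPy/PyTorch."""
import math
import random

MTU = 1500       # length normalisation constant (assumption)
SEQ_LEN = 32     # packets per flow fed to the model (assumption)


def flow_to_sequence(packets, seq_len=SEQ_LEN):
    """Map [(direction, length), ...] to a fixed-length list of floats:
    client->server packets are positive, server->client negative, lengths
    scaled by MTU; longer flows are truncated, shorter ones zero-padded."""
    seq = [(1.0 if d == "out" else -1.0) * min(n, MTU) / MTU
           for d, n in packets[:seq_len]]
    return seq + [0.0] * (seq_len - len(seq))


def make_polling_flow(rng):
    """Constructed stand-in for a fronted meek-style tunnel: small client
    POSTs and small replies at a steady cadence (same SNI as browsing)."""
    pkts = []
    for _ in range(SEQ_LEN // 2):
        pkts.append(("out", rng.randint(500, 700)))
        pkts.append(("in", rng.randint(350, 550)))
    return pkts


def make_browsing_flow(rng):
    """Constructed stand-in for ordinary browsing via the same edge: a short
    request followed by a burst of full-size downstream segments."""
    pkts = []
    while len(pkts) < SEQ_LEN:
        pkts.append(("out", rng.randint(200, 400)))
        pkts.extend([("in", MTU)] * rng.randint(3, 6))
    return pkts[:SEQ_LEN]


def _sigmoid(z):
    # numerically safe logistic function
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


class TinyConvNet:
    """One 1-D convolution filter -> ReLU -> global average pool -> logistic
    unit. The filter weights are learned: nothing is hand-engineered."""

    def __init__(self, kernel=3):
        self.k = kernel
        self.f = [0.1] * kernel   # filter weights (deterministic init)
        self.fb = 0.0             # filter bias
        self.w = 0.1              # output weight
        self.b = 0.0              # output bias

    def _forward(self, x):
        T = len(x) - self.k + 1
        conv = [sum(self.f[j] * x[t + j] for j in range(self.k)) + self.fb
                for t in range(T)]
        pooled = sum(c for c in conv if c > 0) / T      # ReLU + mean pool
        return conv, pooled, _sigmoid(self.w * pooled + self.b)

    def predict_proba(self, x):
        return self._forward(x)[2]

    def sgd_step(self, x, y, lr):
        """One stochastic-gradient step on binary cross-entropy; the
        gradients are written out by hand (no autograd here)."""
        conv, pooled, p = self._forward(x)
        T = len(conv)
        dz = p - y                      # dL/dz for logistic output + BCE
        dpooled = dz * self.w
        df, dfb = [0.0] * self.k, 0.0
        for t, c in enumerate(conv):
            if c > 0:                   # ReLU passes gradient only when active
                dfb += dpooled / T
                for j in range(self.k):
                    df[j] += dpooled / T * x[t + j]
        self.w -= lr * dz * pooled
        self.b -= lr * dz
        self.fb -= lr * dfb
        self.f = [fj - lr * dfj for fj, dfj in zip(self.f, df)]

    def train(self, data, epochs=200, lr=0.1, seed=0):
        rng, order = random.Random(seed), list(data)
        for _ in range(epochs):
            rng.shuffle(order)
            for x, y in order:
                self.sgd_step(x, y, lr)


def mean_loss(model, data):
    eps = 1e-9
    return -sum(y * math.log(model.predict_proba(x) + eps)
                + (1 - y) * math.log(1 - model.predict_proba(x) + eps)
                for x, y in data) / len(data)


def accuracy(model, data):
    return sum((model.predict_proba(x) >= 0.5) == bool(y) for x, y in data) / len(data)


def build_dataset(n_per_class=20, seed=1):
    rng = random.Random(seed)
    data = [(flow_to_sequence(make_polling_flow(rng)), 1) for _ in range(n_per_class)]
    data += [(flow_to_sequence(make_browsing_flow(rng)), 0) for _ in range(n_per_class)]
    return data


def run_demo():
    """Train on the constructed flows; return loss/accuracy before and after."""
    data, model = build_dataset(), TinyConvNet()
    loss0, acc0 = mean_loss(model, data), accuracy(model, data)
    model.train(data)
    return {"loss_before": loss0, "acc_before": acc0,
            "loss_after": mean_loss(model, data), "acc_after": accuracy(model, data)}


if __name__ == "__main__":
    print(run_demo())
```

The design point to take from this is that the only per-flow input is the packet vector: swapping the polling generator for captures of real fronted traffic, and the browsing generator for benign flows to the same edge, leaves the model and training loop unchanged. A real deployment would use a framework with several filters and layers, a held-out validation set, and calibration of the decision threshold against the false-positive budget of the network being monitored.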