Recent self-propagating malware (SPM) campaigns compromised hundreds of thousands of victim machines on the Internet. It is challenging to detect these attacks in their early stages, as adversaries utilize common network services, use novel techniques, and can evade existing detection mechanisms. We propose PORTFILER (PORT-Level Network Traffic ProFILER), a new machine learning system applied to network traffic for detecting SPM attacks. PORTFILER extracts port-level features from the Zeek connection logs collected at a border of a monitored network, applies anomaly detection techniques to identify suspicious events, and ranks the alerts across ports for investigation by the Security Operations Center (SOC). We propose a novel ensemble methodology for aggregating individual models in PORTFILER that increases resilience against several evasion strategies compared to standard ML baselines. We extensively evaluate PORTFILER on traffic collected from two university networks, and show that it can detect SPM attacks with different patterns, such as WannaCry and Mirai, and performs well under evasion. Ranking across ports achieves precision over 0.94 with low false positive rates in the top ranked alerts. When deployed on the university networks, PORTFILER detected anomalous SPM-like activity on one of the campus networks, confirmed by the university SOC as malicious. PORTFILER also detected a Mirai attack recreated on the two university networks with higher precision and recall than deep-learning-based autoencoder methods.
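The pipeline shape described in the abstract (per-port features from Zeek connection records, an anomaly score, a ranking across ports) can be sketched as follows. This is an added example, not PORTFILER's code: the four features, the 60-second window, the median/MAD score and the reduced five-column record layout (ts, id.orig_h, id.resp_h, id.resp_p, conn_state) are assumptions chosen for illustration, and the log lines are constructed.

```python
import statistics
from collections import defaultdict

FAILED = {"S0", "REJ"}  # Zeek conn_state values: no reply seen / attempt rejected
WINDOW = 60             # seconds per aggregation window (assumption)

def port_features(lines):
    """Aggregate rows into {(port, window): (conns, srcs, dsts, failed)}."""
    acc = defaultdict(lambda: {"n": 0, "fail": 0, "src": set(), "dst": set()})
    for line in lines:
        ts, orig_h, resp_h, resp_p, state = line.split("\t")
        a = acc[(int(resp_p), int(float(ts)) // WINDOW)]
        a["n"] += 1
        a["fail"] += state in FAILED
        a["src"].add(orig_h)
        a["dst"].add(resp_h)
    return {k: (a["n"], len(a["src"]), len(a["dst"]), a["fail"])
            for k, a in acc.items()}

def rank_ports(feats, train_windows):
    """Score later windows against each port's own baseline, highest first."""
    base = defaultdict(list)
    for (port, w), vec in feats.items():
        if w < train_windows:
            base[port].append(vec)
    alerts = []
    for (port, w), vec in feats.items():
        if w < train_windows or port not in base:
            continue
        score = 0.0
        for i, x in enumerate(vec):
            col = [v[i] for v in base[port]]
            med = statistics.median(col)
            mad = statistics.median(abs(c - med) for c in col)
            score = max(score, abs(x - med) / (mad + 1.0))  # +1 avoids /0
        alerts.append((score, port, w))
    return sorted(alerts, reverse=True)

def sample_lines():
    """Constructed traffic: steady 443 and 445, then a fan-out on 445."""
    rows = []
    for w in range(6):
        t = w * WINDOW
        for i in range(10):
            rows.append(f"{t + i}.0\t10.0.0.{i}\t198.51.100.{i % 3}\t443\tSF")
        for i in range(2):
            rows.append(f"{t + i}.0\t10.0.1.{i}\t198.51.100.{50 + i}\t445\tSF")
    for i in range(40):  # one host, 40 unanswered attempts in window 5
        rows.append(f"{5 * WINDOW + i}.0\t10.0.0.99\t203.0.113.{i}\t445\tS0")
    return rows
```

Calling `rank_ports(port_features(sample_lines()), 5)` treats windows 0 to 4 as the baseline and ranks window 5, placing port 445 above port 443 even though 443 carries more baseline traffic, because each port is compared only with its own history.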