MITRE ATT&CK is a widely used ontology that specifies the tactics, techniques, and procedures (TTPs) typical of malware behaviour, making it possible to exploit such TTPs for malware identification. However, this is far from an easy task, since benign use of software can also match some of these TTPs. In this paper, we present RADAR, a system that identifies malicious behaviour in network traffic in two stages: first, RADAR extracts MITRE ATT&CK TTPs from arbitrary network traffic captures, and, second, it deploys decision trees to differentiate between malicious and benign uses of the detected TTPs. In order to evaluate RADAR, we created a dataset comprising 2,286,907 malicious and benign samples, for a total of 84,792,452 network flows. The experimental analysis confirms that RADAR is able to $(i)$ match samples to multiple different TTPs, and $(ii)$ effectively detect malware with an AUC score of 0.868. Besides being effective, RADAR is also highly configurable, interpretable, privacy preserving, and efficient, and it can be easily integrated with existing security infrastructure to complement its capabilities.