TY - JOUR
T1 - Anteater
T2 - Advanced Persistent Threat Detection With Program Network Traffic Behavior
AU - Zhang, Yangzong
AU - Liu, Wenjian
AU - Kuok, Kaiian
AU - Cheong, Ngai
N1 - Publisher Copyright:
© 2013 IEEE.
PY - 2024
Y1 - 2024
N2 - Recent stealth attacks cleverly disguise malicious activities, masquerading as ordinary connections to popular online services through seemingly innocuous applications. These methods often evade detection by traditional network monitoring or signature-based techniques, as attackers frequently hide Command and Control (C&C) servers within well-known cloud service providers, making the traffic anomalies appear normal. In this paper, we introduce an application-level monitoring system, Anteater. Anteater constructs a detailed profile for each legitimate software's network traffic behavior, outlining the expected traffic patterns. By scrutinizing a program's network traffic configuration, Anteater efficiently pinpoints and intercepts the IP addresses associated with abnormal program access. Implemented in a real-world enterprise environment, Anteater was tested on a dataset containing over 400 million real-world network traffic sessions. The evaluation results demonstrate that Anteater achieves a high detection rate for malware injections, boasting a true positive rate of 94.5% and a false positive rate of less than 0.1%.
AB - Recent stealth attacks cleverly disguise malicious activities, masquerading as ordinary connections to popular online services through seemingly innocuous applications. These methods often evade detection by traditional network monitoring or signature-based techniques, as attackers frequently hide Command and Control (C&C) servers within well-known cloud service providers, making the traffic anomalies appear normal. In this paper, we introduce an application-level monitoring system, Anteater. Anteater constructs a detailed profile for each legitimate software's network traffic behavior, outlining the expected traffic patterns. By scrutinizing a program's network traffic configuration, Anteater efficiently pinpoints and intercepts the IP addresses associated with abnormal program access. Implemented in a real-world enterprise environment, Anteater was tested on a dataset containing over 400 million real-world network traffic sessions. The evaluation results demonstrate that Anteater achieves a high detection rate for malware injections, boasting a true positive rate of 94.5% and a false positive rate of less than 0.1%.
KW - Anteater
KW - Malware injection detection
KW - advanced persistent threat
KW - network security
KW - program traffic behavior
UR - http://www.scopus.com/inward/record.url?scp=85182380287&partnerID=8YFLogxK
U2 - 10.1109/ACCESS.2024.3349943
DO - 10.1109/ACCESS.2024.3349943
M3 - Article
AN - SCOPUS:85182380287
SN - 2169-3536
VL - 12
SP - 8536
EP - 8551
JO - IEEE Access
JF - IEEE Access
ER -