Title :
Scalable command and control detection in log data through UF-ICF analysis
Author :
Kai-Fong Hong;Chien-Chih Chen;Yu-Ting Chiu;Kuo-Sen Chou
Author_Institution :
I. & C. Security Lab, Chunghwa Telecom Laboratories, Chung-Li, Taiwan 32601, R.O.C.
Abstract :
During an advanced persistent threat (APT), an attacker group usually establishes more than one C&C server, and these C&C servers change their domain names and corresponding IP addresses over time to evade anti-virus software and intrusion prevention systems. For this reason, discovering and catching C&C sites has become a major challenge in information security. Based on our observations and deductions, malware tends to contain a fixed user agent string, and the connection behaviors generated by malware differ from those generated by a benign service or a normal user. This paper proposes a new method comprising filtering and clustering steps to detect C&C servers with a relatively higher coverage rate. The experiments revealed that the proposed method can successfully detect C&C servers and can provide an important clue for detecting APTs.
Keywords :
Decision support systems;Frequency modulation
Conference_Title :
Security Technology (ICCST), 2015 International Carnahan Conference on
Print_ISBN :
978-1-4799-8690-3
Electronic_ISBN :
2153-0742
DOI :
10.1109/CCST.2015.7389699