Publication result detail

Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study

RADER, R.; JEŘÁBEK, K.; RYŠAVÝ, O.

Original Title

Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study

English Title

Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study

Type

Paper in proceedings outside WoS and Scopus

Original Abstract

This paper presents a novel approach for detecting the FluBot malware, an advanced Android banking Trojan that has been observed in active attacks in 2021 and 2022. The proposed method uses a two-layer detection mechanism to identify FluBot network connections. In the first layer, a machine learning algorithm is used to detect DNS-over-HTTPS (DoH) within NetFlow records. The second layer uses a modified version of an existing domain generation algorithm (DGA) detection algorithm to target the DoH connections associated with the FluBot malware specifically. To evaluate the effectiveness of this approach, we used a dataset consisting of FluBot network traffic captured in a controlled sandbox environment. The preliminary results show that our DoH classifier achieves high accuracy and detection rates in identifying instances of FluBot malware, while maintaining a low false positive rate.
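The abstract describes the shape of the pipeline but not its features or thresholds. The following is an added toy illustration of that two-layer shape, written for this page and not the authors' code: layer 1 stands in for the flow-level DoH classifier with a hand-written decision rule over NetFlow-style fields, and layer 2 adapts the usual DGA signal (bursts of many lookups per host) to DoH, where query names are encrypted, by counting DoH exchanges per source per time window and checking that their sizes are near-uniform. The flow records, field names, ranges and thresholds are all assumptions constructed for the example; a real deployment would replace the rule with a model trained on labelled flows.

```python
"""Toy two-layer pipeline: (1) pick DoH-looking flows out of NetFlow-style
records, (2) flag hosts whose DoH traffic shows DGA-like burst behaviour.
Everything here (fields, ranges, thresholds, sample data) is an illustrative
assumption for this example, not the paper's method."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start time, seconds (constructed)
    src: str
    dst: str
    dport: int
    proto: str       # "TCP" or "UDP"
    pkts: int
    bytes: int
    duration: float  # seconds


def is_doh_flow(f: Flow) -> bool:
    """Layer 1 stand-in for the ML classifier: a hand-written decision rule.
    DoH rides TLS on 443 and shows up as many small, short-lived exchanges;
    the numeric ranges are assumed, a trained model would learn them."""
    if f.proto != "TCP" or f.dport != 443 or f.pkts == 0:
        return False
    avg_pkt = f.bytes / f.pkts
    return 4 <= f.pkts <= 20 and 60 <= avg_pkt <= 400 and f.duration <= 2.0


def dga_like_hosts(flows, window=60.0, min_queries=20, max_size_cv=0.25):
    """Layer 2: plain-DNS DGA detectors count bursts of distinct lookups and
    NXDOMAIN replies. Over DoH the names are hidden, so this assumed
    adaptation buckets DoH flows per source into fixed windows and flags a
    window with many exchanges whose byte sizes are near-uniform
    (cv = pstdev/mean), as a beaconing DGA client tends to produce.
    Returns {src: [window_start_seconds, ...]} for flagged sources."""
    by_src = defaultdict(list)
    for f in flows:
        if is_doh_flow(f):
            by_src[f.src].append(f)

    hits = {}
    for src, fl in by_src.items():
        buckets = defaultdict(list)
        for f in fl:
            buckets[int(f.ts // window)].append(f.bytes)
        for b, sizes in sorted(buckets.items()):
            if len(sizes) < min_queries:
                continue
            cv = statistics.pstdev(sizes) / statistics.mean(sizes)
            if cv <= max_size_cv:
                hits.setdefault(src, []).append(b * window)
    return hits


def build_sample_flows():
    """Constructed NetFlow-style records: one host doing 30 near-identical
    DoH exchanges inside a minute, one benign host doing a few DoH lookups,
    a large HTTPS download and a classic UDP/53 query."""
    flows = []
    for i in range(30):  # assumed infected host, beacon-like DoH burst
        flows.append(Flow(ts=1.0 + i * 1.5, src="10.0.0.7", dst="1.1.1.1",
                          dport=443, proto="TCP", pkts=8,
                          bytes=900 + (i % 5) * 10, duration=0.3))
    for i in range(5):   # benign host, sparse DoH with varied sizes
        flows.append(Flow(ts=10.0 + i * 10, src="10.0.0.5", dst="8.8.8.8",
                          dport=443, proto="TCP", pkts=10,
                          bytes=1500 + i * 200, duration=0.8))
    flows.append(Flow(ts=5.0, src="10.0.0.5", dst="93.184.216.34", dport=443,
                      proto="TCP", pkts=400, bytes=480000, duration=12.0))
    flows.append(Flow(ts=6.0, src="10.0.0.5", dst="9.9.9.9", dport=53,
                      proto="UDP", pkts=2, bytes=180, duration=0.01))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("DoH flows:", sum(is_doh_flow(f) for f in sample))
    print("flagged:", dga_like_hosts(sample))
```

On the constructed sample, layer 1 passes the 35 small TLS/443 flows and rejects the bulk download and the plaintext DNS query; layer 2 then flags only 10.0.0.7, because the benign host's five lookups never reach the per-window count. The point of the two stages is that the DGA-style check never sees non-DoH traffic, which is where the low false-positive rate claimed in the abstract has to come from; in practice the count and size thresholds would be tuned against captured sandbox traffic like the dataset the paper describes.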

Keywords

DoH detection, malware detection, computer communication analysis, packet classification

Authors

RADER, R.; JEŘÁBEK, K.; RYŠAVÝ, O.

RIV year

2024

Released

12.05.2023

Publisher

IEEE Computer Society

Location

Daytona Beach

ISBN

979-8-3503-0074-1

Book

IEEE 48th Conference on Local Computer Networks (LCN)

Pages from

50

Pages to

54

Pages count

4

URL

Full text in the Digital Library

BibTex

@inproceedings{BUT184570,
  author="Roman {Rader} and Kamil {Jeřábek} and Ondřej {Ryšavý}",
  title="Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study",
  booktitle="IEEE 48th Conference on Local Computer Networks (LCN)",
  year="2023",
  pages="50--54",
  publisher="IEEE Computer Society",
  address="Daytona Beach",
  doi="10.1109/LCN58197.2023.10223341",
  isbn="979-8-3503-0074-1",
  url="https://www.fit.vut.cz/research/publication/13007/"
}

Documents

Responsibility: Ing. Marek Strakoš