StealthyFlow: A Framework for Malware Dynamic Traffic Camouflaging in Adversarial Environment
Cite this article: HAN Yu, FANG Bin-Xing, CUI Xiang, WANG Zhong-Ru, JI Tian-Tian, FENG Lin, YU Wei-Qiang. StealthyFlow: A Framework for Malware Dynamic Traffic Camouflaging in Adversarial Environment [J]. Chinese Journal of Computers, 2021, 44(5): 948-962. DOI: 10.11897/SP.J.1016.2021.00948
Authors: HAN Yu, FANG Bin-Xing, CUI Xiang, WANG Zhong-Ru, JI Tian-Tian, FENG Lin, YU Wei-Qiang
Affiliations: Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006; Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Chinese Academy of Cyberspace Studies, Beijing 100010; Beijing DigApis Technology Co., Ltd, Beijing 100081
Funding: Key-Area Research and Development Program of Guangdong Province (2019B010137004, 2019B010136003); National Key Research and Development Program of China (2018YFB0803504, 2019YFA0706404).
Abstract: Malware poses a serious threat to national security. With the rapid adoption of the TLS protocol, malware traffic is increasingly encrypted, and encrypted communication content makes detection even harder. This paper proposes StealthyFlow, a malware traffic camouflaging framework that combines a GAN with public-resource-based malware that uses encrypted traffic for remote-control communication; it disguises malicious traffic without affecting the attack function, aiming to make the disguised adversarial traffic and benign traffic ...

Keywords: malware; encrypted traffic; StealthyFlow; bypass; dynamic traffic camouflaging

StealthyFlow: A Framework for Malware Dynamic Traffic Camouflaging in Adversarial Environment
HAN Yu, FANG Bin-Xing, CUI Xiang, WANG Zhong-Ru, JI Tian-Tian, FENG Lin, YU Wei-Qiang. StealthyFlow: A Framework for Malware Dynamic Traffic Camouflaging in Adversarial Environment [J]. Chinese Journal of Computers, 2021, 44(5): 948-962. DOI: 10.11897/SP.J.1016.2021.00948
Authors: HAN Yu, FANG Bin-Xing, CUI Xiang, WANG Zhong-Ru, JI Tian-Tian, FENG Lin, YU Wei-Qiang
Affiliation: (Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education, Beijing University of Posts and Telecommunications, Beijing 100876; Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006; Chinese Academy of Cyberspace Studies, Beijing 100010; Beijing DigApis Technology Co., Ltd, Beijing 100081)
Abstract: Malware emerges endlessly, which not only causes economic losses to enterprises and individuals, but also poses serious threats to national security. During the Gulf War in 1991, the United States publicly used malware attack technology to obtain major military benefits for the first time. Since then, malware attacks have become one of the most important intrusion methods for information and network warfare. In recent years, malware based on legitimate services has spread. The traffic of this kind of malware is mixed with the traffic of legitimate services and is not easy to detect. At the same time, the use of TLS poses new challenges to traffic detection, because the content can no longer be analyzed due to encryption. The combination of public resources and encrypted traffic means that "the traffic generated by malware flows to normal websites, and its communication content is based on encrypted protocols and cannot be checked", which further increases the difficulty of detection. In order to ensure the security of network communication, researchers have conducted in-depth explorations of the detection of encrypted traffic. Due to their advantage in discovering unknown attacks, machine learning algorithms have become the mainstream detection method, but there is a risk of failure when malicious traffic and benign traffic are indistinguishable in the features that machine learning systems focus on. In order to study the possibility of confronting machine-learning-based traffic detection systems, we propose a dynamic traffic camouflaging framework named StealthyFlow. StealthyFlow combines Generative Adversarial Networks with malware that uses legitimate services for backdoor command and control, to realize traffic camouflaging without affecting the attack function. It consists of two modules, a GAN module and a malicious code module, which are responsible for feature generation and traffic generation respectively. It aims to make the disguised traffic indistinguishable from benign traffic and thereby bypass classifiers based on machine learning algorithms. StealthyFlow has the following advantages. First, it can dynamically adjust the traffic flow according to changes in the target flow, which means dynamic flow camouflaging. Second, it makes changes at the malware level instead of directly modifying the flow, which ensures that the attack function is not destroyed. Third, the target being bypassed does not participate in the training process, ensuring that the malware is not exposed. Experimental results show that the traffic generated by StealthyFlow is very similar to benign traffic and can bypass machine-learning-based classifiers in an adversarial environment. The result questions the robustness of encrypted traffic detection methods based on machine learning algorithms. Finally, from the perspective of the attacker, new malware based on StealthyFlow will bring new security threats to defense work. This not only requires the attention of security researchers, but also requires a lot of effort in the future to establish an anti-encrypted-malware defense system as soon as possible.
Keywords: malware; encrypted traffic; StealthyFlow; adversarial; dynamic traffic camouflaging
This article is indexed in Weipu (VIP) and Wanfang Data, among other databases.