Bibliographic Details
Main Authors: Wang, Cheng, Kakkar, Akshay, Redino, Christopher, Rahman, Abdul, S, Ajinsyam, Clark, Ryan, Radke, Daniel, Cody, Tyler, Huang, Lanxiao, Bowen, Edward
Format: Preprint
Published: 2024
Online Access: https://arxiv.org/abs/2401.07154
Abstract: Command and control (C2) paths for issuing commands to malware are sometimes the only indicators of its existence within networks. Identifying potential C2 channels is often a manually driven process that involves a deep understanding of cyber tradecraft. Improving the discovery of these channels with a reinforcement learning (RL) based approach, which learns to automatically carry out C2 attack campaigns on large networks where multiple defense layers are in place, drives efficiency for network operators. In this paper, we model C2 traffic flow as a three-stage process and formulate it as a Markov decision process (MDP) with the objective of maximizing the number of valuable hosts whose data is exfiltrated. The approach also specifically models the payload and defense mechanisms such as firewalls, which is a novel contribution. The attack paths learned by the RL agent can in turn help the blue team identify high-priority vulnerabilities and develop improved defense strategies. The method is evaluated on a large network with more than a thousand hosts, and the results demonstrate that the agent can effectively learn attack paths while avoiding firewalls.
Institution: arXiv
Title: Discovering Command and Control Channels Using Reinforcement Learning
Subjects: Cryptography and Security; Machine Learning