Almuthanna Alageel

Ph.D. Student in Computing

Almuthanna A. Alageel is a Ph.D. student in Cybersecurity at Imperial College London. He received his MSc degree in Computer Science from the University of Colorado, Denver, USA. Before that, he obtained his BSc in Computer Engineering from King Saud University, Riyadh, KSA. He joined the KACST Computer Research Institute (CRI) Security Group in 2009, was then affiliated with The National Center for Artificial Intelligence (NCAI) from 2015, and has been with The National Center for Cybersecurity (C4C) since 2016.

EarlyCrow: Detecting APT Malware Command and Control over HTTP(S) Using Contextual Summaries

Lightning Talk

Advanced Persistent Threats; Command and Control Domains; Machine Learning

Advanced Persistent Threats (APTs) are among the most sophisticated threats facing critical organizations worldwide. APTs employ specific tactics, techniques, and procedures (TTPs) that make them difficult to detect in comparison to frequent and aggressive attacks. In fact, current network intrusion detection systems struggle to detect APT communications, allowing such threats to persist unnoticed on victims' machines for months or even years.
In this talk, we present EARLYCROW, an approach to detect APT malware command and control over HTTP(S) using contextual summaries. The design of EARLYCROW is informed by a novel threat model focused on TTPs present in traffic generated by tools recently used as part of APT campaigns. The threat model highlights the importance of the context around the malicious connections, and suggests traffic attributes which help APT detection. EARLYCROW defines a novel multipurpose network flow format called PAIRFLOW, which is leveraged to build the contextual summary of a PCAP capture, representing key behavioral, statistical and protocol information relevant to APT TTPs. We evaluate the effectiveness of EARLYCROW on unseen APTs obtaining a headline macro average F1-score of 93.02% with FPR of 0.74%.