An Exploit Traffic Detection Method Based on Reverse Shell

Abstract

Vulnerability exploitation is one of the most critical links in the network kill chain and among the most common attack vectors for taking control of a system, which endangers legitimate users. An effective method for detecting exploit traffic is therefore urgently needed. However, most current methods are based on pattern matching and are ineffective against encrypted traffic. To address this problem, we propose ETDetector, a reverse shell-based exploit traffic detection method. Our key insight is that a reverse shell, one of the most common exploit behaviours, usually coexists with the vulnerability exploitation that produced it. We first extract a fused feature from original features such as the packet delay sequence and use it as input to a decision tree model that identifies reverse shell traffic in the shellcode execution stage. We then trace suspicious traffic in the shellcode delivery stage by reconstructing the session relationship between the two stages. Compared with Blatta, which uses a recurrent neural network to detect exploit traffic early, ETDetector raises the detection rate by 50% and remains valid for encrypted exploit traffic. In addition, we propose a traffic stratification method based on a bisecting K-means algorithm, which intuitively shows the traffic communication behaviour and improves the interpretability of ETDetector.
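The abstract names the two stages of the pipeline but does not show what a delay-sequence feature or the session tracing looks like on actual flow records. The following is an added illustration written for this page, not code from Liu et al. or from the ETDetector implementation. It computes a few delay, direction and size features over constructed flow records, applies a hand-written threshold tree that stands in for the paper's trained decision tree (the feature set, the cut-points and the 300 s linking window are assumptions chosen for the sample), and then links a flagged callback flow to the inbound flow that preceded it on the same victim host, which is the delivery-stage tracing the abstract describes. The addresses are documentation ranges and the packets are constructed, not captured.

```python
# Added illustration for this page, not the ETDetector code from Liu et al.
# Feature names, thresholds and the 300 s linking window are assumptions chosen
# for the constructed sample; the paper's trained decision tree is replaced by a
# hand-written threshold tree with the same shape of decision.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class Packet:
    ts: float        # capture time in seconds
    direction: str   # "c2s": connection initiator -> responder, "s2c": the reverse
    size: int        # payload bytes (pure ACKs assumed filtered out upstream)


@dataclass
class Flow:
    flow_id: str
    src: str         # host that opened the connection
    dst: str         # host that accepted it
    dport: int
    packets: List[Packet]


def delay_features(flow: Flow) -> Dict[str, float]:
    """Fuse the packet delay sequence with direction and size into a few scalars.

    In a reverse shell the *victim* is the initiator, so the command stream (tiny
    packets, human-paced gaps) arrives s2c and the bulky output leaves c2s: the
    mirror image of an ordinary client/server flow such as a browser download.
    """
    pk = sorted(flow.packets, key=lambda p: p.ts)
    keys = ("mean_delay", "std_delay", "long_gap_frac", "turn_frac",
            "s2c_small_frac", "initiator_byte_share")
    if len(pk) < 2:
        return dict.fromkeys(keys, 0.0)
    delays = [b.ts - a.ts for a, b in zip(pk, pk[1:])]
    turns = sum(a.direction != b.direction for a, b in zip(pk, pk[1:]))
    s2c = [p for p in pk if p.direction == "s2c"]
    c2s_bytes = sum(p.size for p in pk if p.direction == "c2s")
    total = sum(p.size for p in pk)
    return {
        "mean_delay": mean(delays),
        "std_delay": pstdev(delays),
        "long_gap_frac": sum(d > 1.0 for d in delays) / len(delays),  # pauses > 1 s (typing)
        "turn_frac": turns / len(delays),                              # direction alternation
        "s2c_small_frac": sum(p.size <= 64 for p in s2c) / len(s2c) if s2c else 0.0,
        "initiator_byte_share": c2s_bytes / total if total else 0.0,
    }


def classify(f: Dict[str, float]) -> str:
    """Threshold tree standing in for the trained decision tree (illustrative cut-points)."""
    if f["s2c_small_frac"] < 0.8:        # responder is not sending tiny command lines
        return "benign"
    if f["turn_frac"] < 0.5:             # no request/response alternation
        return "benign"
    if f["long_gap_frac"] < 0.25:        # machine-paced, not an operator at a keyboard
        return "benign"
    if f["initiator_byte_share"] < 0.6:  # output is not flowing back from the initiator
        return "benign"
    return "reverse_shell"


def link_delivery(shell: Flow, flows: List[Flow], window: float = 300.0) -> List[Flow]:
    """Execution stage -> delivery stage: inbound flows to the shell's initiator (the
    victim) that ended within `window` seconds before the callback opened, the flow
    from the host the shell called back to ranked first."""
    victim, t0 = shell.src, min(p.ts for p in shell.packets)
    cands = [fl for fl in flows
             if fl is not shell and fl.dst == victim and fl.packets
             and t0 - window <= max(p.ts for p in fl.packets) <= t0]
    cands.sort(key=lambda fl: (fl.src != shell.dst, t0 - max(p.ts for p in fl.packets)))
    return cands


def analyze(flows: List[Flow]) -> Dict[str, dict]:
    """Label every flow; for each reverse shell, trace the candidate delivery flows."""
    report = {}
    for fl in flows:
        feats = delay_features(fl)
        label = classify(feats)
        linked = [c.flow_id for c in link_delivery(fl, flows)] if label == "reverse_shell" else []
        report[fl.flow_id] = {"label": label, "features": feats, "linked_delivery": linked}
    return report


def sample_flows() -> List[Flow]:
    """Constructed sample, not a real capture: an exploit request to the victim's web
    port, the victim's callback to the attacker on 4444, and unrelated browsing."""
    attacker, victim, web = "203.0.113.5", "192.0.2.10", "198.51.100.7"
    P = Packet
    return [
        Flow("f1-exploit-http", attacker, victim, 8080, [
            P(100.00, "c2s", 900),   # oversized request carrying the payload
            P(100.40, "s2c", 200),   # server reply
        ]),
        Flow("f2-callback-4444", victim, attacker, 4444, [
            P(101.20, "s2c", 3), P(101.25, "c2s", 60),      # "id\n" and its output
            P(103.80, "s2c", 9), P(103.85, "c2s", 120),     # "uname -a\n"
            P(107.90, "s2c", 16), P(107.95, "c2s", 1400),   # "cat /etc/passwd\n"
            P(108.00, "c2s", 900),                          # rest of that output
            P(111.00, "s2c", 3), P(111.05, "c2s", 240),     # "ls\n"
        ]),
        Flow("f3-browse-443", "192.0.2.20", web, 443, [
            P(200.00, "c2s", 300), P(200.02, "s2c", 1400), P(200.03, "s2c", 1400),
            P(200.04, "s2c", 1400), P(200.05, "s2c", 600), P(200.30, "c2s", 280),
            P(200.32, "s2c", 1400), P(200.33, "s2c", 1400), P(200.34, "s2c", 300),
        ]),
    ]


SAMPLE_FLOWS = sample_flows()

if __name__ == "__main__":
    for fid, r in analyze(SAMPLE_FLOWS).items():
        print(fid, r["label"], r["linked_delivery"])
```

Running it labels only the callback flow as a reverse shell and traces it back to the earlier inbound request on port 8080, while the exploit request on its own and the browsing session stay benign. None of the features read payload bytes, which is the property that lets this kind of detector survive encryption; the trade-off is that the thresholds above were chosen by hand for the sample, whereas the paper fits them with a decision tree on labelled traffic.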

Citation (APA)

Liu, Y., Cai, R., Yin, X., & Liu, S. (2023). An Exploit Traffic Detection Method Based on Reverse Shell. Applied Sciences (Switzerland), 13(12). https://doi.org/10.3390/app13127161