We present DECANTeR, a system to detect anomalous outbound HTTP communication, which passively extracts fingerprints for each application running on a monitored host. The goal of our system is to detect unknown malware and backdoor communication, indicated by unknown fingerprints extracted from a host's network traffic. We evaluate a prototype with realistic data from an international organization and with datasets composed of malicious traffic. We show that our system achieves a false positive rate of 0.9% for 441 monitored host machines and an average detection rate of 97.7%, and that it cannot be evaded by malware using simple evasion techniques such as known browser user agent values. We compare our solution to the current state-of-the-art IDS, which detects HTTP covert communication channels by focusing on benign HTTP traffic. The results show that our approach outperforms its competitor in terms of detection rate, false positive rate, and even evasion resistance. Finally, DECANTeR detects 96.8% of the information stealers in our dataset, which shows its potential to detect data exfiltration.
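The following is an added illustration of the detection idea described above, not DECANTeR's own code: the fingerprint features chosen here (ordered header names plus the User-Agent value) and the sample requests are assumptions constructed for the example. It learns a baseline of fingerprints from known applications and shows that a request reusing a known browser User-Agent but carrying a different header set is still reported as unknown.

```python
"""Fingerprint-based detection of unknown HTTP clients (constructed example).

The fingerprint definition (ordered header names + User-Agent) is an
assumption for illustration; it is not the feature set used by DECANTeR.
"""
from typing import List, Set, Tuple

Fingerprint = Tuple[Tuple[str, ...], str]


def parse_request(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into its request line and header pairs."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def fingerprint(raw: str) -> Fingerprint:
    """The client's 'shape': which headers it sends, in what order, and its User-Agent."""
    _, headers = parse_request(raw)
    names = tuple(name for name, _ in headers)
    user_agent = next((v for n, v in headers if n == "user-agent"), "")
    return names, user_agent


def learn(baseline: List[str]) -> Set[Fingerprint]:
    """Training phase: collect the fingerprints of the applications seen on the host."""
    return {fingerprint(r) for r in baseline}


def detect(known: Set[Fingerprint], requests: List[str]) -> List[int]:
    """Detection phase: indexes of requests whose fingerprint was never seen in training."""
    return [i for i, r in enumerate(requests) if fingerprint(r) not in known]


# Constructed sample traffic (hypothetical hosts, not captured data).
BROWSER = ("GET / HTTP/1.1\r\nHost: www.example.org\r\n"
           "User-Agent: Mozilla/5.0 (X11; Linux) Firefox/60.0\r\n"
           "Accept: text/html\r\nAccept-Language: en-US\r\nConnection: keep-alive\r\n")
UPDATER = ("GET /check HTTP/1.1\r\nHost: updates.example.org\r\n"
           "User-Agent: ExampleUpdater/2.1\r\nAccept: */*\r\n")
# Unknown client that copies the browser's User-Agent but has its own header set and order.
SPOOFED = ("POST /upload HTTP/1.1\r\nHost: unknown.example.net\r\n"
           "Content-Type: application/octet-stream\r\n"
           "User-Agent: Mozilla/5.0 (X11; Linux) Firefox/60.0\r\n")

KNOWN = learn([BROWSER, UPDATER])
```

Running `detect(KNOWN, [BROWSER, UPDATER, SPOOFED])` reports only the third request, even though its User-Agent matches the browser's, because the rest of its header structure does not match any learned application.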
Riccardo Bortolameotti received his bachelor’s degree in Computer Science at the University of Trento (2012), and his master’s degree at the University of Twente and at the University of Trento (2014) under the EIT Digital Master Programme, with a specialization in Security and Privacy. Currently, he is a PhD student at the University of Twente.
In his research he develops technical solutions for the prevention and mitigation of data breaches. His main research interests are related to network security, data analysis and secure protocol engineering. During his PhD studies he has published two works at ACSAC (ACM), related to the determination of data leakage after a data breach and to the detection of data exfiltration.