Detecting abuse of cloud and public legitimate services as command and control infrastructure using machine learning
Date
2024
Publisher
Cardiff University
Abstract
The widespread adoption of Cloud and Public Legitimate Services (CPLS) has inadvertently created new opportunities for cybercriminals to establish hidden and robust command-and-control (C&C) communication infrastructure. This abuse represents a major cybersecurity risk, as it allows malicious traffic to disguise itself seamlessly within normal network activity. Traditional detection systems are proving inadequate at accurately identifying such abuse. This thesis is therefore motivated by the urgent need for more advanced detection techniques capable of identifying C&C activity hidden within legitimate CPLS traffic.
To assess the extent of the cyber threat posed by CPLS abuse, this thesis presents an extensive Systematic Literature Review (SLR) encompassing academic and industry literature. The review provides a comprehensive categorization of the attack techniques used to abuse CPLS as C&C infrastructure. The open problems uncovered through the SLR motivate this thesis to propose a novel Detection System (DS) capable of identifying malware that abuses CPLS as a C&C communication channel. Furthermore, to evaluate the system's robustness against attempts to evade detection, this thesis introduces the Replace Misclassified Parameter (RMCP) adversarial attack. The proposed detection system leverages Artificial Intelligence (AI) techniques, combining static and dynamic malware analysis methods to accurately identify CPLS abuse. The effectiveness of the proposed system is validated through extensive experiments, demonstrating its ability to detect novel and sophisticated attacks that evade traditional security measures. The outcomes of this thesis have significant implications for enhancing the security of cloud environments, contributing valuable knowledge and practical solutions to the field of cloud security.
Keywords
Cloud computing, Accuracy, Machine learning algorithms, Computer viruses, Heuristic algorithms, Machine learning, Telecommunication traffic, Feature extraction, Robustness, Resilience, Cloud computing security, Command and control, Malware detection, Dynamic analysis, Adversarial machine learning attack