Publication Details
Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study
DoH detection, malware detection, computer communication analysis, packet
classification
This paper presents a novel approach for detecting the FluBot malware, an
advanced Android banking Trojan that has been observed in active attacks in 2021
and 2022. The proposed method uses a two-layer detection mechanism to identify
FluBot network connections. In the first layer, a machine learning algorithm is
used to detect DNS-over-HTTPS (DoH) within Netflow records. The second layer uses
a modified version of an existing domain generation algorithm (DGA) detection
algorithm to target the DoH connections associated with the FluBot malware
specifically. To evaluate the effectiveness of this approach, we used a dataset
consisting of FluBot network traffic captured in a controlled sandbox
environment. The preliminary results show that our DoH classifier achieves high
accuracy and detection rates in identifying instances of FluBot malware, while
maintaining a low false positive rate.
@inproceedings{BUT184570,
author="Roman {Rader} and Kamil {Jeřábek} and Ondřej {Ryšavý}",
title="Detecting DoH-Based Data Exfiltration: FluBot Malware Case Study",
booktitle="IEEE 48th Conference on Local Computer Networks (LCN)",
year="2023",
pages="50--54",
publisher="IEEE Computer Society",
address="Daytona Beach",
doi="10.1109/LCN58197.2023.10223341",
isbn="979-8-3503-0074-1",
url="https://www.fit.vut.cz/research/publication/13007/"
}