
Remote Access Trojan (RAT) attacks have become a prevalent and serious threat to enterprise security. A forensic system targeting RAT attacks is needed to record and reconstruct fine-grained semantic behaviors of RATs. However, existing forensic systems suffer from various issues such as intrusive instrumentation, nontrivial recording overhead, and RAT behavior blindness.

In this paper, we first conduct a large-scale study of a representative set of real-world RAT families active from 1999 to 2016. This is the first study in the literature to understand the landscape of RATs. Based on the study, we then propose RATScope, an instrumentation-free RAT forensic system targeting the Windows platform. Specifically, RATScope offers an audit logging module that efficiently records system logs by leveraging Event Tracing for Windows (ETW), and provides a novel program behavior modeling technique to accurately reconstruct the semantic behaviors of RATs.

We implemented a prototype of RATScope and evaluated its recording overhead and behavior identification accuracy. The results show that the audit logging module incurred only 3.7% runtime overhead on average. Our system achieves around a 90% true positive rate in the cross-family experiment, around an 80% true positive rate in the temporal experiment spanning two years, and a near-zero false positive rate.

Remote Access Trojan (RAT) is one of the most serious security threats that organizations face today. At present, the two major RAT detection approaches are host-based and network-based detection. To complement one another's strengths, this article proposes a phased RAT detection method that combines double-side (host-side and network-side) features, PRATD.
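Neither abstract gives enough of its method to reproduce it, so the following is an added illustration written for this page, not code from RATScope or PRATD. It shows the two ideas the abstracts share: network-side flow features (beacon regularity, upload-heavy traffic) shortlist a process, and host-side events in an ETW-like schema are then stitched into semantic behaviors such as persistence, a relayed remote shell and file exfiltration. The event field names, the detection thresholds, the rules and the sample telemetry are all constructed assumptions.

```python
"""Phased RAT detection over constructed host and network telemetry.

Added example, not RATScope's or PRATD's code. The event schema below is an
assumption shaped after what the ETW kernel providers (Kernel-Process,
Kernel-Network, Kernel-File, Kernel-Registry) expose; the thresholds and
rules are illustrative, not the papers' models.
"""
from statistics import mean, pstdev

# Constructed host events: (timestamp_s, event, pid, details). Sample data only.
HOST_EVENTS = [
    (0.0, "PROCESS_START", 4100, {"ppid": 1200, "image": r"C:\Users\a\AppData\Roaming\svchost.exe"}),
    (0.5, "REG_SET", 4100, {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"}),
    (1.0, "TCP_CONNECT", 4100, {"daddr": "203.0.113.7", "dport": 443}),
    (12.0, "PROCESS_START", 4188, {"ppid": 4100, "image": r"C:\Windows\System32\cmd.exe"}),
    (12.4, "TCP_SEND", 4100, {"bytes": 2200}),
    (30.0, "FILE_READ", 4100, {"path": r"C:\Users\a\Documents\payroll.xlsx", "bytes": 48000}),
    (31.0, "TCP_SEND", 4100, {"bytes": 52000}),
    # Benign browser: outbound TLS, but no persistence, shell or exfiltration pattern.
    (2.0, "PROCESS_START", 5000, {"ppid": 1200, "image": r"C:\Program Files\Browser\browser.exe"}),
    (2.5, "TCP_CONNECT", 5000, {"daddr": "198.51.100.9", "dport": 443}),
    (3.0, "TCP_SEND", 5000, {"bytes": 900}),
]

# Constructed per-process flow summaries: connect timestamps and byte counts.
NET_FLOWS = {
    4100: {"beacons": [1.0, 61.0, 121.0, 181.0, 241.0], "up": 54200, "down": 1800},
    5000: {"beacons": [2.5, 9.1, 40.0, 41.2, 95.0], "up": 900, "down": 410000},
}

RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
SHELLS = ("cmd.exe", "powershell.exe")


def network_suspects(flows, max_jitter=0.1, min_up_ratio=0.8):
    """Phase 1 (network side): shortlist processes whose flows look RAT-like.

    Two assumed features: beacon intervals with a coefficient of variation
    below max_jitter (machine-regular check-ins), or an upload share above
    min_up_ratio (a client that mostly sends is unusual for browsing)."""
    suspects = set()
    for pid, f in flows.items():
        gaps = [b - a for a, b in zip(f["beacons"], f["beacons"][1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 1.0
        up_ratio = f["up"] / max(f["up"] + f["down"], 1)
        if cv < max_jitter or up_ratio > min_up_ratio:
            suspects.add(pid)
    return suspects


def host_behaviours(events, pid, relay_window=5.0):
    """Phase 2 (host side): stitch one process's raw events into semantic
    behaviours. A process with no outbound connection is never a RAT here."""
    mine = sorted((e for e in events if e[2] == pid or e[3].get("ppid") == pid),
                  key=lambda e: e[0])
    if not any(k == "TCP_CONNECT" and p == pid for _, k, p, _ in mine):
        return []
    found = []
    for ts, kind, epid, d in mine:
        if kind == "REG_SET" and epid == pid and any(k in d["key"] for k in RUN_KEYS):
            found.append("persistence:run_key")
        elif kind == "PROCESS_START" and d.get("ppid") == pid and d["image"].lower().endswith(SHELLS):
            # Child shell whose parent writes to the C2 socket right after: relayed shell.
            relayed = any(k == "TCP_SEND" and p == pid and ts <= t <= ts + relay_window
                          for t, k, p, _ in mine)
            found.append("remote_shell:relayed" if relayed else "remote_shell:spawned")
        elif kind == "FILE_READ" and epid == pid and "\\Users\\" in d["path"]:
            # User document read, then at least as many bytes sent out: exfiltration.
            sent = sum(dd["bytes"] for t, k, p, dd in mine
                       if k == "TCP_SEND" and p == pid and ts < t <= ts + relay_window)
            if sent >= d["bytes"]:
                found.append("exfiltration:" + d["path"].rsplit("\\", 1)[-1])
    return found


def phased_detect(events, flows):
    """Flag a process only when the network phase shortlists it and the host
    phase reconstructs at least one RAT behaviour for it."""
    verdicts = {}
    for pid in sorted(network_suspects(flows)):
        behaviours = host_behaviours(events, pid)
        if behaviours:
            verdicts[pid] = behaviours
    return verdicts


if __name__ == "__main__":
    for pid, behaviours in phased_detect(HOST_EVENTS, NET_FLOWS).items():
        print(pid, behaviours)
```

The ordering matters for false positives: the browser also connects out on 443 and sends data, but its irregular connection timing and download-heavy profile keep it out of the phase 1 shortlist, and even if it were shortlisted, phase 2 finds no persistence, shell or exfiltration chain for it. Real ETW traces carry far more event types and noise than this schema, and the relay window and thresholds would need tuning against benign baselines.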
