A RAT Detection Method by Using Packet Entropy on Early Intrusion Stage

Masahiro ISHII, Masumi UNO, Atsuo INOMATA, Ismail ARAI, Kazutoshi FUJIKAWA

IEICE TRANSACTIONS on Communications (Japanese Edition), Vol. J101-B, No. 3, pp. 220-232
Publication Date: 2018/03/01
Online ISSN: 1881-0209
Type of Manuscript: PAPER
Keywords: RAT, intrusion detection, network security, machine learning

Full text (in Japanese): PDF (913.5 KB)

We propose a method to detect the early intrusion stage of Remote Access Trojan/tool (RAT) communications using packet entropy as a network-level feature. We trained several supervised machine learning algorithms on packet-entropy features and validated them with k-fold cross-validation. Our experimental results show that the approach detects RAT sessions with high accuracy (96.4%) and a low false positive rate (0.7%) using the Random Forest algorithm. The other classifier evaluation metrics are also better than previously reported results.
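The pipeline the abstract describes, as an added illustration rather than the paper's own code: per-packet Shannon entropy of payload bytes, a per-session feature vector built from those entropies, and k-fold cross-validation reporting accuracy and false positive rate. The feature definitions (mean, standard deviation and high-entropy fraction), the nearest-centroid classifier standing in for the paper's Random Forest, and the constructed benign/RAT traffic are all assumptions made here so the example runs offline on the standard library alone.

```python
"""Packet-entropy features for RAT session classification with k-fold
cross-validation. Added illustrative code, not the paper's implementation:
the feature definitions, the nearest-centroid classifier (a stand-in for the
paper's Random Forest) and the traffic samples are all assumptions."""
import math
import random
import statistics
from collections import Counter


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the payload's byte distribution, in bits per byte.
    0.0 for an empty or single-valued payload, at most 8.0 (uniform bytes)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def session_features(payloads):
    """Per-session feature vector (assumed definition): mean and std-dev of
    per-packet entropy and the fraction of packets above 7 bits/byte.
    Empty payloads (pure ACKs, keep-alives) carry no entropy and are skipped."""
    ents = [byte_entropy(p) for p in payloads if p]
    if not ents:
        return (0.0, 0.0, 0.0)
    return (statistics.fmean(ents), statistics.pstdev(ents),
            sum(e > 7.0 for e in ents) / len(ents))


def make_dataset(n_per_class=40, seed=7):
    """Constructed sample traffic: benign sessions carry HTTP-like text,
    RAT sessions carry encrypted-looking (uniformly random) payloads."""
    rng = random.Random(seed)
    words = [b"GET", b"/index.html", b"HTTP/1.1", b"Host:", b"example.test",
             b"Accept:", b"text/html", b"User-Agent:", b"Mozilla/5.0", b"\r\n"]
    data = []
    for _ in range(n_per_class):
        benign = [b" ".join(rng.choices(words, k=rng.randint(20, 60)))
                  for _ in range(rng.randint(5, 12))]
        rat = [bytes(rng.getrandbits(8) for _ in range(rng.randint(500, 1400)))
               for _ in range(rng.randint(5, 12))]
        rat.insert(0, b"")  # leading empty segment, skipped by the features
        data.append((session_features(benign), 0))
        data.append((session_features(rat), 1))
    rng.shuffle(data)
    return data


def nearest_centroid(train):
    """Minimal stand-in classifier: predict the class whose training-set
    centroid is closest (Euclidean distance) to the feature vector."""
    cents = {}
    for label in (0, 1):
        rows = [f for f, y in train if y == label]
        cents[label] = tuple(statistics.fmean(col) for col in zip(*rows))

    def predict(f):
        return min(cents, key=lambda y: math.dist(f, cents[y]))
    return predict


def kfold_evaluate(data, k=5):
    """k-fold cross-validation; returns (accuracy, false_positive_rate)
    pooled over all folds, with class 1 (RAT) as the positive class."""
    folds = [data[i::k] for i in range(k)]
    tp = tn = fp = fn = 0
    for i in range(k):
        test = folds[i]
        train = [row for j in range(k) if j != i for row in folds[j]]
        predict = nearest_centroid(train)
        for f, y in test:
            p = predict(f)
            tp += p == 1 and y == 1
            tn += p == 0 and y == 0
            fp += p == 1 and y == 0
            fn += p == 0 and y == 1
    accuracy = (tp + tn) / (tp + tn + fp + fn)
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return accuracy, fpr


if __name__ == "__main__":
    acc, fpr = kfold_evaluate(make_dataset())
    print(f"accuracy={acc:.3f} false_positive_rate={fpr:.3f}")
```

The constructed traffic is trivially separable, so the near-perfect scores it produces say nothing about the paper's 96.4% / 0.7%, which come from its own dataset and a Random Forest. The caveat a practitioner should carry over is that legitimate TLS and compressed transfers also produce payloads near 8 bits/byte; entropy on its own therefore flags encryption rather than RAT behaviour, which is why it belongs in a feature set alongside timing, size and direction rather than as a single threshold.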