With the continuous evolution of cyberattack techniques, Advanced Persistent Threats (APTs) establish covert Command and Control (C2) channels for long-term infiltration, posing severe security risks. Existing C2 detection methods heavily depend on metadata from the encryption handshake stage, rendering them vulnerable to evasion techniques such as mimicking legitimate TLS fingerprints or randomizing handshake parameters. Additionally, these methods are susceptible to network noise and lack cross-protocol generalization. To address these challenges, we propose C2Detector, an interaction-enhanced and semantic-aware detection method. By shifting the focus from potentially unreliable handshake metadata to the semantics of the data transmission stage, C2Detector reconstructs network sessions into protocol-independent interaction-state transition sequences. This approach eliminates underlying noise and captures high-level interaction semantics. A spatio-temporal neural network is then employed to learn complex behavioral patterns from these sequences. In complex mixed-traffic environments, C2Detector achieves an F1-score of 0.989. Importantly, in a zero-shot generalization test, the model trained exclusively on TCP traffic successfully identified unseen DNS and ICMP C2 channels, achieving F1-scores of 0.931 and 0.826, respectively. These results suggest the method’s potential advantages in both accuracy and generalization.
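To make the idea of a protocol-independent interaction-state sequence concrete, the following is an added illustration (not code from the paper, and not the authors' state alphabet): it reduces a session to (direction, payload size, time) events, which can be derived from TCP, DNS or ICMP alike, maps them to an assumed small state alphabet, collapses fragmentation noise, and measures how regular the idle gaps are. The sample session is constructed.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Event:
    ts: float      # seconds since session start
    client: bool   # True if sent by the monitored (internal) host
    size: int      # application payload bytes; transport-agnostic

# Constructed sample: three periodic check-ins, a large tasking reply, then an upload.
BEACON = [
    Event(0.0, True, 120), Event(0.2, False, 80),
    Event(60.1, True, 120), Event(60.3, False, 80),
    Event(120.0, True, 120), Event(120.4, False, 4096),
    Event(120.5, False, 4096), Event(121.0, True, 2048),
]

def to_states(events, small=256, idle_gap=5.0):
    """Map raw events to an interaction-state sequence.
    Assumed alphabet: {C,S} x {SMALL,LARGE} plus IDLE for a gap >= idle_gap.
    Consecutive identical states are collapsed, so packet fragmentation
    or retransmission does not alter the sequence."""
    seq, prev_ts = [], None
    for e in events:
        if prev_ts is not None and e.ts - prev_ts >= idle_gap:
            seq.append("IDLE")
        state = ("C" if e.client else "S") + ("_SMALL" if e.size <= small else "_LARGE")
        if not seq or seq[-1] != state:
            seq.append(state)
        prev_ts = e.ts
    return seq

def transitions(seq):
    """State-transition pairs; the unit a sequence model would consume."""
    return list(zip(seq, seq[1:]))

def idle_regularity(events, idle_gap=5.0):
    """Coefficient of variation of the long gaps; a low value means the
    quiet periods are very regular, a pattern worth flagging for review."""
    gaps = [b.ts - a.ts for a, b in zip(events, events[1:]) if b.ts - a.ts >= idle_gap]
    if len(gaps) < 2:
        return None
    return pstdev(gaps) / mean(gaps)

if __name__ == "__main__":
    s = to_states(BEACON)
    print(s, transitions(s), idle_regularity(BEACON))
```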
