Command and Control (C2) communications are a persistent and stealthy component of advanced cyber threats, enabling adversaries to maintain remote access, exfiltrate sensitive data, and orchestrate lateral movement within target networks. This study presents a hybrid, flow-based machine learning framework for the intelligent detection and analysis of C2 traffic using two benchmark datasets: CTU-13 and CICIDS2017. A PyCaret-driven pipeline was developed to automate model comparison, training, and explainability, incorporating ensemble models such as Random Forest, Gradient Boosting, and LightGBM classifiers. Cross-dataset validation demonstrated that the trained models generalize well across heterogeneous traffic profiles, achieving over 99% accuracy and recall on unseen CICIDS2017 samples. SHAP-based explainability was used to identify high-impact features, enabling actionable insights into C2 behavior patterns. The results advocate for integrating flow-based anomaly detection and DNS tunneling filters into SIEM pipelines, and reinforce the importance of model interpretability and dataset diversity for real-world cyber defense applications.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Hybrid Detection of Command and Control Communications Using Flow-Based Features from Real-World Network Traffic

  • Chiamaka Femi-Adeyinka,
  • Tosin Akinsowon,
  • Qingzhong Liu

摘要

Command and Control (C2) communications are a persistent and stealthy component of advanced cyber threats, enabling adversaries to maintain remote access, exfiltrate sensitive data, and orchestrate lateral movement within target networks. This study presents a hybrid, flow-based machine learning framework for the intelligent detection and analysis of C2 traffic using two benchmark datasets: CTU-13 and CICIDS2017. A PyCaret-driven pipeline was developed to automate model comparison, training, and explainability, incorporating ensemble models such as Random Forest, Gradient Boosting, and LightGBM classifiers. Cross-dataset validation demonstrated that the trained models generalize well across heterogeneous traffic profiles, achieving over 99% accuracy and recall on unseen CICIDS2017 samples. SHAP-based explainability was used to identify high-impact features, enabling actionable insights into C2 behavior patterns. The results advocate for integrating flow-based anomaly detection and DNS tunneling filters into SIEM pipelines, and reinforce the importance of model interpretability and dataset diversity for real-world cyber defense applications.