Hybrid Detection of Command and Control Communications Using Flow-Based Features from Real-World Network Traffic
摘要
Command and Control (C2) communications are a persistent and stealthy component of advanced cyber threats, enabling adversaries to maintain remote access, exfiltrate sensitive data, and orchestrate lateral movement within target networks. This study presents a hybrid, flow-based machine learning framework for the intelligent detection and analysis of C2 traffic using two benchmark datasets: CTU-13 and CICIDS2017. A PyCaret-driven pipeline was developed to automate model comparison, training, and explainability, incorporating ensemble models such as Random Forest, Gradient Boosting, and LightGBM classifiers. Cross-dataset validation demonstrated that the trained models generalize well across heterogeneous traffic profiles, achieving over 99% accuracy and recall on unseen CICIDS2017 samples. SHAP-based explainability was used to identify high-impact features, enabling actionable insights into C2 behavior patterns. The results advocate for integrating flow-based anomaly detection and DNS tunneling filters into SIEM pipelines, and reinforce the importance of model interpretability and dataset diversity for real-world cyber defense applications.