C2-Eye: Framework for Detecting Command and Control (C2) Connection of Supply Chain Attacks | Research Square

Research Article (preprint)
Authors: Raja Zeeshan Haider (corresponding author), Baber Aslam, Haider Abbas (National University of Sciences and Technology); Zafar Iqbal (Air University)
This is a preprint; it has not been peer reviewed by a journal.
DOI: https://doi.org/10.21203/rs.3.rs-3867295/v1
This work is licensed under a CC BY 4.0 License.
Status: Published. Journal publication published 29 Apr, 2024. Read the published version in International Journal of Information Security: https://doi.org/10.1007/s10207-024-00850-y
Version 1 posted 18 Jan, 2024. You are reading this latest preprint version.

Abstract
Supply chain attacks are potent cyber attacks for compromising supply chains and infecting thousands of customers that depend on the supply chain. The havoc wreaked by the SUNBURST attack demands a proactive and holistic approach for the timely detection of supply chain attacks. Supply chain attacks are difficult to detect because the malware is installed through legitimate supply chains, making deployed security controls futile. The recent increase in supply chain attacks warrants a Zero-trust model for detecting them. The most promising technique for detecting supply chain attacks is monitoring host-based indicators and correlating these indicators with the associated network activity. Establishing a Command and Control (C2) connection is one of the essential stages in a supply chain attack, and its timely detection can lead to detection of the attack. The C2-Eye framework introduces an all-inclusive approach for detecting the C2 of supply chain attacks established over DNS. C2-Eye incorporates process-specific host-based features, correlated network activity, DNS metadata, DNS semantic analysis, and threat intelligence from publicly available resources for detecting the C2 of supply chain attacks. In addition, C2-Eye monitors the C2 channel for probable data exfiltration in the backdrop of supply chain attacks. C2-Eye introduces many unique features, offering better performance and a high detection rate. A random forest classifier is used to classify the heterogeneous C2-Eye features. C2-Eye is an effective framework for detecting supply chain attacks, with an F1-score of 98.70%.

Keywords: APT; Command and Control (C2); DNS; Random Forest Classifier; SUNBURST; Supply Chain Attack

Additional Declarations: No competing interests reported.
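The abstract's central idea is to judge host-based indicators (which process issued a DNS query) together with the network side (DNS metadata of the queried names) and threat intelligence. The following is an added example, not code from the paper or from the C2-Eye project, showing what that correlation can look like in practice: it ties constructed process-to-query events to per-query DNS metadata features (label count, subdomain length, subdomain entropy, digit ratio), aggregates them per (process, registered domain), and checks the registered domain against a constructed threat-intelligence blocklist. The feature names, the thresholds, the naive last-two-labels registered-domain split, the sample events and the blocklist are all assumptions for illustration; the paper's own feature set is not on this page. The random forest classifier the abstract mentions is replaced here by a transparent threshold rule so the example runs with the standard library only.

```python
import math
from collections import Counter, defaultdict

# Constructed host-correlated DNS events (process name -> queried FQDN), the
# kind of record a host agent produces when it ties a DNS query to the process
# that issued it. Processes, names and domains are constructed for this example.
EVENTS = [
    ("svchost.exe",   "update.example-vendor.invalid"),
    ("chrome.exe",    "www.example.org"),
    ("chrome.exe",    "static.example.org"),
    ("vendorsvc.exe", "7r4kq9zm2x1p.cloud-sync.invalid"),
    ("vendorsvc.exe", "z9q2hm8k4r3n.cloud-sync.invalid"),
    ("vendorsvc.exe", "ab61k3pq7m0x.cloud-sync.invalid"),
    ("vendorsvc.exe", "mnx4k0r2qp9s.cloud-sync.invalid"),
    ("backup.exe",    "files.known-bad.invalid"),
]

# Constructed threat-intelligence feed (assumption): registered domains that an
# external source has reported as C2 infrastructure.
TI_BLOCKLIST = {"known-bad.invalid"}

# Thresholds are assumptions chosen for this example, not values from the paper.
MIN_QUERIES = 3
MIN_MEAN_ENTROPY = 3.0


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty or uniform input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_name(fqdn):
    """Return (subdomain, registered_domain) using a naive last-two-labels rule.
    A real deployment would consult the Public Suffix List; simplified here."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def query_features(fqdn):
    """DNS metadata features for one query. Algorithmically generated C2
    subdomains tend to be long, high-entropy and digit-heavy compared with
    human-chosen names such as 'www' or 'update'."""
    sub, _ = split_name(fqdn)
    label_count = len(fqdn.lower().rstrip(".").split("."))
    return {
        "label_count": label_count,
        "subdomain_len": len(sub),
        "subdomain_entropy": round(shannon_entropy(sub), 3),
        "digit_ratio": round(sum(ch.isdigit() for ch in sub) / len(sub), 3) if sub else 0.0,
    }


def correlate(events, blocklist):
    """Group queries by (process, registered domain) and summarise the per-query
    features, so host context (which process) and network context (which domain,
    how many distinct subdomains, how random they look) are judged together."""
    groups = defaultdict(list)
    for proc, fqdn in events:
        groups[(proc, split_name(fqdn)[1])].append(fqdn)
    rows = []
    for (proc, rdom), fqdns in groups.items():
        feats = [query_features(f) for f in fqdns]
        rows.append({
            "process": proc,
            "registered_domain": rdom,
            "query_count": len(fqdns),
            "unique_subdomains": len({split_name(f)[0] for f in fqdns}),
            "mean_subdomain_entropy": round(sum(x["subdomain_entropy"] for x in feats) / len(feats), 3),
            "max_subdomain_len": max(x["subdomain_len"] for x in feats),
            "in_threat_intel": rdom in blocklist,
        })
    return rows


def flag_reasons(row):
    """Transparent stand-in for the classifier step: the reasons a
    (process, domain) pair looks like DNS-based C2. Empty list means benign."""
    reasons = []
    if row["in_threat_intel"]:
        reasons.append("registered domain on threat-intel blocklist")
    if (row["query_count"] >= MIN_QUERIES
            and row["unique_subdomains"] == row["query_count"]
            and row["mean_subdomain_entropy"] >= MIN_MEAN_ENTROPY):
        reasons.append("many one-off high-entropy subdomains from a single process")
    return reasons


def detect(events, blocklist):
    """Return {(process, registered_domain): [reasons]} for every flagged pair."""
    hits = {}
    for row in correlate(events, blocklist):
        why = flag_reasons(row)
        if why:
            hits[(row["process"], row["registered_domain"])] = why
    return hits


if __name__ == "__main__":
    for key, why in detect(EVENTS, TI_BLOCKLIST).items():
        print(key, "->", "; ".join(why))
```

Run as a script, the example flags `vendorsvc.exe` for issuing four distinct high-entropy subdomains under one registered domain and `backup.exe` for contacting a blocklisted domain, while the browser and `svchost.exe` traffic stays unflagged. In a framework like the one the abstract describes, the row dictionaries produced by `correlate` are the heterogeneous feature vectors a classifier such as a random forest would consume; the `flag_reasons` rule only illustrates which combinations of host and network features carry the signal.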
Editorial timeline at International Journal of Information Security:
15 Jan, 2024: First submitted to journal
16 Jan, 2024: Submission checks completed at journal
16 Jan, 2024: Editor assigned by journal
09 Feb, 2024: Reviewers invited by journal
11 Feb, 2024: Reviewers agreed at journal
13 Feb, 2024: Reviews received at journal
16 Feb, 2024: Editorial decision: Revision requested
29 Apr, 2024: Journal publication published