{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,9]],"date-time":"2026-05-09T16:34:22Z","timestamp":1778344462276,"version":"3.51.4"},"reference-count":41,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2023,12,1]],"date-time":"2023-12-01T00:00:00Z","timestamp":1701388800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"<jats:p>The proliferation of cloud and public legitimate services (CLS) on a global scale has resulted in increasingly sophisticated malware attacks that abuse these services as command-and-control (C&amp;C) communication channels. Conventional security solutions are inadequate for detecting malicious C&amp;C traffic because it blends with legitimate traffic. This motivates the development of advanced detection techniques. We make the following contributions: First, we introduce a novel labeled dataset. This dataset serves as a valuable resource for training and evaluating detection techniques aimed at identifying malicious bots that abuse CLS as C&amp;C channels. Second, we tailor our feature engineering to behaviors indicative of CLS abuse, such as connections to known CLS domains and potential C&amp;C API calls. Third, to identify the most relevant features, we introduce a custom feature elimination (CFE) method designed to determine the exact number of features needed for filter selection approaches. Fourth, our approach focuses on both static and derivative features of Portable Executable (PE) files. After evaluating various machine learning (ML) classifiers, the random forest emerges as the most effective classifier, achieving a 98.26% detection rate. Fifth, we introduce the \u201cReplace Misclassified Parameter (RMCP)\u201d adversarial attack. 
This white-box strategy is designed to evaluate our system\u2019s detection robustness. The RMCP attack modifies feature values in malicious samples to make them appear as benign samples, thereby bypassing the ML model\u2019s classification while maintaining the malware\u2019s malicious capabilities. The results of the robustness evaluation demonstrate that our proposed method successfully maintains a high accuracy level of 84%. In sum, our comprehensive approach offers a robust solution to the growing threat of malware abusing CLS as C&amp;C infrastructure.<\/jats:p>","DOI":"10.3390\/jcp3040039","type":"journal-article","created":{"date-parts":[[2023,12,1]],"date-time":"2023-12-01T04:12:56Z","timestamp":1701403976000},"page":"858-881","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Machine Learning Detection of Cloud Services Abuse as C&amp;C Infrastructure"],"prefix":"10.3390","volume":"3","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6701-0279","authenticated-orcid":false,"given":"Turki","family":"Al lelah","sequence":"first","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2701-7809","authenticated-orcid":false,"given":"George","family":"Theodorakopoulos","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Amir","family":"Javed","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, UK"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eirini","family":"Anthi","sequence":"additional","affiliation":[{"name":"School of Computer Science and Informatics, Cardiff University, Cardiff CF24 4AG, 
UK"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2023,12,1]]},"reference":[{"key":"ref_1","unstructured":"(2023, February 14). Announcing the Public Cloud Market Outlook, 2022 to 2026 Public Cloud\u2019s Stormy Path to Growth. Available online: https:\/\/www.forrester.com\/blogs\/announcing-the-public-cloud-market-outlook-2022-to-2026\/."},{"key":"ref_2","unstructured":"(2023, February 14). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group|FireEye. Available online: https:\/\/www.fireeye.com\/current-threats\/apt-groups\/rpt-apt29.html."},{"key":"ref_3","unstructured":"(2023, February 14). Operation Ghost: The Dukes Aren\u2019t Back\u2014They Never Left|WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com\/2019\/10\/17\/operation-ghost-dukes-never-left\/."},{"key":"ref_4","unstructured":"Pernet, C., Cao, E., Horejsi, J., Chen, J.C., and Sanchez, W.G. (2023, February 14). New SLUB Backdoor Uses GitHub, Communicates via Slack. Available online: https:\/\/www.trendmicro.com\/en_gb\/research\/19\/c\/new-slub-backdoor-uses-github-communicates-via-slack.html."},{"key":"ref_5","unstructured":"Robert Falcone, B.L. (2023, February 14). DarkHydrus Delivers New Trojan That Can Use Google Drive for C2 Communications. Available online: https:\/\/unit42.paloaltonetworks.com\/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications\/."},{"key":"ref_6","unstructured":"(2023, February 14). PE Format\u2014Win32 Apps|Microsoft Learn. Available online: https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/debug\/pe-format."},{"key":"ref_7","unstructured":"(2023, August 31). Desktop Operating System Market Share 2013\u20132023|Statista. Available online: https:\/\/www.statista.com\/statistics\/218089\/global-market-share-of-windows-7\/."},{"key":"ref_8","unstructured":"(2023, August 31). VirusTotal\u2014Stats. 
Available online: https:\/\/www.virustotal.com\/gui\/stats."},{"key":"ref_9","unstructured":"(2023, July 03). Inside Windows: An In-Depth Look into the Win32 Portable Executable File Format, Part 2|Microsoft Learn. Available online: https:\/\/learn.microsoft.com\/en-us\/archive\/msdn-magazine\/2002\/march\/inside-windows-an-in-depth-look-into-the-win32-portable-executable-file-format-part-2."},{"key":"ref_10","unstructured":"(2023, April 09). Portable Executable\u2014Wikipedia. Available online: https:\/\/en.wikipedia.org\/wiki\/Portable_Executable."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Kartaltepe, E.J., Morales, J.A., Xu, S., and Sandhu, R. (2010, January 22\u201325). Social network-based botnet command-and-control: Emerging threats and countermeasures. Proceedings of the International Conference on Applied Cryptography and Network Security, Beijing, China.","DOI":"10.1007\/978-3-642-13708-2_30"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Vo, N.H., and Pieprzyk, J. (2010, January 19\u201320). Protecting web 2.0 services from botnet exploitations. Proceedings of the 2010 Second Cybercrime and Trustworthy Computing Workshop, Ballarat, Australia.","DOI":"10.1109\/CTC.2010.10"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Ghanadi, M., and Abadi, M. (2014, January 9\u201311). Socialclymene: A negative reputation system for covert botnet detection in social networks. Proceedings of the 7\u2019th International Symposium on Telecommunications (IST\u20192014), Tehran, Iran.","DOI":"10.1109\/ISTEL.2014.7000840"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Ji, Y., He, Y., Jiang, X., and Li, Q. (2014, January 16\u201319). Towards social botnet behavior detecting in the end host. 
Proceedings of the 2014 20th IEEE International Conference on Parallel and Distributed Systems (ICPADS), Hsinchu, Taiwan.","DOI":"10.1109\/PADSW.2014.7097824"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Thomas, K., and Nicol, D.M. (2010, January 19\u201320). The Koobface botnet and the rise of social malware. Proceedings of the 2010 5th International Conference on Malicious and Unwanted Software, Nancy, France.","DOI":"10.1109\/MALWARE.2010.5665793"},{"key":"ref_16","unstructured":"Ivanov, A., and Sinitsyn, F. (2023, February 14). The First Cryptor to Exploit Telegram|Securelist. Available online: https:\/\/securelist.com\/the-first-cryptor-to-exploit-telegram\/76558\/."},{"key":"ref_17","unstructured":"Singel, R. (2023, February 14). Hackers Use Twitter to Control Botnet|WIRED. Available online: https:\/\/www.wired.com\/2009\/08\/botnet-tweets\/."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Singh, A., Toderici, A.H., Ross, K., and Stamp, M. (2013). Social Networking for Botnet Command and Control. Int. J. Comput. Netw. Inf. Secur., 5.","DOI":"10.5815\/ijcnis.2013.06.02"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Nagaraja, S., Houmansadr, A., Piyawongwisal, P., Singh, V., Agarwal, P., and Borisov, N. (2011, January 18\u201320). Stegobot: A covert social network botnet. Proceedings of the International Workshop on Information Hiding, Prague, Czech Republic.","DOI":"10.1007\/978-3-642-24178-9_21"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Burghouwt, P., Spruit, M., and Sips, H. (2011, January 15\u201319). Towards detection of botnet communication through social media by monitoring user activity. 
Proceedings of the International Conference on Information Systems Security, Kolkata, India.","DOI":"10.1007\/978-3-642-25560-1_9"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"230","DOI":"10.1016\/j.cose.2016.01.007","article-title":"Combating the evasion mechanisms of social bots","volume":"58","author":"Ji","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_22","unstructured":"Singh, A. (2012). Social Networking for Botnet Command and Control. 2012. [Master\u2019s Thesis, San Jose State University]."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Burghouwt, P., Spruit, M., and Sips, H. (2013, January 13\u201315). Detection of covert botnet command and control channels by causal analysis of traffic flows. Proceedings of the International Symposium on Cyberspace Safety and Security, Zhangjiajie, China.","DOI":"10.1007\/978-3-319-03584-0_10"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"556","DOI":"10.1016\/j.comnet.2012.06.006","article-title":"Design and analysis of a social botnet","volume":"57","author":"Boshmaf","year":"2013","journal-title":"Comput. Networks"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Ji, Y., He, Y., Zhu, D., Li, Q., and Guo, D. (2014, January 5\u20138). A mulitiprocess mechanism of evading behavior-based bot detection approaches. Proceedings of the International Conference on Information Security Practice and Experience, Fuzhou, China.","DOI":"10.1007\/978-3-319-06320-1_7"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Ahmadi, M., Biggio, B., Arzt, S., Ariu, D., and Giacinto, G. (2016, January 24). Detecting misuse of google cloud messaging in android badware. Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices, Vienna, Austria.","DOI":"10.1145\/2994459.2994469"},{"key":"ref_27","unstructured":"Arzt, S. (2017). Static Data Flow Analysis for Android Applications. 2017. [Ph.D. 
Thesis, Darmstadt University of Technology]."},{"key":"ref_28","unstructured":"(2023, May 18). VirusTotal\u2014Home. Available online: https:\/\/www.virustotal.com\/gui\/home\/upload."},{"key":"ref_29","unstructured":"(2023, May 18). Cuckoo Sandbox\u2014Automated Malware Analysis. Available online: https:\/\/cuckoosandbox.org\/."},{"key":"ref_30","unstructured":"(2023, May 18). Free Software Downloads and Reviews for Windows, Android, Mac, and IOS\u2014Cnet Download. Available online: https:\/\/download.cnet.com\/windows\/."},{"key":"ref_31","unstructured":"(2023, May 18). SourceForge.Net. Available online: https:\/\/sourceforge.net\/projects\/sourceforge\/."},{"key":"ref_32","unstructured":"(2023, February 14). Windows Internet\u2014Win32 Apps|Microsoft Learn. Available online: https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/_wininet\/."},{"key":"ref_33","unstructured":"Santos, I., Devesa, J., Brezo, F., Nieves, J., and Bringas, P.G. (2012, January 5\u20137). Opem: A static-dynamic approach for machine-learning-based malware detection. Proceedings of the International Joint Conference CISIS\u201912-ICEUTE\u2019 12-SOCO\u2019 12 Special Sessions, Ostrava, Czech Republic."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Shalaginov, A., Banin, S., Dehghantanha, A., and Franke, K. (2018). Cyber Threat Intelligence, Springer.","DOI":"10.1007\/978-3-319-73951-9"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Baldangombo, U., Jambaljav, N., and Horng, S.J. (2013). A static malware detection system using data mining methods. arXiv.","DOI":"10.5121\/ijaia.2013.4411"},{"key":"ref_36","unstructured":"Yan, G., Brown, N., and Kong, D. (2013, January 18\u201319). Exploring discriminatory features for automated malware classification. Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment: 10th International Conference, DIMVA 2013, Berlin, Germany. 
Proceedings 10."},{"key":"ref_37","unstructured":"(2023, May 18). Mlxtend. Available online: https:\/\/rasbt.github.io\/mlxtend\/."},{"key":"ref_38","unstructured":"(2023, May 18). scikit-Learn: Machine Learning in Python\u2014Scikit-Learn 1.2.2 Documentation. Available online: https:\/\/scikit-learn.org\/stable\/."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Naz, S., and Singh, D.K. (2019, January 6\u20138). Review of machine learning methods for windows malware detection. Proceedings of the 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT), Kanpur, India.","DOI":"10.1109\/ICCCNT45670.2019.8944796"},{"key":"ref_40","first-page":"252","article-title":"A learning model to detect maliciousness of portable executable using integrated feature set","volume":"31","author":"Kumar","year":"2019","journal-title":"J. King Saud Univ.-Comput. Inf. Sci."},{"key":"ref_41","first-page":"1","article-title":"Selecting features to classify malware","volume":"2012","author":"Raman","year":"2012","journal-title":"Infosec Southwest"}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/3\/4\/39\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T21:35:41Z","timestamp":1760132141000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/3\/4\/39"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,1]]},"references-count":41,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["jcp3040039"],"URL":"https:\/\/doi.org\/10.3390\/jcp3040039","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,12,1]]}}}
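The abstract in the record above names two technical ideas: static PE feature engineering aimed at CLS abuse (references to known CLS domains, potential C&C API imports) and the RMCP attack, which rewrites feature values of malicious samples towards benign values while leaving the malware's capability intact. The following is an added, self-contained Python example written for this page; it is neither the paper's code nor part of the Crossref record. The CLS domain list, the WinINet/WinHTTP API list, the linear "toy_model" standing in for the paper's random forest, and both sample byte blobs are assumptions constructed here, and the greedy replacement loop is a sketch in the spirit of RMCP rather than a reproduction of the authors' algorithm.

```python
"""Added example (not the paper's code).  Feature extraction tailored to CLS abuse
as described in the abstract, plus a greedy feature-replacement evasion sketch in
the spirit of the RMCP attack.  Watch-lists, the toy scoring model and the sample
byte blobs are all assumptions constructed for this illustration."""
import re
from typing import Callable, Dict, List, Tuple

# ASSUMED watch-lists.  The paper's exact lists are not on this page.
CLS_DOMAINS = [
    b"api.telegram.org", b"slack.com", b"drive.google.com", b"api.github.com",
    b"pastebin.com", b"twitter.com", b"dropboxapi.com", b"discord.com",
]
# WinINet / WinHTTP entry points a bot would import to reach such services.
NET_APIS = [
    b"InternetOpenA", b"InternetOpenUrlA", b"InternetConnectA", b"HttpOpenRequestA",
    b"HttpSendRequestA", b"InternetReadFile", b"WinHttpOpenRequest", b"WinHttpSendRequest",
]

Feature = Dict[str, int]


def extract_features(blob: bytes) -> Feature:
    """Flat feature dict from raw file bytes.

    Feature families follow the abstract: references to known CLS domains,
    potential C&C API imports, and cheap static statistics.  Import names are
    found by printable-string scanning rather than a full PE import-table walk,
    so a packed sample would hide them (the usual blind spot of static methods)."""
    strings = re.findall(rb"[\x20-\x7e]{6,}", blob)
    joined = b"\n".join(strings)
    feats: Feature = {f"dom:{d.decode()}": int(d in joined) for d in CLS_DOMAINS}
    feats.update({f"api:{a.decode()}": int(a in joined) for a in NET_APIS})
    feats["n_cls_domains"] = sum(v for k, v in feats.items() if k.startswith("dom:"))
    feats["n_net_apis"] = sum(v for k, v in feats.items() if k.startswith("api:"))
    feats["n_urls"] = len(re.findall(rb"https?://", joined))
    feats["n_strings"] = len(strings)
    feats["size_kb"] = len(blob) // 1024
    feats["has_mz"] = int(blob[:2] == b"MZ")
    return feats


def toy_model(f: Feature) -> float:
    """Stand-in classifier (NOT the paper's random forest): fixed linear score,
    clamped to [0, 1]; >= 0.5 means 'malicious'.  Bulk features (string count,
    size) pull towards benign, which is exactly what an evader will exploit."""
    s = 0.25 * f["n_cls_domains"] + 0.15 * f["n_net_apis"] + 0.10 * f["n_urls"]
    s -= 0.002 * f["n_strings"] + 0.001 * f["size_kb"]
    return max(0.0, min(1.0, s))


def replace_to_benign(mal: Feature, benign_ref: Feature,
                      model: Callable[[Feature], float], mutable: List[str],
                      threshold: float = 0.5) -> Tuple[Feature, List[str]]:
    """Greedy white-box evasion in the spirit of RMCP: copy the benign reference's
    value into the malicious vector for one mutable feature at a time (the one
    giving the largest score drop first) until the model says benign or the
    mutable set is exhausted.  Capability-bearing features (C&C API imports,
    CLS domains) must stay out of `mutable` so the payload still works."""
    cur, replaced, remaining = dict(mal), [], list(mutable)
    while model(cur) >= threshold and remaining:
        best = min(remaining, key=lambda k: model({**cur, k: benign_ref[k]}))
        cur[best] = benign_ref[best]
        replaced.append(best)
        remaining.remove(best)
    return cur, replaced


# CONSTRUCTED sample inputs (not real files): a tiny bot stub that imports WinINet
# and embeds a Telegram Bot API URL, and a string-heavy installer-like stub.
MAL_BLOB = (b"MZ" + b"\x00" * 62
            + b"KERNEL32.dll\x00WININET.dll\x00InternetOpenA\x00InternetOpenUrlA\x00"
            + b"InternetReadFile\x00https://api.telegram.org/bot<token>/getUpdates\x00"
            + b"\x90" * 512)
BENIGN_BLOB = (b"MZ" + b"\x00" * 62 + b"KERNEL32.dll\x00USER32.dll\x00CreateFileW\x00MessageBoxW\x00"
               + b"".join(b"Setup string number %d for the installer UI\x00" % i for i in range(300))
               + b"\x00" * 40000)


def demo() -> Dict[str, object]:
    mal, ben = extract_features(MAL_BLOB), extract_features(BENIGN_BLOB)
    # Only padding-style features are offered to the attacker.
    evaded, replaced = replace_to_benign(mal, ben, toy_model, ["n_strings", "size_kb"])
    return {
        "mal_score": toy_model(mal), "benign_score": toy_model(ben),
        "evaded_score": toy_model(evaded), "replaced": replaced,
        "capability_intact": (evaded["n_net_apis"] == mal["n_net_apis"]
                              and evaded["n_cls_domains"] == mal["n_cls_domains"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the bot stub scored malicious on its CLS-domain and WinINet features, then flipped to benign after a single replacement of the string-count feature with the benign reference's value, while every capability-bearing feature stayed unchanged. That is the defender's takeaway from the abstract's robustness evaluation: features an attacker can change by padding (string count, file size, similar bulk statistics) are cheap evasion levers, and a feature-selection step such as the paper's CFE should be judged partly on how much weight it leaves on such features versus on the domain and API indicators that the malware cannot drop without losing its C&C channel.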