Encrypted Remote Access Trojan Detection: A Machine Learning Approach with Real-World and Open Datasets

Authors

  • Emmanuel Sebakara, University of Lay Adventists of Kigali (UNILAK)
  • Dr. K N Jonathan, University of Lay Adventists of Kigali (UNILAK)

DOI:

https://doi.org/10.70619/vol5iss3pp30-42

Keywords:

Remote Access Trojan (RAT), Encryption, Machine Learning, Behavioral Analysis, Cybersecurity, Privacy-Preserving Detection.

Abstract

The increasing use of encryption by cyber attackers to conceal Remote Access Trojans (RATs) challenges traditional signature-based detection systems, which struggle with encrypted traffic and leave security gaps. In this study, we propose a privacy-preserving, machine-learning-based framework that detects encrypted RATs without decrypting traffic. Instead, it analyzes behavioral indicators and metadata, including packet timing anomalies, TLS handshake irregularities, and persistent unidirectional flows. We evaluated our approach using two datasets: a public Kaggle dataset (177,482 labeled records, 85 features) and an anonymized internal dataset from Company X (40,000 samples, 27 features). Among four tested models—Logistic Regression, Decision Tree, Random Forest, and XGBoost—Random Forest performed best, achieving 74.83% and 72.11% accuracy on the Company X and Kaggle datasets, respectively, outperforming a baseline signature-based system (53.8% accuracy). Our model also showed strong generalization, with 80% correct predictions across sample-based evaluations, demonstrating its readiness for real-world deployment. By ensuring privacy and delivering improved detection, our framework offers a scalable, adaptive alternative to traditional cybersecurity methods.
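The abstract describes detection from behavioural indicators and metadata only (packet timing, persistent one-way byte flow, TLS handshake irregularities) fed to a classifier, without decrypting traffic. The following is an added example of that pipeline, not the paper's code or its feature set: the flow records are constructed, the four feature definitions (client inter-arrival regularity, client-to-server byte ratio, flow duration, a missing-SNI/self-signed-certificate flag) are assumptions about how those indicators could be measured, and the classifier is a from-scratch logistic regression rather than the paper's Random Forest, so the script runs on a plain Python install.

```python
"""Metadata-only features for encrypted flows plus a from-scratch logistic
regression. Added example, not the paper's code: the flows are constructed
and the feature definitions are assumptions, not the paper's features."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass
class Flow:
    """Timestamps, directions, sizes and handshake facts only; no payload."""
    packets: list[tuple[float, str, int]]  # (timestamp_s, "c2s"|"s2c", bytes)
    sni_present: bool
    self_signed_cert: bool
    label: int  # constructed ground truth: 1 = RAT, 0 = benign


def extract_features(flow: Flow) -> list[float]:
    """Return [client_iat_cv, c2s_byte_ratio, duration_s, handshake_irregular]."""
    ts = [t for t, d, _ in flow.packets if d == "c2s"]  # client-initiated cadence
    iats = [b - a for a, b in zip(ts, ts[1:])]
    mean_iat = sum(iats) / len(iats) if iats else 0.0
    var = sum((x - mean_iat) ** 2 for x in iats) / len(iats) if iats else 0.0
    iat_cv = math.sqrt(var) / mean_iat if mean_iat > 0 else 0.0  # ~0 = beaconing
    total = sum(n for _, _, n in flow.packets)
    c2s = sum(n for _, d, n in flow.packets if d == "c2s")
    c2s_ratio = c2s / total if total else 0.0  # ~1 = persistently one-way
    all_ts = [t for t, _, _ in flow.packets]
    duration = max(all_ts) - min(all_ts) if all_ts else 0.0
    # Assumed handshake irregularity: no SNI or a self-signed certificate.
    irregular = 1.0 if (not flow.sni_present or flow.self_signed_cert) else 0.0
    return [iat_cv, c2s_ratio, duration, irregular]


def beacon_flow(interval: float, jitter: float, n: int, sni: bool, self_signed: bool) -> Flow:
    """Constructed RAT-like flow: fixed-interval check-ins, client-heavy bytes."""
    pkts = []
    for i in range(n):
        t = i * interval + (jitter if i % 2 else 0.0)
        pkts.append((t, "c2s", 800))       # check-in / upload chunk
        pkts.append((t + 0.1, "s2c", 90))  # small acknowledgement
    return Flow(pkts, sni, self_signed, 1)


def browsing_flow(gaps: list[float], sni: bool, self_signed: bool) -> Flow:
    """Constructed benign flow: bursty requests, server-heavy bytes."""
    pkts, t = [], 0.0
    for g in gaps:
        t += g
        pkts.append((t, "c2s", 300))          # request
        pkts.append((t + 0.05, "s2c", 4200))  # response body
    return Flow(pkts, sni, self_signed, 0)


def build_dataset() -> list[Flow]:
    rats = [beacon_flow(30, 0.5, 12, False, False), beacon_flow(60, 1.0, 8, False, True),
            beacon_flow(45, 0.0, 10, True, True), beacon_flow(20, 0.3, 15, False, False),
            beacon_flow(90, 2.0, 6, True, True),
            beacon_flow(120, 1.5, 5, True, False)]  # clean handshake: timing/volume only
    benign = [browsing_flow([0.2, 0.1, 8.0, 0.3, 25.0, 0.2, 0.4, 60.0], True, False),
              browsing_flow([1.0, 0.2, 0.1, 15.0, 0.3, 90.0], True, False),
              browsing_flow([0.1, 3.0, 0.2, 0.2, 40.0, 0.5], True, False),
              browsing_flow([2.0, 0.1, 0.4, 7.0, 120.0, 0.3, 0.2], True, False),
              browsing_flow([0.3, 0.2, 0.1, 10.0, 0.5, 30.0], True, False),
              browsing_flow([0.2, 5.0, 0.1, 0.3, 70.0], True, True)]  # internal self-signed site
    return rats + benign


def standardize(rows: list[list[float]]) -> list[list[float]]:
    cols = list(zip(*rows))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r, means, stds)] for r in rows]


def sigmoid(z: float) -> float:
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))


def train_logreg(X, y, lr: float = 0.5, epochs: int = 1500):
    """Batch gradient descent on the logistic loss; no external libraries."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, xi)) + b) - yi
            gw = [g + err * xj for g, xj in zip(gw, xi)]
            gb += err
        w = [wj - lr * g / len(X) for wj, g in zip(w, gw)]
        b -= lr * gb / len(X)
    return w, b


def evaluate(epochs: int = 1500) -> float:
    """Train on the constructed flows and return the training accuracy."""
    flows = build_dataset()
    X = standardize([extract_features(f) for f in flows])
    y = [f.label for f in flows]
    w, b = train_logreg(X, y, epochs=epochs)
    preds = [1 if sigmoid(sum(a * c for a, c in zip(w, x)) + b) >= 0.5 else 0 for x in X]
    return sum(p == t for p, t in zip(preds, y)) / len(y)


if __name__ == "__main__":
    print(f"training accuracy on constructed flows: {evaluate():.2f}")
```

The point to take from the example is what the feature extractor does not touch: it reads timestamps, directions, sizes and handshake facts and never a payload byte, which is what makes the approach privacy-preserving. The dataset deliberately includes one RAT-like flow with a clean handshake and one benign flow with a self-signed certificate, so the classifier has to combine timing and volume with the handshake flag rather than rely on any single indicator.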


Published

2025-06-06

How to Cite

Sebakara, E., & Jonathan, D. K. N. (2025). Encrypted Remote Access Trojan Detection: A Machine Learning Approach with Real-World and Open Datasets. Journal of Information and Technology, 5(3), 30–42. https://doi.org/10.70619/vol5iss3pp30-42

Section

Articles