Abstract |
---|
We propose a novel approach to infer protocol state machines in the realistic high-latency network setting, and apply it to the analysis of botnet Command and Control (C&C) protocols. Our proposed techniques enable an order of magnitude reduction in the number of queries and time needed to learn a botnet C&C protocol compared to classic algorithms (from days to hours for inferring the MegaD C&C protocol). We also show that the computed protocol state machines enable formal analysis for botnet defense, including finding the weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations between protocol implementations that can be used for fingerprinting. We validate our technique by inferring the protocol state machine of Postfix's SMTP implementation and comparing the inferred state machine to the SMTP standard. Further, our experimental results offer new insights into MegaD's C&C, showing that our technique can be used as a powerful tool for defense against botnets. |

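
As an added example (not code from the paper or its authors), the following Python sketch shows the mechanism the abstract refers to: active inference of a Mealy-machine model of a protocol implementation through membership queries (classic Angluin-style L*), run against a constructed in-memory SMTP-like responder, followed by a shortest-difference search between two inferred models of the kind used to find implementation deviations for fingerprinting. The toy server, its four states, reply codes and the RCPT-before-MAIL variant are assumptions made for the demo; the learner is plain L* with a prefix-reply cache and bounded conformance testing standing in for an equivalence oracle, not the paper's latency-optimised algorithm, so its `sessions` counter only illustrates the cost (one reset plus one message sequence per query) that the paper's optimisations aim to cut.

```python
# Added example, not the paper's code: classic L* for Mealy machines with a
# reply cache, run against a constructed in-memory SMTP-like server.
from itertools import product

ALPHABET = ("HELO", "MAIL", "RCPT", "DATA", "QUIT")

def make_server(accepted):
    """Mealy machine (init, table); unlisted pairs reply 503 and stay, QUIT 221/reset."""
    table = {(s, a): ("503", s) for s in range(4) for a in ALPHABET}
    table.update({(s, "QUIT"): ("221", 0) for s in range(4)})
    table.update(accepted)
    return 0, table

# Constructed toy server (assumed layout): state 0 initial, 1 after HELO,
# 2 after MAIL, 3 after RCPT; DATA answers 354 and, for brevity, returns to 1.
TOY_SERVER = make_server({
    (0, "HELO"): ("250", 1), (1, "HELO"): ("250", 1), (1, "MAIL"): ("250", 2),
    (2, "HELO"): ("250", 1), (2, "RCPT"): ("250", 3), (3, "HELO"): ("250", 1),
    (3, "RCPT"): ("250", 3), (3, "DATA"): ("354", 1)})
# Constructed variant that also accepts RCPT straight after HELO: the kind of
# implementation deviation that fingerprints one server against another.
VARIANT_SERVER = make_server({**TOY_SERVER[1], (1, "RCPT"): ("250", 3)})

def run(model, word):
    """One session: reset `model`, feed `word`, return the reply to each input."""
    state, replies = model[0], []
    for sym in word:
        reply, state = model[1][(state, sym)]
        replies.append(reply)
    return replies

def first_deviation(model_a, model_b, max_len=4):
    """Shortest input sequence (searched by length) on which two machines differ."""
    for n in range(1, max_len + 1):
        for word in product(ALPHABET, repeat=n):
            if run(model_a, word) != run(model_b, word):
                return word
    return None

class Learner:
    """L* for Mealy machines.  A membership query costs one server session
    (reset + word) unless an extension of the word was already sent, in which
    case the cached replies answer it; `sessions` counts the real sessions."""
    def __init__(self, server):
        self.server, self.cache = server, {}
        self.sessions = self.queries = 0
        self.S = [()]                        # access prefixes
        self.E = [(a,) for a in ALPHABET]    # distinguishing suffixes

    def output(self, word):
        """Reply to the last symbol of the non-empty `word`."""
        self.queries += 1
        if word not in self.cache:
            self.sessions += 1
            replies = run(self.server, word)
            for i in range(1, len(word) + 1):   # every prefix is answered too
                self.cache.setdefault(word[:i], replies[:i])
        return self.cache[word][-1]

    def row(self, s):
        return tuple(self.output(s + e) for e in self.E)

    def inconsistency(self):
        """Suffix a+e telling apart two S-prefixes with equal rows, or None."""
        for s1, s2 in product(self.S, repeat=2):
            if s1 < s2 and self.row(s1) == self.row(s2):
                for a, e in product(ALPHABET, self.E):
                    if self.output(s1 + (a,) + e) != self.output(s2 + (a,) + e):
                        return (a,) + e
        return None

    def close_and_consistent(self):
        while True:
            rows = {self.row(s) for s in self.S}
            unclosed = next((s + (a,) for s in self.S for a in ALPHABET
                             if self.row(s + (a,)) not in rows), None)
            if unclosed is not None:
                self.S.append(unclosed)
                continue
            suffix = self.inconsistency()
            if suffix is None:
                return
            self.E.append(suffix)

    def hypothesis(self):
        """Mealy machine (init, table) whose states are the distinct rows of S."""
        reps = {self.row(s): s for s in self.S}   # one access prefix per row
        table = {(r, a): (self.output(s + (a,)), self.row(s + (a,)))
                 for r, s in reps.items() for a in ALPHABET}
        return self.row(()), table

    def learn(self, max_len=5):
        """Bounded conformance testing stands in for the equivalence query."""
        while True:
            self.close_and_consistent()
            cex = first_deviation(self.hypothesis(), self.server, max_len)
            if cex is None:
                return self.hypothesis()
            # Angluin's counterexample handling: add every prefix of cex to S
            self.S += [cex[:i] for i in range(1, len(cex) + 1) if cex[:i] not in self.S]
```

`Learner(TOY_SERVER).learn()` returns a four-state model that agrees with the toy server on every input sequence up to the conformance bound, and `first_deviation(model, Learner(VARIANT_SERVER).learn())` returns `("HELO", "RCPT")`, the shortest message sequence that tells the two implementations apart. Against a real server each `sessions` increment would be a full TCP connection and round trip, which is why query count, not CPU time, dominates inference in the high-latency setting the abstract describes.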
Year | DOI | Venue |
---|---|---|
2010 | 10.1145/1866307.1866355 | ACM Conference on Computer and Communications Security |
Keywords | Field | DocType |
protocol implementation,MegaD C&C,protocol state machine,protocol design flaw,botnet C&C,botnet command and control protocol,C&C protocol,botnet defense,formal model,protocol state-machine,computed protocol state machine,security,algorithms,performance,command and control,state machine | Data mining,Command and control,Computer science,Botnet,Inference,Computer security,Server,Finite-state machine,Protocol design,Unobservable,Universal composability | Conference
Citations | PageRank | References |
62 | 1.93 | 26 |
Authors |
---|
4 |

Name | Order | Citations | PageRank |
---|---|---|---|
Chia Yuan Cho | 1 | 251 | 11.20 |
Domagoj Babić | 2 | 89 | 3.40
Eui Chul Richard Shin | 3 | 343 | 17.34 |
Dawn Song | 4 | 7334 | 385.37 |