Title: Inference and analysis of formal models of botnet command and control protocols
Abstract: We propose a novel approach to infer protocol state machines in the realistic high-latency network setting, and apply it to the analysis of botnet Command and Control (C&C) protocols. Our proposed techniques enable an order of magnitude reduction in the number of queries and time needed to learn a botnet C&C protocol compared to classic algorithms (from days to hours for inferring the MegaD C&C protocol). We also show that the computed protocol state machines enable formal analysis for botnet defense, including finding the weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations of protocol implementations which can be used for fingerprinting. We validate our technique by inferring the protocol state machine from Postfix's SMTP implementation and comparing the inferred state machine to the SMTP standard. Further, our experimental results offer new insights into MegaD's C&C, showing our technique can be used as a powerful tool for defense against botnets.
Year: 2010
DOI: 10.1145/1866307.1866355
Venue: ACM Conference on Computer and Communications Security
Keywords: protocol implementation, megad c, protocol state machine, protocol design flaw, botnet c, control protocol, botnet command, c protocol, botnet defense, formal model, protocol state-machine, computed protocol state machine, security, algorithms, performance, command and control, state machine
Field: Data mining, Command and control, Computer science, Botnet, Inference, Computer security, Server, Finite-state machine, Protocol design, Unobservable, Universal composability
DocType: Conference
Citations: 62
PageRank: 1.93
References: 26
Authors: 4

Name                      Order   Citations   PageRank
Chia Yuan Cho             1       251         11.20
Domagoj Babić             2       89          3.40
Eui Chul Richard Shin     3       343         17.34
Dawn Song                 4       7334        385.37