Periodic Behavior in Botnet Command and Control Channels Traffic

A botnet is a large network of bots under the control of a bot herder. Botnets have become a significant threat to network communications and applications. A botnet's operation relies on Command and Control (C2) channel traffic, which occurs before the attack activity itself. Therefore, detecting C2 channel traffic makes it possible to identify the members of a botnet before any target is attacked. We study the periodic behavior of C2 traffic caused by the pre-programmed behavior of bots, which check for and download updates every T seconds, and we use this periodicity to detect bots. The method evaluates the periodogram of the traffic in the monitored network and then applies Walker's large-sample test to the maximum ordinate of the periodogram to determine whether that ordinate is due to a strong periodic component in the traffic; if it is, the traffic is classified as bot traffic. We apply the test to a TinyP2P botnet generated by SLINGbot and show strong periodic behavior in the bots' traffic. We study the effect of the period length and the duty cycle of the C2 traffic on the test's performance and find that performance increases as the duty cycle increases and/or the period length decreases. We analyze the test's performance in the presence of injected random noise traffic and derive lower and upper bounds on that performance.
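The detection procedure the abstract describes, as an added Python example that is not code from the paper or from SLINGbot: packet counts are binned per second, the periodogram is evaluated at the Fourier frequencies, and Walker's large-sample test is applied to the maximum ordinate. The traffic is constructed here (a Poisson background plus a deterministic beacon of `beacon_pkts` packets in the first `duty`·T seconds of every period); the 1/n periodogram normalization, the use of the sample variance in place of σ², and all function names are assumptions of this example rather than the paper's choices.

```python
import math
import random


def simulate_traffic(n, period, duty, beacon_pkts, background_rate, seed=1):
    """Constructed sample: n one-second bins of packet counts seen at a monitor.
    Background traffic is Poisson(background_rate) per bin (hypothetical model).
    A bot adds beacon_pkts packets to every bin in the first duty*period seconds
    of each period (its pre-programmed check-for-updates pulse);
    beacon_pkts=0 yields background-only traffic."""
    rng = random.Random(seed)
    active = max(1, int(round(duty * period)))  # seconds per period the bot talks
    counts = []
    for t in range(n):
        # Knuth's Poisson sampler for the background packets in this bin
        limit, k, p = math.exp(-background_rate), 0, 1.0
        while True:
            p *= rng.random()
            if p <= limit:
                break
            k += 1
        if beacon_pkts and (t % period) < active:
            k += beacon_pkts
        counts.append(k)
    return counts


def periodogram(x):
    """I(w_k) = (1/n) |sum_t (x_t - mean) e^{-i w_k t}|^2 at the Fourier
    frequencies w_k = 2*pi*k/n, k = 1..q, q = floor((n-1)/2).
    Returns a list of (k, I_k); a plain DFT is used to stay dependency-free."""
    n = len(x)
    mean = sum(x) / n
    y = [v - mean for v in x]
    q = (n - 1) // 2
    ords = []
    for k in range(1, q + 1):
        w = 2.0 * math.pi * k / n
        re = sum(v * math.cos(w * t) for t, v in enumerate(y))
        im = sum(v * math.sin(w * t) for t, v in enumerate(y))
        ords.append((k, (re * re + im * im) / n))
    return ords


def walker_threshold(q, alpha):
    """Critical value: under H0 (iid noise of variance sigma^2) the q scaled
    ordinates I_k/sigma^2 are approximately iid Exp(1), so
    P(max > z) = 1 - (1 - e^{-z})^q; solve for z at significance alpha."""
    return -math.log(1.0 - (1.0 - alpha) ** (1.0 / q))


def walker_test(x, alpha=0.05):
    """Walker's large-sample test on the maximum periodogram ordinate.
    sigma^2 is replaced by the sample variance (an assumption of this example)."""
    n = len(x)
    mean = sum(x) / n
    var = sum((v - mean) ** 2 for v in x) / n
    if var == 0.0:
        raise ValueError("constant series: no variance to normalize against")
    ords = periodogram(x)
    q = len(ords)
    k_max, i_max = max(ords, key=lambda kv: kv[1])
    stat = i_max / var
    # P(max of q iid Exp(1) > stat), evaluated without cancellation for large stat
    p_value = -math.expm1(q * math.log1p(-math.exp(-stat)))
    threshold = walker_threshold(q, alpha)
    return {
        "stat": stat,
        "threshold": threshold,
        "p_value": p_value,
        "k_max": k_max,
        "period": n / k_max,  # dominant period in bins (seconds here)
        "periodic": stat > threshold,
    }


if __name__ == "__main__":
    n, T = 600, 30  # ten minutes of one-second bins, beacon period T (constructed)
    bot = simulate_traffic(n, T, duty=0.1, beacon_pkts=5, background_rate=2.0)
    quiet = simulate_traffic(n, T, duty=0.1, beacon_pkts=0, background_rate=2.0)
    for name, x in (("bot + background", bot), ("background only", quiet)):
        r = walker_test(x)
        print(f"{name}: stat={r['stat']:.1f} threshold={r['threshold']:.2f} "
              f"p={r['p_value']:.2e} period={r['period']:.1f}s periodic={r['periodic']}")
    # Duty-cycle sweep at fixed period: the statistic grows with the duty cycle
    for duty in (0.1, 0.2, 0.3, 0.5):
        r = walker_test(simulate_traffic(n, T, duty, 5, 2.0))
        print(f"duty={duty:.1f}  stat={r['stat']:.1f}  period={r['period']:.1f}s")
```

Because the beacon is a pulse train rather than a sinusoid, its energy is spread over harmonics of 1/T, so with a small duty cycle the maximum ordinate may fall on a harmonic (period T/2 or T/3) rather than on T itself; a detector that wants the period should check the fundamental and its first harmonics together. The sweep in the `__main__` block reproduces, in this toy model, the duty-cycle trend the abstract reports: a longer pulse puts more energy into the fundamental line relative to the sample variance, so the statistic rises.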
