Botnet protocol inference in the presence of encrypted traffic
| Field | Value |
|---|---|
| Author | Somesh Jha, Ruben Torres, Gaspar Modelo-Howard, Lorenzo De Carli, Alok Tongaonkar |
| Year of publication | 2017 |
| Subject | business.industry, Computer science, Botnet, 020206 networking & telecommunications, 02 engineering and technology, Sality, Encryption, computer.software_genre, ZeroAccess botnet, Multiple encryption, 0202 electrical engineering, electronic engineering, information engineering, 40-bit encryption, Malware, 020201 artificial intelligence & image processing, business, Communications protocol, Protocol (object-oriented programming), computer, Computer network |
| Source | INFOCOM |
| DOI | 10.1109/infocom.2017.8057064 |
| Description | Network protocol reverse engineering of botnet command and control (C&C) is a challenging task, which requires various manual steps and a significant amount of domain knowledge. Furthermore, most of today's C&C protocols are encrypted, which prevents any analysis of the traffic without first discovering the encryption algorithm and key. To address these challenges, we present an end-to-end system for automatically discovering the encryption algorithm and keys, generating a protocol specification for the C&C traffic, and crafting effective network signatures. In order to infer the encryption algorithm and key, we enhance state-of-the-art techniques to extract this information using lightweight binary analysis. In order to generate protocol specifications, we infer field types purely by analyzing network traffic. We evaluate our approach on three prominent malware families: Sality, ZeroAccess and Ramnit. Our results are encouraging: the approach decrypts all three protocols, detects 97% of fields whose semantics are supported, and infers specifications that correctly align with real protocol specifications. |
| Database | OpenAIRE |
| External link | |