Abstract
We consider the problem of using flow-level data for detection of botnet command and control (C&C) activity. We find that current approaches do not consider timing-based calibration of the C&C traffic traces prior to using this traffic to salt a background traffic trace. Thus, timing-based features of the C&C traffic may be artificially distinctive, potentially leading to (unrealistically) optimistic flow classification results. In this paper, we show that round-trip times (RTT) of the C&C traffic are significantly smaller than that of the background traffic. We present a method to calibrate the timing-based features of the simulated botnet traffic by estimating eligible RTT samples from the background traffic. We then salt C&C traffic, and design flow classifiers under four scenarios: with and without calibrating timing-based features of C&C traffic, without using timing-based features, and calibrating C&C traffic only in the test set. In the flow classifier, we strive to use features that are not readily susceptible to obfuscation or tampering such as port numbers or protocol-specific information in the payload header. We discuss the results for several supervised classifiers, evaluating botnet C&C traffic precision, recall, and overall classification accuracy. Our experiments reveal to what extent the presence of timing artifacts in botnet traces leads to changes in classifier results.
| Original language | English (US) |
|---|---|
| State | Published - 2011 |
| Event | 4th Workshop on Cyber Security Experimentation and Test, CSET 2011 - San Francisco, United States Duration: Aug 8 2011 → … |
Conference
| Conference | 4th Workshop on Cyber Security Experimentation and Test, CSET 2011 |
|---|---|
| Country/Territory | United States |
| City | San Francisco |
| Period | 8/8/11 → … |
All Science Journal Classification (ASJC) codes
- Computer Networks and Communications
- Safety, Risk, Reliability and Quality