Military Communications and Information Technology: A Trusted ...

398 Military Communications and Information Technology...
At this point, we want to leave the field of traditional intrusion detection
and take a look at a small set of approaches from the field of traffic classification.
The first is BLINC [8], which tries to infer the applications running on a particular
host only from basic properties of netflows, describing the behaviour of applications
with graphlets. These graphs describe for a specific IP address the volume
of destination IP addresses, source and destination ports and transport protocol
expected for a given type of application. Graphlets can also be combined to characterise
a host running several applications at the same time. While the authors
present examples for some attacks, they do not provide general models for malicious
activities. Also, often the graphlets provided refer to a coarse class of application
rather than a specific protocol, indicating that the feature set may be too small to
provide more accurate discrimination.
Bernaille et al. [9] demonstrated that with only considering the size and direction
of the first few packets of a flow with application payload, you can achieve
a significant level of accuracy with regard to which protocol the flow’s payload
belongs to. A similar approach by Crotti et al. [10] uses a superset of features that
do not require access to the payload and are aggregated for a complete flow to
reliably assign one of four classes, including an “other” class, to a particular flow.
They later extended their method to detect tunnelling through other protocols [11].
Instead of manually designed application signatures, these approaches rely on
correctly preclassified training sets that allow them to determine the distribution
functions of the observed features for each of the applications they are designed
to discriminate.
The selection of features to observe is a critical part in some of the above but
also our own approach. An essential part of identifying the most promising features
is to analyse the behaviour of the applications we want to detect and how it will
differ from other applications. Thus, our starting point is the bot herder’s intent
of hiding and securing their botnets’ C 2 channel and we explore the design which
is likely to emerge from this intent in section IV. This, together with an analysis
of the relation between observations on the network layer and the application that
generated it in section V, provides a background for identifying the features we
want to observe for detecting future botnets.
IV. Future botnets
Bot herders generally aim for improving the resilience of their botnets against
takedown, takeover and detection efforts. Thus, we expect more sophisticated approaches
for protection and obfuscation, in particular in regard to the C 2 channel.
These approaches may include measures in the three domains we discuss in this
section, custom protocols or protocol implementations (section IV.A), steganography
and cryptography (sections IV.B and IV.C and, respectively). Section IV.D
summarises the conclusions implied by our analysis.