
GMU C4I Center Seminar



A First Step Toward Live Botmaster Traceback

Xinyuan Wang, Ph.D., Department of Computer Science at George Mason University

Friday, October 17, 2008 at 3:00 PM

Science & Technology II building, Room 430A

ABSTRACT

Despite the increasing botnet threat, research in the area of botmaster traceback is limited. The four main obstacles are 1) the low-traffic nature of the bot-to-botmaster link; 2) chains of "stepping stones"; 3) the use of encryption along these chains; and 4) mixing with traffic from other bots. Most existing traceback approaches can address one or two of these issues individually, but they cannot handle all of them simultaneously. To address all four problems, we present a novel flow watermarking technique that allows us to uniquely identify and trace any IRC-based botnet flow even if 1) it is encrypted (e.g., via SSL/TLS); 2) it passes multiple intermediate stepping stones (e.g., IRC server, SOCKS); 3) it is mixed with other botnet traffic. Our watermarking scheme relies on adding whitespace padding characters to outgoing IRC messages at the application layer. This produces specific differences in lengths between randomly chosen pairs of messages in a given stream. As a result, our botnet flow watermarking technique only requires a few dozen packets to be effective. To the best of our knowledge, this is the first approach that has the potential to allow real-time botmaster traceback across the Internet. We have empirically validated the effectiveness of our botnet flow watermarking approach with live experiments on PlanetLab nodes and public IRC servers on different continents. We have been able to achieve a virtually 100% detection rate of watermarked (encrypted and unencrypted) IRC traffic with a false positive rate on the order of 10^-5 in all our experiments. Due to the message queuing and throttling functionality of IRC servers, mixing chaff with the watermarked flow does not significantly impact the effectiveness of our watermarking approach.
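The following is an added illustration of the idea in the abstract, not the speaker's implementation: pairs of messages are chosen from a shared key, and the later message of each pair is padded with spaces so that the length difference of the pair encodes one watermark bit. Because a constant per-message overhead (such as TLS record framing) cancels out in the difference, the decoder works from observed record sizes alone. The step size, the pair-selection method, the bit-to-interval mapping and the sample IRC lines are all assumptions made for this example.

```python
"""Illustrative length-difference flow watermark for IRC-style text streams.

Added example, not the talk's code. Pair selection, the step size S and the
bit-to-interval mapping are assumed for illustration only.
"""
import random

IRC_MAX_PAYLOAD = 510  # 512-byte IRC line limit minus the trailing CRLF


def make_stream(n, seed=1):
    """Construct n sample bot-to-controller IRC lines of varying length.
    This is made-up test data, not a real capture."""
    rng = random.Random(seed)
    cmds = ["ping", "sysinfo", "scan 10.0.0.0/8 445",
            "dl http://example.invalid/x", "keylog on"]
    return [f"PRIVMSG #ctrl :{rng.choice(cmds)} id={rng.randrange(10**6)}"
            for _ in range(n)]


def choose_pairs(n_msgs, n_bits, key):
    """Derive n_bits disjoint (i, j) message-index pairs, i < j, from the
    shared watermark key. Disjointness means padding one pair never
    disturbs another."""
    if n_msgs < 2 * n_bits:
        raise ValueError("need at least 2 messages per watermark bit")
    rng = random.Random(key)
    idx = list(range(n_msgs))
    rng.shuffle(idx)
    return [tuple(sorted((idx[2 * k], idx[2 * k + 1]))) for k in range(n_bits)]


def embed(messages, bits, key, step):
    """Pad the later message of each pair with spaces so that
    (len(m_j) - len(m_i)) mod 2*step lands in the centre of the interval
    for bit b: [0, step) encodes 0, [step, 2*step) encodes 1."""
    out = list(messages)
    for (i, j), b in zip(choose_pairs(len(messages), len(bits), key), bits):
        d = len(out[j]) - len(out[i])
        target = b * step + step // 2        # centre of the wanted interval
        pad = (target - d) % (2 * step)      # smallest padding that hits it
        out[j] = out[j] + " " * pad
        if len(out[j]) > IRC_MAX_PAYLOAD:
            raise ValueError("padding would exceed the IRC line limit")
    return out


def extract(lengths, n_bits, key, step):
    """Recover watermark bits from observed message lengths only. A constant
    per-record overhead (e.g. TLS framing) cancels in the difference."""
    pairs = choose_pairs(len(lengths), n_bits, key)
    return [((lengths[j] - lengths[i]) % (2 * step)) // step for i, j in pairs]


def matches(lengths, bits, key, step):
    """Number of watermark bits that decode correctly; a detector would
    declare a flow watermarked when this exceeds a threshold."""
    got = extract(lengths, len(bits), key, step)
    return sum(int(g == b) for g, b in zip(got, bits))


if __name__ == "__main__":
    KEY, STEP = 0xC4150, 4
    WM = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1]
    clean = make_stream(40)
    marked = embed(clean, WM, KEY, STEP)
    # The observer sees only sizes; +29 models a constant per-record overhead.
    observed = [len(m) + 29 for m in marked]
    print("watermarked stream:", matches(observed, WM, KEY, STEP), "of", len(WM))
    print("unmarked stream:   ",
          matches([len(m) for m in clean], WM, KEY, STEP), "of", len(WM))
```

The chaff and stepping-stone behaviour discussed in the abstract is outside this sketch: it assumes the observer can attribute each message to the flow and that message boundaries survive, which is what makes IRC (one message per line, per-message TLS records) a favourable target. An unwatermarked stream decodes to roughly half the bits by chance, so the detection threshold and the number of bits together set the false positive rate.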

BIO

Xinyuan Wang received his Ph.D. in Computer Science from N.C. State University in 2004. His research interests are in computer network and system security. He developed the first inter-packet-timing-based packet flow watermarking scheme that is provably robust against timing perturbation; this work won third place in the 2004 ACM Worldwide (Graduate) Student Research Competition Grand Finals. He was the first to demonstrate that it is feasible to track encrypted, anonymous peer-to-peer VoIP calls on the Internet. In later work, he demonstrated the fundamental limitations of existing low-latency anonymous communication systems against timing-based correlation, and developed the first practical attack that "penetrated" Total Net Shield™, the "ultimate solution in online identity protection."





Last updated: 06/09/2014