Center for Measurement and Analysis of Network Data

Transport Traffic Analysis
Transport Traffic Analysis (TTA) exploits the discriminatory power of TCP-layer traffic artifacts to identify and mitigate abusive traffic. Current research includes:
  1. Applying TTA in multiple domains, including characterization of scam infrastructure and bot-based attacks
  2. Transitioning TTA to deployable, production-ready capabilities for providers
Abstract:
"Botnets" are distributed collections of compromised networked machines under common control. Botnets provide a formidable computing and communication platform by harnessing the power of thousands, or even millions, of nodes for a common collective purpose. Unfortunately, that purpose is often malicious and economically or politically motivated. This research investigates a unique approach to detecting bots and botnet infrastructure, and to mitigating abusive traffic, via Transport-level Traffic Analysis (TTA).

Significant prior research explores network reputation metrics, command-and-control communication structure, traffic signatures, etc. to detect botnets. However, reputation metrics, for instance those using IP addresses as pseudo-identifiers, are unreliable, and signature-based schemes are easily evaded. Our work exploits the discriminatory power of transport-layer traffic signal analysis to infer malicious and abusive behavior, especially from botnets. In particular, we have shown that by solely using transport-layer traffic features, e.g. TCP retransmits, advertised receiver window, out-of-order packets, delay, jitter, etc., one can reliably infer whether the source of a traffic flow is legitimate or a member of a botnet. The key insight is that local botnet behavior manifests remotely as a discriminative signal. Because bots are frequently attached via asymmetric residential connections with large buffers, they necessarily congest their local uplink, an effect that is remotely detectable. Rather than relying on content signatures or reputation measures, this project exploits botnets' basic requirement to source large amounts of data, be it attacks, scam hosting, spam, or other yet-to-be-imagined malicious traffic.
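
As an added illustration (not CMAND's code), the following Python derives the per-flow features named above from constructed TCP segment records and applies an illustrative threshold rule; the thresholds and sample flows are assumptions for demonstration, not the project's classifier.

```python
# Added example (not CMAND's code): derive the transport-layer features the
# text names (retransmits, out-of-order segments, advertised receiver window,
# inter-arrival jitter) from one TCP flow seen at a remote vantage point, then
# apply an illustrative threshold rule. Thresholds and flows are constructed.
from dataclasses import dataclass
from statistics import mean

@dataclass
class Seg:
    t: float      # arrival time (seconds) at the observation point
    seq: int      # TCP sequence number of the segment's first byte
    length: int   # payload bytes
    rwnd: int     # advertised receiver window carried by the segment

def flow_features(segs):
    """Per-flow statistics over the sender's data segments, in arrival order."""
    if not segs:
        raise ValueError("empty flow")
    seen, highest = set(), -1
    retrans = ooo = 0
    gaps, last_t = [], None
    for s in sorted(segs, key=lambda x: x.t):
        if s.seq in seen:
            retrans += 1           # sequence number seen before: retransmission
        elif s.seq < highest:
            ooo += 1               # new data below the high-water mark: reordering
        seen.add(s.seq)
        highest = max(highest, s.seq + s.length)
        if last_t is not None:
            gaps.append(s.t - last_t)
        last_t = s.t
    # jitter: mean absolute change between consecutive inter-arrival gaps
    jitter = mean(abs(a - b) for a, b in zip(gaps, gaps[1:])) if len(gaps) > 1 else 0.0
    n = len(segs)
    return {"retrans_frac": retrans / n, "ooo_frac": ooo / n,
            "jitter_s": jitter, "mean_rwnd": mean(s.rwnd for s in segs)}

def looks_congested(feat, max_retrans=0.05, max_jitter=0.02):
    """Illustrative rule (assumed thresholds): heavy retransmission or erratic
    inter-arrival gaps are consistent with a sender saturating its own uplink."""
    return feat["retrans_frac"] > max_retrans or feat["jitter_s"] > max_jitter

# Constructed sample flows (not real captures): a smooth transfer and one
# showing retransmits, reordering and bursty gaps typical of a full uplink.
CLEAN = [Seg(0.01 * i, 1460 * i, 1460, 65535) for i in range(10)]
CONGESTED = [Seg(0.00, 0, 1460, 8192), Seg(0.05, 1460, 1460, 8192),
             Seg(0.06, 0, 1460, 8192),                                  # retransmit
             Seg(0.31, 4380, 1460, 8192), Seg(0.32, 2920, 1460, 8192),  # reordered
             Seg(0.60, 1460, 1460, 8192)]                               # retransmit
```

Calling `flow_features(CONGESTED)` yields a retransmit fraction of one third and a jitter near 0.2 s, which the rule flags, while `CLEAN` produces zero retransmits and negligible jitter.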

Our IP- and content-agnostic approach provides new capabilities. By using statistical traffic signal characterization methods, we construct a difficult-to-subvert discriminator. In addition to significantly enhancing the performance of other traffic classifiers, TTA is uniquely suited for use amid stringent privacy laws, on constrained satellite links, etc. Further, by being privacy-preserving, TTA may be deployed within the network core and offers the possibility to stanch malicious traffic before it saturates access links.
