Learning regular sets from queries and counterexamples
Information and Computation
Inference of finite automata using homing sequences
STOC '89 Proceedings of the twenty-first annual ACM symposium on Theory of computing
Equivalence checking using cuts and heaps
DAC '97 Proceedings of the 34th annual Design Automation Conference
Model checking
Introduction to Algorithms
Machine Learning
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Tor: the second-generation onion router
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
State Reduction in Incompletely Specified Finite-State Machines
IEEE Transactions on Computers
Polyglot: automatic extraction of protocol message format using dynamic binary analysis
Proceedings of the 14th ACM conference on Computer and communications security
Peer-to-peer botnets: overview and case study
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Wide-scale botnet detection and characterization
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Discoverer: automatic protocol reverse engineering from network traces
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Automated assumption generation for compositional verification
Formal Methods in System Design
Tupni: automatic reverse engineering of input formats
Proceedings of the 15th ACM conference on Computer and communications security
SS'08 Proceedings of the 17th conference on Security symposium
Prospex: Protocol Specification Extraction
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering
Proceedings of the 16th ACM conference on Computer and communications security
FM '09 Proceedings of the 2nd World Congress on Formal Methods
ReFormat: automatic reverse engineering of encrypted messages
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Grammatical Inference: Learning Automata and Grammars
Grammatical Inference: Learning Automata and Grammars
Insights from the inside: a view of botnet management from infiltration
LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Fast and precise sanitizer analysis with BEK
SEC'11 Proceedings of the 20th USENIX conference on Security
MACE: model-inference-assisted concolic exploration for protocol and vulnerability discovery
SEC'11 Proceedings of the 20th USENIX conference on Security
B@bel: leveraging email delivery for spam mitigation
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Analysis of a "/0" stealth scan from a botnet
Proceedings of the 2012 ACM conference on Internet measurement conference
A theory of history dependent abstractions for learning interface automata
CONCUR'12 Proceedings of the 23rd international conference on Concurrency Theory
ISoLA'12 Proceedings of the 5th international conference on Leveraging Applications of Formal Methods, Verification and Validation: technologies for mastering change - Volume Part I
Learning techniques for software verification and validation
ISoLA'12 Proceedings of the 5th international conference on Leveraging Applications of Formal Methods, Verification and Validation: technologies for mastering change - Volume Part I
Survey and taxonomy of botnet research through life-cycle
ACM Computing Surveys (CSUR)
| Hi-index | 0.00 |
We propose a novel approach to infer protocol state machines in the realistic high-latency network setting, and apply it to the analysis of botnet Command and Control (C &C) protocols. Our proposed techniques enable an order of magnitude reduction in the number of queries and time needed to learn a botnet C &C protocol compared to classic algorithms (from days to hours for inferring the MegaD C &C protocol). We also show that the computed protocol state machines enable formal analysis for botnet defense, including finding the weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations of protocol implementations which can be used for fingerprinting. We validate our technique by inferring the protocol state-machine from Postfix's SMTP implementation and comparing the inferred state-machine to the SMTP standard. Further, our experimental results offer new insights into MegaD's C &C, showing our technique can be used as a powerful tool for defense against botnets.