Timing analysis in P2P botnet traffic using probabilistic context-free grammars

  • Authors:
  • Chen Lu; Richard R. Brooks

  • Affiliations:
  • Clemson University; Clemson University

  • Venue:
  • Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
  • Year:
  • 2013

Abstract

Botnets are becoming a major source of spam, theft of private data and money, and other cybercrime. During the battle with security communities, botnets became Tailored Trustworthy Spaces (TTS). Bot herders first used encryption and access control of the botnet command and control channel to secure botnet communications. The use of fast-flux and P2P technologies helps botnets become more resilient to detection and takedown. Their fast-evolving propagation, command and control, and attacks make botnets good examples of moving targets. Detecting and removing botnets has become a difficult and important task for the security community. In this paper, we apply timing analysis to P2P hierarchical botnet traffic, since timing signatures commonly exist in automated network processes. We extend previous work to use probabilistic context-free grammars (PCFGs), a more expressive grammar class in the Chomsky hierarchy. Experimental results on a simulated P2P botnet show that PCFGs achieve accurate detection rates. Our approach provides possible "exploits" to compromise TTS and moving target systems. Therefore, timing signatures should be considered in design to make such systems more secure and resilient.
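As an added illustration of the detection approach the abstract describes (example code, not from the paper): packet inter-arrival times are quantized to symbols and scored with the inside algorithm under a small PCFG in Chomsky normal form; the grammar, the timing bins, the threshold and the sample gaps are all constructed here, and the grammar is chosen so that a nested pattern is recognised while a merely alternating one is not.

```python
from collections import defaultdict

def quantize(gaps, edges=(0.05, 0.5)):
    """Map inter-arrival gaps (seconds) to 's'hort/'m'edium/'l'ong symbols; bin edges are assumed."""
    return ['s' if g < edges[0] else 'm' if g < edges[1] else 'l' for g in gaps]

# Hypothetical PCFG in Chomsky normal form (lhs -> [(rhs, prob)]); terminals are 1-tuples.
# It models a nested "n short gaps then n long gaps" (s^n l^n) timing pattern, which no
# regular grammar or fixed-order n-gram model can express exactly.
GRAMMAR = {
    'S': [(('L', 'R'), 0.3), (('L', 'X'), 0.7)],
    'X': [(('S', 'R'), 1.0)],
    'L': [(('s',), 1.0)],
    'R': [(('l',), 1.0)],
}

def inside_prob(tokens, grammar=GRAMMAR, start='S'):
    """Inside algorithm: chart[i][j][A] = P(A derives tokens[i:j]); returns P(start => tokens)."""
    n = len(tokens)
    chart = [[defaultdict(float) for _ in range(n + 1)] for _ in range(n + 1)]
    for i, tok in enumerate(tokens):  # lexical rules fill the diagonal
        for lhs, rules in grammar.items():
            for rhs, p in rules:
                if rhs == (tok,):
                    chart[i][i + 1][lhs] += p
    for span in range(2, n + 1):  # binary rules, bottom-up over span length
        for i in range(n - span + 1):
            j = i + span
            for k in range(i + 1, j):
                for lhs, rules in grammar.items():
                    for rhs, p in rules:
                        if len(rhs) == 2:
                            pb = chart[i][k].get(rhs[0], 0.0)
                            pc = chart[k][j].get(rhs[1], 0.0)
                            if pb and pc:
                                chart[i][j][lhs] += p * pb * pc
    return chart[0][n].get(start, 0.0)

def score_flow(gaps, threshold=1e-6):
    """Return (probability, flagged); threshold is an assumption, not from the paper."""
    p = inside_prob(quantize(gaps))
    return p, p >= threshold

if __name__ == '__main__':
    # Constructed inter-arrival times (seconds), not captured traffic.
    print(score_flow([0.01, 0.02, 0.03, 1.5, 2.0, 1.2]))  # s s s l l l -> ~0.147, flagged
    print(score_flow([0.01, 1.2, 0.03, 0.9]))             # s l s l -> 0.0, not flagged
```

A real deployment would estimate the rule probabilities from labelled traffic rather than hand-setting them, and would score log-probabilities to avoid underflow on long flows.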