Change search
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf
Scanning and Host Fingerprinting Methods for Command and Control Server Detection
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science.
Blekinge Institute of Technology, Faculty of Computing, Department of Computer Science.
2021 (English)Independent thesis Advanced level (professional degree), 20 credits / 30 HE creditsStudent thesis
Abstract [en]

Background. Detecting malware command and control infrastructure has impor-tant applications for protecting against attacks. Much research has focused on thisproblem, but a majority of this research has used traffic monitoring methods fordetection. Objectives. In this thesis we explore methods based on network scanning and active probing, where detection is possible before an attack has begun, in theory resulting in the ability to bring the command and control server down preemptively. Methods. We use network scanning to discover open ports which are then fed into our probing tool for protocol identification and data gathering. Fingerprinting is performed on the open ports and running services of each host.We develop two methods for fingerprinting and classification of hosts. The first method uses a machine learning algorithm over the open ports and probe data, while the other computes distance scores between hosts. We compare these methods to the new but established JARM method for host fingerprinting, as well as to two other simple methods. Results. Our findings suggest that our general active probing method is feasible for use in detecting command and control infrastructure, but that the results vary strongly depending on the malware family, with certain malware families providing much better results than others. Conclusions. We end with discussions on the limitations of our methods and how they can be improved, as well as bring up our opinions on the potential for future work in this area.

Abstract [sv]

Bakgrund. Att kunna upptäcka command-and-control-infrastruktur kopplad till malware har viktiga tillämpningar för syftet att skydda mot attacker. Mycket forskning existerar som fokuserar på detta problem, men en majoritet använder metoder baserade på trafikmonitorering. Syfte. I denna uppsats utforskar vi istället metoder baserade på scanning och probing av nätverk, genom vilka detektering är möjlig innan en attack har ägt rum, med fördelen att en command-and-control-server i teorin kan tas ner förebyggande. Metod. Vi använder nätverks-scanning för att upptäcka öppna portar vilka matas in i vårt probing-verktyg som sedan utför protokoll-identifiering och datainsamling. Vi skapar ett fingeravtryck av varje server från de öppna portarna och de hostade tjänsterna. Två metoder för klassifiering av servrar togs fram. Den första metoden använder en maskininlärningsalgoritm över de öppna portarna och probe-datan, medan den andra beräknar en distans mellan två servrar. Vi jämför dessa metoder med den nya men etablerade JARM-metoden, som tar fram fingeravtryck av servrar från TLS-data, samt med två andra, simplare metoder. Resultat. Våra upptäckter visar att vår metod, som bygger på generell, aktiv probing är möjlig att använda för detektering av command-and-control-infrastruktur, men att resultaten varierar kraftigt beroende på malware-familj, där vissa familjer erbjuder mycket bättre resultat än andra. Slutsatser. Vi avslutar med att diskutera begränsningar i våra metoder och hur dessa kan förbättras, samt tar upp våra åsikter om potentialen för framtida forskning inom detta område.

Place, publisher, year, edition, pages
2021.
Keywords [en]
command and control, C2, CnC, botnet, scanning, probing
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-21768OAI: oai:DiVA.org:bth-21768DiVA, id: diva2:1571926
External cooperation
Orange Cyberdefense
Subject / course
Degree Project in Master of Science in Engineering 30,0 hp
Educational program
DVACD Master of Science in Computer Security
Supervisors
Examiners
Available from: 2021-06-28 Created: 2021-06-23 Last updated: 2022-05-12Bibliographically approved

Open Access in DiVA

fulltext(1240 kB)1552 downloads
File information
File name FULLTEXT01.pdfFile size 1240 kBChecksum SHA-512
8a59af98356527b6a5432441f54a588f8e60663cee795767fe5f36ce4af363e3451f59f139afdc22890d500d399645669af19e5c54899d6c75801d3f20d62b49
Type fulltextMimetype application/pdf

By organisation
Department of Computer Science
Computer Sciences

Search outside of DiVA

GoogleGoogle Scholar
Total: 1555 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

urn-nbn

Altmetric score

urn-nbn
Total: 2372 hits
CiteExportLink to record
Permanent link

Direct link
Cite
Citation style
  • apa
  • ieee
  • modern-language-association-8th-edition
  • vancouver
  • Other style
More styles
Language
  • de-DE
  • en-GB
  • en-US
  • fi-FI
  • nn-NO
  • nn-NB
  • sv-SE
  • Other locale
More languages
Output format
  • html
  • text
  • asciidoc
  • rtf