CT-ISG: Understanding Botnet Command and Control (C&C) Communication

CT-ISG：了解僵尸网络命令和控制（C

• 批准号: 0855297
• 负责人: Xuxian Jiang
• 金额: $ 40万
• 依托单位: North Carolina State University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-08-28 至 2013-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0855297&HistoricalAwards=false
• 关键词: CT; ISG; Understanding; Botnet; Command

National Science FoundationNSF Cyber Trust ProgramProposal Number: 0831160Principal Investigator: Xuxian JiangInstitution: George Mason UniversityProposal Title: CT-ISG: Understanding Botnet Command and Control (C&C) Communication Project Summary Botnets are recognized as one of the most serious threats to today's Internet. To combat them, one key step is to effectively understand how the botnet members communicate with each other. Unfortunately, the trend of adopting various obfuscation schemes (e.g., encryption) in recent bots greatly impedes our understanding. The main thrust of this research is the investigation of several interrelated key techniques to overcome the above challenges and significantly enrich the understanding of botnet command and control. Specifically, this work introduces a methodology called context-aware bot execution monitoring, from the following observations: (1) implementing the bot communication protocol, a bot program contains the authoritative protocol logic it will follow to respond and the ultimate specification of the bot messages it can handle; (2) a bot typically handles different fields of the bot message under different execution contexts, (e.g., with different run-time call stacks). As such, this research will collect, characterize, and analyze traces with execution context information to discern various protocol fields as well as associated semantics in the bot message. The broader impact of this research is two-fold: (1) It will significantly enrich the understanding of the botnet threat by not only observing and inferring the network-level interactions among bots, but also exposing the botnet C&C communication protocol logic behind detailed bot interactions. (2) Results from this research will also lead to the development of education materials for undergraduate and graduate courses and for professional training sessions. Intellectual merit of the work includes a novel approach to reverse engineering the botnet C&C communications protocol.

美国国家科学基金会网络信任计划提案编号：0831160主要研究者：江旭贤机构：乔治梅森大学提案标题：CT-ISG：理解僵尸网络命令和控制（C C）通信项目摘要僵尸网络被认为是当今互联网最严重的威胁之一。 为了对抗它们，关键的一步是有效地了解僵尸网络成员如何相互通信。 不幸的是，采用各种混淆方案（例如，加密）在最近的机器人极大地阻碍了我们的理解。 本研究的主要目的是研究几个相互关联的关键技术，以克服上述挑战，并显着丰富的理解僵尸网络的命令和控制。 具体而言，这项工作介绍了一种称为上下文感知机器人执行监控的方法，从以下观察：（1）实现机器人通信协议，机器人程序包含它将遵循的权威协议逻辑来响应以及它可以处理的机器人消息的最终规范;（2）机器人通常在不同的执行上下文下处理机器人消息的不同字段，（例如，具有不同的运行时调用堆栈）。 因此，本研究将收集、表征和分析具有执行上下文信息的跟踪，以识别机器人消息中的各种协议字段以及相关语义。 这项研究的更广泛的影响是两方面的：（1）它将显着丰富的僵尸网络威胁的理解，不仅观察和推断网络级的机器人之间的交互，但也揭示了僵尸网络C C通信协议逻辑背后的详细的机器人交互。 (2)这项研究的结果还将导致为本科生和研究生课程以及专业培训课程编写教材。知识的工作价值包括一种新的方法来逆向工程僵尸网络C C通信协议。