Experimental Validation of a Command and Control Traffic Detection Model

Vugrin, Eric D.; Hanson, Seth Terence; Cruz, Gerardo Jerry; Glatter, Casey; Tarman, Thomas D.; Pinar, Ali

doi:10.1109/tdsc.2023.3266139

Experimental Validation of a Command and Control Traffic Detection Model

Journal Article · Wed Apr 19 00:00:00 EDT 2023 · IEEE Transactions on Dependable and Secure Computing

DOI:https://doi.org/10.1109/tdsc.2023.3266139· OSTI ID:2311734

^[1]; Hanson, Seth Terence ^[1]; Cruz, Gerardo Jerry ^[1]; Glatter, Casey ^[1]; Tarman, Thomas D. ^[1]; Pinar, Ali ^[1]

Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)

Network intrusion detection systems (NIDS) are commonly used to detect malware communications, including command-and-control (C2) traffic from botnets. NIDS performance assessments have been studied for decades, but mathematical modeling has rarely been used to explore NIDS performance. This paper details a mathematical model that describes a NIDS performing packet inspection and its detection of malware's C2 traffic. Here, the paper further describes an emulation testbed and a set of cyber experiments that used the testbed to validate the model. These experiments included a commonly used NIDS (Snort) and traffic with contents from a pervasive malware (Emotet). Results are presented for two scenarios: a nominal scenario and a “stressed” scenario in which the NIDS cannot process all incoming packets. Model and experiment results match well, with model estimates mostly falling within 95 % confidence intervals on the experiment means. Model results were produced 70-3000 times faster than the experimental results. Consequently, the model's predictive capability could potentially be used to support decisions about NIDS configuration and effectiveness that require high confidence results, quantification of uncertainty, and exploration of large parameter spaces. Furthermore, the experiments provide an example for how emulation testbeds can be used to validate cyber models that include stochastic variability.

View Accepted Manuscript (DOE)

Research Organization:: Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States)

Sponsoring Organization:: USDOE Laboratory Directed Research and Development (LDRD) Program; USDOE National Nuclear Security Administration (NNSA)

Grant/Contract Number:: NA0003525

OSTI ID:: 2311734

Report Number(s):: SAND--2023-03830J

Journal Information:: IEEE Transactions on Dependable and Secure Computing, Journal Name: IEEE Transactions on Dependable and Secure Computing Journal Issue: 3 Vol. 21; ISSN 1545-5971

Publisher:: IEEECopyright Statement

Country of Publication:: United States

Language:: English

References (26)

Survey on network‐based botnet detection methods García, Sebastián; Zunino, Alejandro; Campo, Marcelo Security and Communication Networks, Vol. 7, Issue 5 https://doi.org/10.1002/sec.800	journal	June 2013
Emotet exposed: looking inside highly destructive malware No authors listed Network Security, Vol. 2019, Issue 6 https://doi.org/10.1016/S1353-4858(19)30071-6	journal	June 2019
The 1999 DARPA off-line intrusion detection evaluation Lippmann, Richard; Haines, Joshua W.; Fried, David J. Computer Networks, Vol. 34, Issue 4 https://doi.org/10.1016/S1389-1286(00)00139-0	journal	October 2000
A flow-based approach for Trickbot banking trojan detection Gezer, Ali; Warner, Gary; Wilson, Clifford Computers & Security, Vol. 84 https://doi.org/10.1016/j.cose.2019.03.013	journal	July 2019
Performance comparison of intrusion detection systems and application of machine learning to Snort system Shah, Syed Ali Raza; Issac, Biju Future Generation Computer Systems, Vol. 80 https://doi.org/10.1016/j.future.2017.10.016	journal	March 2018
Improving network intrusion detection system performance through quality of service configuration and parallel technology Bul'ajoul, Waleed; James, Anne; Pannu, Mandeep Journal of Computer and System Sciences, Vol. 81, Issue 6 https://doi.org/10.1016/j.jcss.2014.12.012	journal	September 2015
Performance Evaluation Study of Intrusion Detection Systems Alhomoud, Adeeb; Munir, Rashid; Disso, Jules Pagna Procedia Computer Science, Vol. 5 https://doi.org/10.1016/j.procs.2011.07.024	journal	January 2011
BotDet: A System for Real Time Botnet Command and Control Traffic Detection Ghafir, Ibrahim; Prenosil, Vaclav; Hammoudeh, Mohammad IEEE Access, Vol. 6 https://doi.org/10.1109/ACCESS.2018.2846740	journal	January 2018
A taxonomy of Botnet detection techniques Zeidanloo, Hossein Rouhani; Shooshtari, Mohammad Jorjor Zadeh; Amoli, Payam Vahdani 2010 3rd International Conference on Computer Science and Information Technology https://doi.org/10.1109/ICCSIT.2010.5563555	conference	July 2010
Robust Early Stage Botnet Detection using Machine Learning Muhammad, Ali; Asad, Muhammad; Javed, Abdul Rehman 2020 International Conference on Cyber Warfare and Security (ICCWS) https://doi.org/10.1109/ICCWS48432.2020.9292395	conference	October 2020
Botnet: Survey and Case Study Li, Chao; Jiang, Wei; Zou, Xin 2009 Fourth International Conference on Innovative Computing, Information and Control (ICICIC) https://doi.org/10.1109/ICICIC.2009.127	conference	December 2009
Open Source PowerShell-Written Post Exploitation Frameworks Used by Cyber Espionage Groups Nelson, Tjada; Kettani, Houssain 2020 3rd International Conference on Information and Computer Technologies (ICICT) https://doi.org/10.1109/ICICT50521.2020.00078	conference	March 2020
Intrusion detection testing and benchmarking methodologies Athanasiades, N.; Abler, R.; Levine, J. First IEEE International Workshop on Information Assurance, 2003. IWIAS 2003. Proceedings. https://doi.org/10.1109/IWIAS.2003.1192459	conference	January 2003
National Cyber Range Overview Ferguson, Bernard; Tall, Anne; Olsen, Denise 2014 IEEE Military Communications Conference https://doi.org/10.1109/MILCOM.2014.27	conference	October 2014
Detecting Botnets Using Command and Control Traffic AsSadhan, Basil; Moura, José M. F.; Lapsley, David 2009 Eighth IEEE International Symposium on Network Computing and Applications (NCA) https://doi.org/10.1109/NCA.2009.56	conference	July 2009
The DETER project: Advancing the science of cyber security experimentation and test Mirkovic, Jelena; Benzel, Terry V.; Faber, Ted 2010 IEEE International Conference on Technologies for Homeland Security (HST) https://doi.org/10.1109/THS.2010.5655108	conference	November 2010
A POMDP Approach to the Dynamic Defense of Large-Scale Cyber Networks Miehling, Erik; Rasouli, Mohammad; Teneketzis, Demosthenis IEEE Transactions on Information Forensics and Security, Vol. 13, Issue 10 https://doi.org/10.1109/TIFS.2018.2819967	journal	October 2018
The science of cyber security experimentation: the DETER project Benzel, Terry 27th Annual Computer Security Applications Conference, p. 137-148 https://doi.org/10.1145/2076732.2076752	conference	January 2011
Disclosure Bilge, Leyla; Balzarotti, Davide; Robertson, William Proceedings of the 28th Annual Computer Security Applications Conference https://doi.org/10.1145/2420950.2420969	conference	December 2012
Administrative evaluation of intrusion detection system Wang, Xinli; Kordas, Alex; Hu, Lihui Proceedings of the 2nd annual conference on Research in information technology https://doi.org/10.1145/2512209.2512216	conference	October 2013
Evaluating Computer Intrusion Detection Systems: A Survey of Common Practices Milenkoski, Aleksandar; Vieira, Marco; Kounev, Samuel ACM Computing Surveys, Vol. 48, Issue 1 https://doi.org/10.1145/2808691	journal	September 2015
Entropy-based detection of botnet command and control Richer, Toby J. Proceedings of the Australasian Computer Science Week Multiconference https://doi.org/10.1145/3014812.3014889	conference	January 2017
Cyber threat modeling and validation Vugrin, Eric D.; Cruz, Jerry; Reedy, Christian Proceedings of the 7th Symposium on Hot Topics in the Science of Security https://doi.org/10.1145/3384217.3385626	conference	September 2020
Flow-based Detection and Proxy-based Evasion of Encrypted Malware C2 Traffic Novo, Carlos; Morla, Ricardo Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security https://doi.org/10.1145/3411508.3421379	conference	November 2020
Comparing reproduced cyber experimentation studies across different emulation testbeds Tarman, Thomas; Rollins, Trevor; Swiler, Laura Cyber Security Experimentation and Test Workshop https://doi.org/10.1145/3474718.3474725	conference	August 2021
Exploration of Multifidelity uq Sampling Strategies for Computer Network Applications Geraci, Gianluca; Crussell, Jonathan; Swiler, Laura P. International Journal for Uncertainty Quantification, Vol. 11, Issue 1 https://doi.org/10.1615/Int.J.UncertaintyQuantification.2021033774	journal	January 2021

Similar Records

Botnet behaviour analysis: How would a data analytics-based system with minimum a priori information perform?

Journal Article · Mon May 08 20:00:00 EDT 2017 · International Journal of Network Management · OSTI ID:1543482

A hardware-in-the-loop (HIL) testbed for cyber-physical energy systems in smart commercial buildings

Journal Article · Sun Apr 14 20:00:00 EDT 2024 · Science and Technology for the Built Environment · OSTI ID:2567485

Evaluation of Anomaly Detection for Wide-Area Protection Using Cyber Federation Testbed

Conference · Thu Aug 01 00:00:00 EDT 2019 · 2019 IEEE Power & Energy Society General Meeting (PESGM) · OSTI ID:1985673

Related Subjects

mathematical model
97 MATHEMATICS AND COMPUTING
command and control
cyber experimentation
emulation
intrusion detection
validation

Experimental Validation of a Command and Control Traffic Detection Model

Citation Formats

References (26)

Similar Records

Related Subjects