CHAPTER 4. Node Behavior based C&C Channel Detection for P2P Botnets 62
4.4 Fast and Optimal Detection using SPRT
4.5.4 Discussions and Future Work
As can be seen in the evaluation part, the SPRT-FOD scheme in general outperforms the ITD and CTD schemes. The main reason is that the SPRT-FOD scheme makes use of all the network information in the SPRT test, whereas the CTD/ITD schemes use only partial network information in detection, e.g. only up to the three most popular behaviors are considered. Therefore, using information about more stable behaviors in the test could improve the performance of CTD and ITD.
However, this improvement requires checking a larger number of nodes during BMDT and BPT. In contrast, only a small number of nodes need to be checked in SPRT-FOD, which is a direct benefit of SPRT. We can also apply our detection schemes by monitoring only a subset of nodes that have a higher probability of being infected, depending on the OS version, history of infection, number of abnormal behaviors in the past, etc.
[Figure 4.9: Detection rate of SPRT-FOD for subnet003, 008, 010, 026]
In addition, as shown in the evaluations of the realistic case, we assume that all the destinations bots communicate with are recorded in the training data. In practice, this will rarely happen: at least a portion of the destinations used by bots will be unseen in the training data.
Therefore, an additional attribute recording the number of unseen destinations during behavior profiling would further improve the detection performance of ITD/CTD and SPRT-FOD. Put differently, we regard the evaluation results as a lower bound on the performance of all proposed schemes.
4.5.4.2 Possible Evasion
There are several possible ways for P2P botnets to evade the proposed detection approaches.
Firstly, the botmaster can evade detection by using a random and long (hours or days) response delay in C&C. This reduces the bot sample size available in each detection period, so that there is no evident statistical change in the node behaviors. If this happens, possible solutions include extending the detection time window (e.g. from 10 to 20 minutes or longer) and considering additional attributes such as unseen destinations and DNS, since the P2P botnet may connect to destinations unseen in the training data and use DNS during C&C. We can also weight the different attributes according to their importance to detection; currently, all attributes have weight 1.
On the other hand, as noted in [97], if bots are forced to use a very long response delay, the utility of the botnet to the botmaster is reduced or limited, because the botmaster can no longer command his bots promptly and reliably. For example, computers infected with the bot may be shut down or disconnected from the Internet by users or security professionals during this time, and hence be removed from the botnet.
Furthermore, botnets may also try to use popular destinations and services that match the ones used in the corresponding subnet for C&C in order to evade detection, e.g. using the HTTP and IRC protocols and the corresponding servers for C&C. However, for any subnet, the number of popular destinations is very small compared to the number of unpopular ones, and popular destinations usually have stronger security protection, which makes them harder to use for C&C. Moreover, the use of popular services in C&C gives additional information about the potential protocols used in C&C. Consequently, this kind of detection problem is very similar to the ones considered in centralized botnet detection, and protocol-specific detection schemes can be further applied; this is out of the scope of this Chapter.
Last but not least, covert channels [118] can be used by botnets to hide their actual C&C communications. It is widely acknowledged that, in general, communication randomization, mimicry attacks and covert channels represent limitations for all traffic-based detection approaches [97]. Therefore, to achieve better performance, detection schemes at different levels (e.g. network-wide, protocol-specific, host-based and content-based) should be used jointly to make evasion more difficult.
4.5.4.3 Future Work
To detect a P2P botnet using multiple protocols for C&C, the most difficult part is to detect its existence. As shown in the evaluation section, the proposed ITD, CTD and SPRT-FOD schemes can achieve good performance in both the simple and the realistic case. Once the existence of C&C is detected, either attack correlation based techniques [27] or active approaches [30] can be used to locate the bots. However, to achieve more accurate detection for ITD and CTD in the realistic case, in addition to considering more popular behavior profiles, time effects (daytime or nighttime, weekday or weekend) should be further considered during behavior profiling and detection, as the behavior profiles will be quite different at different times, e.g. backup traffic is usually generated at night.
In addition, there are normal behaviors that only occur occasionally, e.g. payroll at the end of each month or final grades at the end of each semester. In this case, a whitelist of normal but uncommon behavior profiles will help to reduce the false positive rate greatly, especially for ITD and CTD. Further, more trace data from different enterprise networks are also required for a thorough evaluation. To implement our schemes, TCP traffic can be divided into P2P and non-P2P traffic, and detection schemes can then be implemented for each part separately. We will consider the above in our future work.
On the other hand, as noted in the previous section, the node behavior simplification approach and the SPRT-FOD/ITD/CTD schemes in this Chapter should be able to work with any other node behavior profiling scheme, and the performance of SPRT-FOD could be further improved by better behavior profiling schemes from the literature. Possible enhancements include considering additional representative attributes, weighting the different attributes according to their importance for detection, and classifying the destinations into inner and outer parts.
One main concern of our scheme is the unbounded sample size needed under certain situations for SPRT [130] [132]. In this case, a truncated SPRT can be used if the sample size required before a decision is too large. Also, since each round of SPRT requires making a decision (stop or continue), the performance can be further improved by the group based SPRT method [132].
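A worked instance of the truncated SPRT discussed above, added here as an illustration and not code from the thesis. It assumes a hypothetical Bernoulli model in which each checked node yields a binary "abnormal behavior" indicator with probability p0 when no C&C is present and p1 when it is, uses Wald's approximate thresholds for the target error rates alpha and beta, and, once max_samples nodes have been checked without a decision, truncates the test by the sign of the accumulated log-likelihood ratio so the sample size stays bounded.

```python
import math
from typing import Iterable, Tuple


def sprt_log_thresholds(alpha: float, beta: float) -> Tuple[float, float]:
    """Wald's approximate log-thresholds for target false positive rate alpha
    and target miss rate beta: accept H0 (benign) at or below log_b, reject H0
    (declare C&C group activity) at or above log_a."""
    log_a = math.log((1.0 - beta) / alpha)
    log_b = math.log(beta / (1.0 - alpha))
    return log_b, log_a


def truncated_sprt(observations: Iterable[int], p0: float, p1: float,
                   alpha: float, beta: float, max_samples: int) -> Tuple[str, int, bool]:
    """Run a Bernoulli SPRT over per-node 'abnormal behavior' indicators (0/1).

    Hypothetical model (an assumption of this example): under H0 a node is abnormal
    with probability p0, under H1 with probability p1 > p0. Returns
    (decision, samples_used, truncated). The plain SPRT stops at the first threshold
    crossing; if no decision is reached after max_samples observations the test is
    truncated and decided by the sign of the log-likelihood ratio (LLR)."""
    log_b, log_a = sprt_log_thresholds(alpha, beta)
    gain_abnormal = math.log(p1 / p0)                # LLR step for an abnormal node
    gain_normal = math.log((1.0 - p1) / (1.0 - p0))  # LLR step for a normal node
    llr, n = 0.0, 0
    for x in observations:
        n += 1
        llr += gain_abnormal if x else gain_normal
        if llr >= log_a:
            return "infected", n, False
        if llr <= log_b:
            return "benign", n, False
        if n >= max_samples:                         # truncation rule bounds the cost
            return ("infected" if llr > 0.0 else "benign"), n, True
    return "undecided", n, False                     # ran out of nodes to check


if __name__ == "__main__":
    # Constructed sample streams: 1 = abnormal behavior observed for the checked node.
    print(truncated_sprt([1] * 20, 0.1, 0.4, 0.01, 0.01, 50))      # stops after 4 nodes
    print(truncated_sprt([0] * 20, 0.1, 0.4, 0.01, 0.01, 50))      # benign after 12 nodes
    print(truncated_sprt([1, 0, 0] * 4, 0.1, 0.4, 0.01, 0.01, 6))  # capped by truncation
```

The first two streams show the sample-size advantage the text attributes to SPRT (a clear-cut node population is decided after a handful of checks); the third shows a mixed stream that would otherwise keep the test running, cut off by the truncation cap.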
It is also worth mentioning that the t-test used in detection requires, in addition to independence, that the samples have equal variance and that the residuals are normally distributed. In our analysis of the data, we found that a small number of samples do not have equal variance and their residuals are not normally distributed. To address these issues, transformations (e.g. Box-Cox) can be applied before the t-test to achieve equal variance, and a nonparametric test (e.g. the one-sample Wilcoxon signed-rank test) can be used to address the normality issue. As the t-test provides correct results for the data considered in this Chapter, we leave this as future work.
4.6 Conclusion
In this Chapter, we discussed the problem of detecting P2P botnets via their C&C. Based on the observation that node behaviors are correlated at different times, we used a correlation based node behavior profiling scheme whose output can be used in statistical tests. After validating the assumptions, we designed algorithms based on statistical tests to check whether there is any unseen subtle group activity due to C&C in P2P botnets. We also proposed a fast and optimized detection scheme based on SPRT under the worst case attack model. The results of the experiments on real user traces from enterprise networks are encouraging in terms of high detection rate and low false positive rate.
CHAPTER 5. A Novel Background Traffic Modeling Structure for NIDS