Systems Seminar - CSE

Botnets and Stepping Stones: Applications of Encrypted Traffic Analysis

Nikita Borisov, Assistant Professor, University of Illinois at Urbana-Champaign

As part of a push to improve network security, an increasing proportion of traffic on the Internet is now protected by end-to-end encryption. Though helpful for preventing eavesdropping and other attacks, encryption presents a challenge for network monitoring. In particular, attackers are using encryption to hide their activities from network intrusion detection systems. To address this threat, we must turn to traffic analysis: using side channel information, such as connection statistics, packet timings, etc., to detect attacks.

I will discuss two applications of encrypted traffic analysis: detecting stepping stones and identifying peer-to-peer botnets. Stepping stones are compromised computers that are used to relay attack traffic while masking its true origin. Traffic analysis can be used to correlate flows being relayed through an enterprise. I will discuss the use of network flow watermarks: intentional perturbations to packet timings that make it easy to identify flows that are being relayed. I will describe some of our recent work on network flow watermarks and compare them to passive traffic analysis techniques.
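To make the idea of a timing watermark concrete, here is a simplified interval-centroid scheme as an added example in Python; it is not the speaker's scheme or code. It assumes fixed one-second intervals, a secret key that selects which intervals carry watermark bits, a stepping stone that only adds small jitter, and that clock alignment and the constant forwarding delay have already been handled by the detector (all of these are assumptions of the example).

```python
import random

INTERVAL = 1.0  # seconds per time slot

def make_flow(n_packets, rate, seed):
    """Constructed sample flow: timestamps with exponential inter-packet gaps."""
    rng, t, times = random.Random(seed), 0.0, []
    for _ in range(n_packets):
        t += rng.expovariate(rate)
        times.append(t)
    return times

def embed(times, key, bits):
    """For each 1 bit, delay the packets of the key-selected interval so they
    all land in its second half (offset o -> T/2 + o/2, order preserving)."""
    marked = []
    for t in times:
        idx = int(t // INTERVAL)
        if idx in key and bits[key.index(idx)] == 1:
            t = idx * INTERVAL + INTERVAL / 2 + (t - idx * INTERVAL) / 2
        marked.append(t)
    return marked

def relay(times, seed, max_jitter=0.02):
    """Stepping stone: forwards every packet after a small random delay."""
    rng = random.Random(seed)
    return [t + rng.uniform(0, max_jitter) for t in times]

def centroids(times):
    """Mean packet offset within each interval, in [0, INTERVAL)."""
    buckets = {}
    for t in times:
        idx = int(t // INTERVAL)
        buckets.setdefault(idx, []).append(t - idx * INTERVAL)
    return {i: sum(v) / len(v) for i, v in buckets.items()}

def detect(times, key, bits):
    """Read one bit per key interval (centroid > 0.625*T means 1; an unmarked
    interval sits near 0.5*T) and return how many bits match."""
    c = centroids(times)
    read = [1 if c.get(i, 0.0) > 0.625 * INTERVAL else 0 for i in key]
    return sum(r == b for r, b in zip(read, bits))

def demo():
    bits = [1, 0, 1, 1, 0, 1, 0, 1]
    key = sorted(random.Random(7).sample(range(1, 17), len(bits)))  # secret slots
    flow = make_flow(2000, 100.0, seed=1)  # ~20 s at 100 packets/s
    marked = relay(embed(flow, key, bits), seed=2)
    unmarked = relay(flow, seed=3)
    return detect(marked, key, bits), detect(unmarked, key, bits)
```

The relayed watermarked flow reads back all eight bits, while the unwatermarked flow only matches the zero bits by chance, which is what lets a monitor link the inbound and outbound halves of a relayed connection.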

Botnets are armies of compromised computers that perform coordinated attack activities; they present a critical threat to network security. Botnet authors are making them increasingly stealthy and resilient by encrypting communication between bots and using peer-to-peer communication patterns. I will discuss our new work that shows how large ISPs can use traffic analysis to detect peer-to-peer activity and identify hosts that participate in botnets.

Nikita Borisov is an assistant professor at the University of Illinois at Urbana-Champaign. His research interests are online privacy and Internet-scale distributed systems. He is the co-designer of the “off-the-record” (OTR) instant messaging protocol and was responsible for the first public analysis of 802.11 security. He has also served as co-chair of the Privacy Enhancing Technologies Symposium in 2007 and 2008. Prof. Borisov received his PhD from the University of California, Berkeley in 2005 and a BMath from the University of Waterloo in 1998.

