Transport Traffic Analysis (TTA) exploits the discriminatory power
of TCP-layer traffic artifacts to identify and mitigate abusive
traffic. Current research includes:
- Applying TTA in multiple domains, including characterization of
scam infrastructure and bot-based attacks
- Transitioning TTA to deployable, production-ready capabilities
for providers
Abstract:
"Botnets" are distributed collections of compromised networked
machines under common control. Botnets provide a formidable
computing and communication platform by harnessing the power of
thousands, or even millions, of nodes for a common collective
purpose. Unfortunately, that purpose is often malicious and
economically or politically motivated. This research investigates a
unique approach to detecting bots, botnet infrastructure, and
mitigating abusive traffic via Transport-level Traffic
Analysis (TTA).
Significant prior research explores network reputation metrics,
command-and-control communication structure, traffic signatures,
etc. to detect botnets. However, reputation metrics, for instance
using IP addresses as pseudo-identifiers, are unreliable and
signature-based schemes are easily evaded. Our work exploits the
discriminatory power of transport-layer traffic signal analysis to
infer malicious and abusive behavior, especially from botnets. In
particular, we have shown that by solely using transport-layer
traffic features, e.g. TCP retransmits, advertised receiver window,
out-of-order packets, delay, jitter, etc., one can reliably infer
whether the source of a traffic flow is legitimate or originating
from a member of a botnet. The key insight is that local botnet
behavior manifests remotely as a discriminative signal. Because
bots are frequently attached via asymmetric residential connections
with large buffers, they necessarily congest their local uplink --
an effect that is remotely detectable. Rather than relying on
content signatures or reputation measures, this project exploits
botnets' basic requirement to source large amounts of data, be it
attacks, scam-hosting, spam, or other yet-to-be imagined malicious
traffic.
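As an added illustration (not the project's own code), the Python sketch below extracts a few of the transport-layer features named above from a one-directional packet list and applies a simple threshold discriminator; the `Pkt` fields, the feature definitions, the sample flows and the thresholds are all constructed assumptions, not values from this research.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Pkt:
    t: float   # arrival time at the observer (seconds)
    seq: int   # TCP sequence number of the first payload byte
    size: int  # payload bytes
    rwnd: int  # advertised receiver window (bytes)

def flow_features(pkts):
    """Per-flow transport-layer features from one direction of a flow."""
    seen, max_end, retrans, ooo = set(), 0, 0, 0
    for p in pkts:
        if p.seq in seen:
            retrans += 1          # same sequence number sent again
        elif p.seq < max_end:
            ooo += 1              # new data arriving behind the high-water mark
        seen.add(p.seq)
        max_end = max(max_end, p.seq + p.size)
    gaps = [b.t - a.t for a, b in zip(pkts, pkts[1:])]
    n = len(pkts)
    return {
        "retrans_ratio": retrans / n,
        "ooo_ratio": ooo / n,
        "jitter": pstdev(gaps) if len(gaps) > 1 else 0.0,  # inter-arrival spread
        "mean_rwnd": mean(p.rwnd for p in pkts),
    }

def classify(feat, retrans_thr=0.05, ooo_thr=0.05, jitter_thr=0.05):
    """Illustrative discriminator: thresholds are assumed, not fitted."""
    hits = sum([feat["retrans_ratio"] > retrans_thr,
                feat["ooo_ratio"] > ooo_thr,
                feat["jitter"] > jitter_thr])
    return "congested-uplink" if hits >= 2 else "clean"

# Constructed sample flows (not captured traffic): a well-provisioned
# sender versus one whose asymmetric residential uplink is congested.
LEGIT = [Pkt(0.01 * i, 1000 * i, 1000, 65535) for i in range(6)]
BOT = [Pkt(t, s, 1000, 8192) for t, s in
       [(0.00, 0), (0.02, 1000), (0.09, 0), (0.10, 3000),
        (0.30, 3000), (0.31, 2000), (0.60, 1000)]]

if __name__ == "__main__":
    for name, flow in (("legit", LEGIT), ("bot", BOT)):
        print(name, classify(flow_features(flow)), flow_features(flow))
```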
Our IP- and content-agnostic approach provides novel
capabilities. By using statistical traffic signal characterization
methods, we construct a difficult-to-subvert discriminator. In
addition to significantly enhancing the performance of other traffic
classifiers, TTA is uniquely suited for use amid stringent
privacy laws, on constrained satellite links, etc. Further, by
being privacy-preserving, TTA may be deployed within the network
core and offers the possibility to stanch malicious traffic before
it saturates access links.