Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems

Bossert, Georges; Hiet, Guillaume; Henin, Thibaut

doi:10.1109/sar-ssi.2011.5931397

Cited by 14 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Other applications target generating behavioral specifications of Web applications [61], the new biometric European passport [4], bot nets [12], and enterprise applications [73]. Margaria et al showed that model learning may help to increase confidence that a legacy component and a refactored implementation have the same behavior [53].…”

Section: Related Work and Applicationsmentioning

confidence: 99%

Combining Black-Box and White-Box Techniques for Learning Register Automata

Howar

Jönsson

Vaandrager

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Model learning is a black-box technique for constructing state machine models of software and hardware components, which has been successfully used in areas such as telecommunication, banking cards, network protocols, and control software. The underlying theoretic framework (active automata learning) was first introduced in a landmark paper by Dana Angluin in 1987 for finite state machines. In order to make model learning more widely applicable, it must be further developed to scale better to large models and to generate richer classes of models. Recently, various techniques have been employed to extend automata learning to extended automata models, which combine control flow with guards and assignments to data variables. Such techniques infer guards over data parameters and assignments from observations of test output. In the black-box model of active automata learning this can be costly and require many tests, while in many application scenarios source code is available for analysis. In this paper, we explore some directions for future research on how black-box model learning can be enhanced using white-box information extraction methods, with the aim to maintain the benefits of dynamic black-box methods while making effective use of information that can be obtained through white-box techniques.

show abstract

Section: Related Work and Applicationsmentioning

confidence: 99%

Combining Black-Box and White-Box Techniques for Learning Register Automata

Howar

Jönsson

Vaandrager

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In our scenario, this is the ProxyOracle Figure 8. Learned model of an e-commerce application, learned with the setup descriptor of Figure 6 (lines [4][5]. This oracle translates symbols of a special form to invocations on the proxy object.…”

Section: Usage In Learnlibmentioning

confidence: 99%

“…In recent years, automata learning has been employed to create formal models of real-life systems, such as electronic passports [1], telephony systems [5,7], web applications [14,15], communication protocol entities [3], and malicious networked agents [4]. The wide scope of application areas gives testimony on the universality of the automata learning approach.…”

Section: Introductionmentioning

confidence: 99%

Automated Learning Setups in Automata Learning

Merten

Isberner

Howar

et al. 2012

Leveraging Applications of Formal Methods, Verification and Validation. Technologies for Mastering Change

View full text Add to dashboard Cite

Test drivers are an essential part of any practical active automata learning setup. These components to accomplish the translation of abstract learning queries into concrete system invocations while managing runtime data values in the process. In current practice test drivers typically are created manually for every single system to be learned. This, however, can be a very time-consuming and thus expensive task, making it desirable to find general solutions that can be reused. This paper discusses how test drivers can be created for LearnLib, a flexible automata learning framework. Starting with the construction of application-specific test drivers by hand, we will discuss how a generic test driver can be employed by means of configuration. This configuration is created manually or (semi-)automatically by analysis of the target system's interface.

show abstract

“…Les messages qui déclenchent une vulnérabilité peuvent être traduits en signatures et ajoutés à un système de détection d'intrusion, par exemple. L'analyse de protocoles de malware (Bossert et al, 2011 ;Caballero et al, 2009 ;Caballero Bayerri, 2010) s'appuie sur la rétro-conception. En effet, bon nombre de malware, comme les bots, utilisent des protocoles pour communiquer avec leur serveur de Command & Control.…”

Section: Introductionunclassified

Outils pour la rétro-conception de protocoles. Analyse et classification

Alata¹,

Nicomette²,

Duchêne³

et al. 2016

Techniques et sciences informatiques

View full text Add to dashboard Cite

La rétro-conception de protocoles de communication consiste à développer des méthodes et outils permettant d'inférer un modèle de ce protocole. Elle est utilisée dans de nombreux domaines d'application, allant de l'interopérabilité à l'audit de sécurité. Durant les douze dernières années, de nombreux outils ont été développés pour automatiser tout ou partie de l'inférence de protocole. Ils s'aident de différentes techniques, que les auteurs choisissent et adaptent en fonction du but final de leur rétro-conception. Le but de cet article est de présenter un état de l'art de ces différents outils, en essayant de dégager les grandes familles de techniques utilisées jusqu'à ce jour. ABSTRACT. Communication protocols reverse engineering consists in developing methods and techniques enabling the inference of a model of these protocols. It is used for different purposes such as to ensure interoperability or to perform security audits. During the last twelve years, numerous tools have been developed to automate, totally or partially, the inference of protocols. The tools rely of various techniques, that are selected and tuned depending on the goal of the reverse engineering activity. The aim of this paper is to present the state of the art of reverse engineering tools, and to identify the major categories of techniques used by these tools. MOTS-CLÉS : rétro-conception, inférence de protocole, analyse de traces réseau, analyse d'applications binaires.

show abstract

Modelling to Simulate Botnet Command and Control Protocols for the Evaluation of Network Intrusion Detection Systems

Cited by 14 publications

References 11 publications

Combining Black-Box and White-Box Techniques for Learning Register Automata

Combining Black-Box and White-Box Techniques for Learning Register Automata

Automated Learning Setups in Automata Learning

Outils pour la rétro-conception de protocoles. Analyse et classification

Contact Info

Product

Resources

About