Scanning and Host Fingerprinting Methods for Command and Control Server Detection

University essay from Blekinge Tekniska Högskola/Institutionen för datavetenskap

Abstract: Background. Detecting malware command and control infrastructure has important applications for protecting against attacks. Much research has focused on this problem, but a majority of this research has used traffic monitoring methods for detection. Objectives. In this thesis we explore methods based on network scanning and active probing, where detection is possible before an attack has begun, in theory resulting in the ability to bring the command and control server down preemptively. Methods. We use network scanning to discover open ports, which are then fed into our probing tool for protocol identification and data gathering. Fingerprinting is performed on the open ports and running services of each host. We develop two methods for fingerprinting and classification of hosts. The first method uses a machine learning algorithm over the open ports and probe data, while the other computes distance scores between hosts. We compare these methods to the new but established JARM method for host fingerprinting, as well as to two other simple methods. Results. Our findings suggest that our general active probing method is feasible for use in detecting command and control infrastructure, but that the results vary strongly depending on the malware family, with certain malware families providing much better results than others. Conclusions. We end with a discussion of the limitations of our methods and how they can be improved, and present our views on the potential for future work in this area.