The above analysis can be also applied to the control plane traffic packets [8]. Control plane traffic packets as AsSadhan et. al define [8] are the packets “that set, maintain, or tear down a connection”. Data plane traffic packets are those packets that are involved in the transmission of the actual data. For TCP packets, we treat a packet as a control plane packet if it is one of these four types:(1)

SYN packet.

We apply discrete time series analysis to TCP control plane traffic due to its similar behavior to the data plane traffic as discussed previously [8]. The reason behind this similarity is that the generation of data traffic is based on the generation of the control traffic [8]. Therefore, analyzing the control plane traffic only we might suffices for analyzing the whole traffic (i.e., control and data planes). Such analysis reduces the amount of traffic to look at, which further implies fewer computations and faster analysis, both contributing to higher scalability. We note that since UDP is a connectionless unreliable protocol, the information in a packet’s UDP header is not sufficient to decide whether to treat it as a control or data plane packet. Thus, unless we have access to the packet’s application header and this header has sufficient information, it is not possible to decompose UDP packets into control and data planes packets as in the case of TCP.

From Fig. 1’s bottom plots, we can see that the periodogram of any signal whether it is periodic or aperiodic will always have a peak. Thus, we need to have the ability to decide whether the peak is significant enough when compared to the rest of the periodogram’s ordinates to declare that the sequence contains a periodic component or not. We use binary hypothesis testing [17,18] to achieve this.

Before setting up the two hypotheses test, we state a basic assumption we adopt; the count-feature sequence extracted from the network traffic communication of a given host on a given port has a Poisson distribution. We acknowledge that Poisson statistics may or may not be an accurate model for network traffic at a given host on a given port. We use it to simplify the analysis. Other exponential family models will affect the threshold selection, but not the test itself.

The Poisson distribution is a good approximation to the binomial distribution when the binomial parameter n is large and the binomial parameter p is small1 [19]. A binomial random variable with a large n and its Poisson approximation (when p is small) can be, based on the central limit theorem, approximated by a Gaussian random variable [19]. Therefore, the count-feature sequence extracted from the packet trace after subtracting its mean and normalizing it by its standard deviation, can be treated as a standard Gaussian distribution (i.e., N (0, 1)).

We now set up the null hypothesis H₀; the count-feature sequence x[n] is Gaussian, against the alternative hypothesis H₁; x[n] has a periodic component at some unspecified frequency plus Gaussian noise. Under H₀, it can be shown that the ordinates P_xx[k₀] of the periodogram of x[n] are independent identically distributed (i.i.d.) [10]. Each P_xx[k₀] has a distribution that is proportional to a chi-square distribution with two degrees of freedom [10]. Specifically,Pxx[k0]/σx2=χ22.Since a chi-square distribution with two degrees of freedom is equivalent to an exponential distribution with mean 2, it follows that the probability density function of Pxx[k0]/σx2 isf(x)=12exp(-x/2),0≤x<∞Therefore, for z ⩾ 0,(1)Pr[Pxx[k0]/σx2≤z]=∫0z12exp(-x/2)dx=1-exp(-z/2).

Since we are interested in the periodogram’s ordinate that has the maximum value, we define the ratio test statistics,(2)γx=max0≤k≤m-1(Pxx[k])σx2.Since under H₀, the periodogram ordinates P_xx[k₀] are i.i.d., then it follows that, for z ⩾ 0,(3)Pr[γx>z]=1-Pr[γx≤z]=1-Pr[(Pxx[k0]/σx2)≤z,allk0]=1-(1-exp(-z/2))m,where m is the number of ordinates at the positive frequencies of the periodogram.

Eqs. (1)–(3) assume that the variance σx2 is known a priori. However, in practice, it is typically unknown, and an estimate is used. The variance σx2 can be estimated directly from the time sequence x[n] using the sample variance. But since x[n] might not be available, it is better to estimate σx2 directly from P_xx[k]. The estimate of σx2 according to Priestley [10] can be evaluated byσ^x2=12m∑k=0m-1Pxx[k]The quantity σ^x2 is an unbiased estimate of σx2, and we will use it in place of σx2 in (2) to define the sample ratio test statistic,(4)gx∗=max0≤k≤m-1(Pxx[k])12m∑k=0m-1Pxx[k].When m is large, σ^x2 will be a good approximation to σx2; thus, we can treat the denominator of (4) as σx2. Then, gx∗ will have the same distribution as γx, and asymptotically under H₀ we have, for z ⩾ 0,(5)Pr[gx∗>z]∼1-(1-exp(-z/2))m.The asymptotic distribution of gx∗ is the basis of Walker’s large sample test for max (P_xx[k]), [10].

Under the alternative hypothesis H₁, where the signal is periodic, the sample ratio test statistic gx∗ will be large. This enables us to use a one sided test and select the critical region gx∗>zα, where zα is selected so the right hand side of (5) is equal to α, which represents the false positive probability of the test. If the calculated value of gx∗ from the sample data is less than zα, we then accept H₀, and conclude that x[n] does not have any periodic component. If gx∗ is larger than zα, we then reject H₀, with a false positive probability of α and conclude that x[n] has a periodic component. The value of α is selected based on how small we would like the false positive probability to be.

We note that Fisher has derived an exact test for max (P_xx[k]) [10,12,20]. However, we use Walker’s test for the following reasons: first, Fisher’s test involves using combinatorial coefficients, which are limited in their accuracy as the number of sample points gets large; hence we lose the exactness of the test. Second, even if the number of sample points is not large, evaluating zα in the Fisher test to set the critical region to α is not straight forward. Instead, we need for each measured gx∗ to evaluate the probability that it would be greater than this value, and then check if the probability is smaller than α or not. Third, usually, we are not short of network traffic to get a good estimate σ^x2 to use in the denominator of (4).

In Walker’s test described above, when the peak of the periodogram, max (P_xx[k]), is significant, we can only declare that the count-feature sequence has a periodic component at some frequency f. The question would be can we conclude that the count-feature sequence has a periodic component with the frequency where max (P_xx[k]) is located. Hartley has answered the question and showed that the probability that the sequence has a periodic component at some other frequency f is less than α, the probability of false positive, [10]. Therefore, when the peak of the periodogram, max (P_xx[k]), is significant, we can conclude that the count-feature sequence contains a periodic component with the frequency where max (P_xx[k]) is located.

We use SLINGbot to set five bots and one bot master in a mesh topology; the bots use TinyP2P as its protocol of communication on port number 11375. Each bot is pre-programmed to update its data every 3 s by contacting other bots. The experiment was run for approximately 20 s. Since we notice that the C2 traffic of each of these six bots is similar, we will only discuss the traffic of one of them. We use an aggregation interval of 100 ms to extract the packet and address count sequences from the bot’s traffic.

Fig. 2’s top plots show the packet and address count sequences of the C2 communication traffic of a TinyP2P bot. The periodic behavior is apparent in both count sequences. At the start of each period, each bot contacts other bot to check whether there are any updates, and if so it downloads them; after that, it becomes silent until the next period starts. The bottom plots in the same figure show the modified periodograms of these count sequences after subtracting their means and normalizing them by their standard deviations.

In both plots, there is a single major peak at 313 mHz. This peak corresponds to a period of 3.2 s, which agrees with the 3-second pre-programmed period of the bot. We also notice that the peak of the periodogram of the address count sequence has a higher value than the one of the packet count sequence. This is due to the number of distinct addresses in the traffic flow, which has fewer fluctuations when compared to the number of packets.

We select the false positive probability, α, to be equal to 0.1%. This value is selected since, in general, it is desired to have a low false positive rate, in particular, in network anomaly detection systems. We equate the right hand side of (5) to α, to get a threshold, z_0.1%, of 23.5.3 We test the significance of the peak, max (P_xx[k]), of the two periodograms by evaluating the sample ratio test statistic gx∗ in (4) for both periodograms. The ratio value is found to be 61.7 and 70.7 for the periodogram of the packet and address count sequences, respectively. Since the two values of gx∗ are larger than z_0.1%, we reject the null hypothesis and conclude that both sequences contain a periodic component with a frequency of 313 mHz.

We use SLINGbot to set another TinyP2P botnet that consists of five bots and one bot master. Each of the five bots is pre-programmed to update its data with a different period; the periods that the bots use are 3, 4, 5, 6, and 7 s. The experiment was run for approximately 35 s. We use an aggregation interval of 100 ms to extract the packet count of each bot’s traffic.

Fig. 3’s top plots show the packet count sequences of two TinyP2P bot C2 traffic traces. The periods of the traffic for the first bot (top-left) and the second bot (top-right) are 4 and 6 s, respectively. As can be seen, the periodic behavior is apparent in both plots. Fig. 3’s bottom plots show the modified periodograms of the packet sequences after subtracting their means and normalizing them by their standard deviations. The periodogram of the first bot (bottom-left) consists of a large peak at 273 mHz. This peak corresponds to a period of 3.7 s, which agrees with the 4-second pre-programmed period of the bot. The periodogram of the first bot also consists of smaller peaks at the multiples of the frequency. The smaller peaks are the harmonic components as discussed in Section “Methodology: Test network traffic for periodic behavior using periodograms”. The same observations apply to the periodogram of the second bot (bottom-right), except that the peak is located at 176 mHz, which corresponds to a period of 5.7 s. Similar to what we get in the first TinyP2P botnets, this period agrees with the 6-second pre-programmed period of the bot. We test the significance of the peak, max (P_xx[k]), of each of the two periodograms by evaluating the sample ratio test statistic gx∗ in (4) for each periodogram.

We select the false positive probability, α, to be equal to 0.1%. We equate the right hand side of (5) to α, to get a threshold, z0.1%, of 24.9.4 We obtain the values of gx∗ for each of the two periodograms to be 101.4 and 77.0; both are larger than z0.1%. Therefore, we reject the null hypothesis and conclude that both sequences have a periodic component. We note that the two reported values of gx∗ in the packet count sequences of the second TinyP2P botnet C2 traffic traces (101.4 and 77.0) are higher than the one reported for the packet count of the first TinyP2P botnet C2 traffic traces (61.7). This is because the second botnet was run for a longer time (35 s), while the other one was run for a shorter time (20 s). This results in having a larger number of periods, which increases the traffic’s periodogram peak value.

We use SLINGbot to set 20 bots and one bot master in a star topology that uses IRC (Internet Relay Chat) as its protocol of communication on port number 6667. The bot master is pre-programmed to broadcast its updates to the 20 bots every 5 s. The experiment was run for approximately 40 s. Since we notice that the C2 traffic in each of these 21 bots is similar, we will only analyze the traffic of one of them.

Fig. 5’s top plots show the packet and address count sequences for the C2 communication traffic of an IRC bot. As in the TinyP2P botnets, the periodic behavior is apparent in both count sequences. The bottom plots in the same figure show the modified periodograms of these sequences after subtracting their means and normalizing them by their standard deviations. In both plots, there is a single major peak at 195 mHz. This peak corresponds to a period of 5.1 s, which agrees with the 5-second pre-programmed period of the bot. As in the TinyP2P bot, the peak, max (P_xx[k]), of the periodogram of the address count has a higher value than the one for the periodogram of the packet count.

The two values of gx∗ for the packet and address count sequences of the IRC botnet C2 traffic are 40.8 and 46.2, respectively. These two values are larger than z_0.1% = 24.9.5 Thus, we can conclude that both sequences contain a periodic component with a frequency of 195 mHz. However, the two values are not as large as the ones in the sequences of the TinyP2P botnet traffic. This makes it easier for the bot master to hide the periodic behavior of the C2 traffic by adding background traffic on the same port to bury its C2 traffic, which we address in Section “Experimental setup: Evaluation and analysis”. The low value of gx∗ is attributed to the low duty cycle of the count sequence, which resulted in higher harmonics in the frequency domain when compared to the periodogram’s peak.

A bot master can attempt to evade the detection of its botnet members by hiding the periodic behavior of the C2 traffic. This can be done in two ways; first, the bot master can carry the C2 communication channel session over a common port number used by other Internet applications (e.g., HTTP on port 80). This will decrease the percentage of C2 traffic’s volume over this port; hence, its periodic behavior may not be noticeable. Alternatively, the bot master can program the traffic over a pre-determined randomized sequence of port numbers instead of having the C2 traffic between different bots over a single port number. Such evasion schemes might prevent the detection of the periodic behavior of a bot’s C2 traffic by relying on monitoring the traffic of a host per transport port numbers.

In this section, we check whether we can continue to detect the periodic behavior of the C2 traffic of a given bot in the presence of background traffic. We use the packet traces collected by the Lawrence Berkeley National Laboratory/ International Computer Science Institute (LBNL/ICSI) Enterprise Tracing Project [22,23] as our background traffic. The packet traces were collected from two internal network locations at LBNL. LBNL is a research institute in the USA with a medium-sized enterprise network. Only packet header information is released to the public.

We use the HTTP traffic from the LBNL/ICSI packet trace as our background traffic, y[n]. We then add it to the C2 traffic of a TinyP2P bot, x[n]. The total traffic becomesz[n]=x[n]+y[n],

and the resulting ratio gz∗ becomes noisy.6 We use the Signal-to-Noise Ratio (SNR) to quantify the level of background traffic added. The SNR is the ratio of the power of the count-feature sequence of the botnet C2 traffic after subtracting its mean to the power of the count-feature sequence of the background traffic after subtracting its mean. In other words, the SNR is the ratio of the variances of the two sequences. The following formula is used to evaluate the SNR in dB:SNR=10logσˆx2σˆy2=10log1N∑n=0N-1(x[n]-μˆx)21N∑n=0N-1(y[n]-μˆy)2,where N is the number of sample points of x[n] and y[n].

Fig. 7’s plots show the packet (top) and address (bottom) count sequences for three HTTP traffic traces at port 80 in the LBNL/ICSI data set. The three traces were collected on October, 4, 2004. The IP addresses of the hosts that generated the traffic along with the start times (in PDT) of the traffic traces are as follows: HTTP 1 traffic: (131.243.86.124, 1:46:12 pm), HTTP 2 traffic: (131.243.125.239, 1:25:05), and HTTP 3 traffic (131.243.219.252, 2:53:02 pm). We note that the traffic of the three hosts get more bursty as we go to the right of the figure, specifically when we look at the packet count sequences. We add the traffic of each of these three hosts to the C2 traffic of the TinyP2P bot shown in Fig. 2 to observe the effect of this on the sample ratio test statistic gz∗.

Fig. 8’s plots show the packet and address count sequences for the TinyP2P bot C2 traffic after adding the HTTP 1 traffic trace to it. The periodic behavior is still apparent in both plots and the period is still found to be 3.2 s. The periodic behavior can also be noticed from the modified periodograms that are plotted in the bottom plots in the same figure after subtracting their means and normalizing them by their standard deviations, where a distinguished peak is still located at the frequency of the sequences at 313 mHz. However, the two values of gz∗ for the packet and address count sequences of the total traffic (botnet C2 and background traffic) are less than the ones we had for gx∗ in the absence of background traffic. In the case of the packet count, the value has decreased from 61.7 to 54.1, and in the case of the address count, it decreased from 70.7 to 57.7. Both values are still higher than z_0.1% (23.5), hence, the test declares both sequences to have a periodic component. The two values of gz∗ are still high because the background traffic had a low variance of, which resulted in a high SNR of 8.3 dB and 7.3 dB in the packet and address count sequences, respectively.

The case is different when we add either the HTTP 2 or HTTP 3 traffic traces to the TinyP2P bot C2 traffic as shown in Figs. 9 and 10. The periodic behavior is no longer apparent in the top plots of both the packet and address count sequences. This is due to the bursty nature of the HTTP 2 and HTTP 3 traffic traces that resulted in a low SNR. When adding HTTP 2 traffic, the SNR values are −9.2 dB and −1.3 dB for the packet count sequence and B the address count sequences, respectively. When adding HTTP 3 traffic, the SNR values are−9.8 dB and −1.3 dB for the packet count sequence and address count sequences, respectively. We make a note of the large difference in the SNR values between the packet and address count sequences. The very low SNR values in the packet count sequences cause the values of gz∗ to reach 21.4 and 14.6 when we add the HTTP 2 traffic and HTTP 3 traffic, respectively. Both values are lower than z_0.1% (23.5), hence, the test declares that the packet count sequences do not have a periodic component.

Contrary to the SNR values in the packet count sequences, they are not that low in the address count sequences. They only cause the values of gz∗ to reach 46.6 and 49.5 when we add the HTTP 2 traffic and HTTP 3 traffic, respectively. Both values are still significantly higher than z_0.1% (23.5), hence, the test declares that the address count sequences have a periodic component. The periodic behavior can also be seen from the modified periodograms that are plotted in the bottom-right plots in Figs. 9 and 10 after subtracting their means and normalizing them by their standard deviations, where a distinguished peak is located at 313 mHz. We explain the reason behind the different observations between the packet and address count sequences. This is because of the fact that the number of distinct addresses (i.e., hosts) that a given host communicates with during a given aggregation interval is much smaller than the number of packets it would send/receive from these hosts. This makes address count sequences more robust to evasion schemes than packet count sequences.

The previous plots show the effect of adding the traffic of a single HTTP connection to a bot’s C2 traffic. To examine the effect of adding the traffic of multiple HTTP connections to a bot’s traffic, we add all of the three HTTP traffic traces to the C2 traffic trace. The results are shown Fig. 11’s plots. The result we find in the packet count sequences is similar to the one we get after adding either the HTTP 2 or HTTP 3 traffic traces individually; i.e., the traffic trace no longer exhibits periodic behavior due to the low SNR. In the case of the address count sequences, the SNR is −4.3 dB, which is (in absolute value) half of the SNR value (−1.3 dB) when either the HTTP 2 or HTTP 3 traffic traces were added. The SNR value of −4.3 dB causes the value of gz∗ to reach 35.8, which is still higher than z_0.1% (23.5); hence, the test declares that the sequence has a periodic component. The periodic behavior can be seen from the modified periodograms that are plotted in the bottom-right plot in Fig. 11 after subtracting their means and normalizing them by their standard deviations, where a distinguished peak is located at 313 mHz.

To summarize, the detection of periodic behavior in botnet C2 traffic in the presence of background traffic depends on the count-feature sequence we test. In the case of packet count sequences, the test detects the periodic behavior down to a certain SNR level; below that level, it fails to detect the periodic behavior. We note that the results of adding background traffic to packet count sequences are similar to the results of AsSadhan et. al [6] when random noise traffic was injected. In the case of address count sequences, the test is much more robust to the background traffic and succeeds in detecting the periodic behavior. This is because of the fact that the number of distinct addresses (i.e., hosts) that a given host communicates with during a given aggregation interval is much smaller than the number of packets it would send/receive from these hosts. This illustrates that address count sequences are more robust to background traffic than packet count sequences.

We address some of the limitations of basing the detection of botnet C2 communication traffic on the detection of its periodic behavior. The bot master can attempt to hide the periodic behavior of its bots by uniformly randomizing the period within a certain small range. This can be modeled by a random phase. The detectability of the periodic behavior here will depend on how large the random phase is and on the period’s length and the duty cycle. In case the bot master uses a larger range, such that the signal is no longer periodic, it will succeed in evading our test. However, such evasion scheme will limit the effectiveness of the exchange of C2 channel traffic between different bots. This will result in not having C2 updates at pre-determined times, which might disturb the effectiveness of the attack carried out by the botnet. In addition, there are certain applications that have a periodic nature. The traffic of these applications can introduce false positives, however, they can be easily white listed once we are aware of them. Alternatively, the output traffic of the test can be tested further using a more complex method to determine whether the observed periodic behavior is due to botnet C2 traffic or not. We note that such complex method might not scale up if applied directly to the original traffic trace. Therefore, our method can serve as a scalable first stage.