Date of Award

3-12-2009

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

J. Todd McDonald, PhD

Abstract

With the increase in speed and availability of computers, our nation's computer and information systems are being attacked with increased sophistication. The Air Force Research Laboratory (AFRL) Information Directorate (RI) is researching a next generation network defense architecture, called Cybercraft, that provides automated and trusted cyber defense capabilities for AF network assets. This research we consider the issues to protect or obfuscate command and control aspects of Cybercraft. In particular, we present a methodology to hide aspects of Cybercraft platform initialization in context to formation of hierarchical, peer-to-peer groups that collectively form the Cybercraft network. Because malicious code networks (known as botnets) currently manifest many properties of obfuscating command and control sequencing, we evaluate and consider our proposed methodology in light of leading bot detection algorithms. This research subjects Bothunter to a series of tests to validate these claims. We use a leading bot detection utility, Bothunter, and an ARP validation tool, XArp, to build a case for the effectiveness of our approach. We present three scenarios that correlate to how we believe Cybercraft platforms integrate in the future and consider stealthiness in terms of these representative tools. Our research gives emphasis on measurable hiding related to the Cybercraft initialization sequence, and we show how common network protocols such as ARP, HTTP, and DNS may be modified to carry C2 commands while evading common detection methods found in current tools.

AFIT Designator

AFIT-GCS-ENG-09-07

DTIC Accession Number

ADA500658

Share

COinS