Aether

Network Beaconing & Session Monitor

The Aether Network Monitor is a lightweight, high-performance module designed to identify Command and Control (C2) beaconing activity and persistent TCP sessions. By analyzing active socket transitions over time, the engine distinguishes between legitimate, sporadic web traffic and structured, periodic adversary callback loops.

Technical Specifications

1. Connection Event Tracking

To monitor communication patterns without consuming excessive memory, the engine tracks active sockets using an ephemeral ring buffer.

  • Buffer Capacity: Each remote endpoint is allocated a 64-entry ring buffer to store precise high-resolution connection timestamps.
  • Transition Detection: A timestamp is recorded only when a connection newly transitions to an active state in the host operating system’s TCP table.
  • Persistence Normalization: A persistent session (e.g., maintaining an ESTABLISHED state across consecutive polls) is recorded as a single event. This prevents long-lived, legitimate connections (such as persistent WebSockets) from falsely accumulating hits and mimicking periodic beacons.
       POLL N                POLL N+1               POLL N+2
  [ ESTABLISHED ]  ===>  [ ESTABLISHED ]  ===>  [ ESTABLISHED ]
  |___________________________________________________________|
                     Recorded as ONE Event

2. Previous-Set Differencing

To accurately map connection events, the monitor implements a differential analysis model on each poll cycle.

  • Mechanics: The monitor keeps a snapshot of all active endpoints observed during Poll $N$. During Poll $N+1$, the current endpoint set is compared against that stored snapshot.
  • Delta Filtering: Only endpoints present in the current table that were absent in the prior poll are classified as new connection arrivals.
  • Efficacy: This differential step separates a series of short-lived, distinct socket creations to a target server from a single, continuously open connection.
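The ring-buffer tracking from section 1 and the previous-set differencing from section 2 fit together in a few lines. The following is an added Python example (not Aether's own code) that polls a simulated TCP table, records a timestamp only for endpoints that were absent in the previous poll, and keeps at most 64 timestamps per endpoint. The endpoint addresses, poll times and the `ConnectionTracker` name are constructed for the illustration.

```python
from collections import deque

RING_CAPACITY = 64  # per-endpoint ring buffer size stated in the specification


class ConnectionTracker:
    """Records a connection timestamp only when an endpoint newly appears in
    the active TCP table relative to the previous poll (previous-set
    differencing). A socket that stays ESTABLISHED across consecutive polls
    is therefore recorded as a single event."""

    def __init__(self, capacity=RING_CAPACITY):
        self.capacity = capacity
        self.previous = set()   # endpoints observed during poll N
        self.events = {}        # endpoint -> ring buffer (deque) of arrival timestamps

    def poll(self, active_endpoints, now):
        """active_endpoints: set of (ip, port) tuples read from the TCP table.
        now: high-resolution timestamp of this poll, in seconds.
        Returns the endpoints classified as new arrivals in this poll."""
        current = set(active_endpoints)
        arrivals = current - self.previous   # delta filtering
        for endpoint in arrivals:
            ring = self.events.setdefault(endpoint, deque(maxlen=self.capacity))
            ring.append(now)                 # at capacity the oldest entry is overwritten
        self.previous = current
        return arrivals

    def timestamps(self, endpoint):
        """Recorded arrival timestamps for an endpoint, oldest first."""
        return list(self.events.get(endpoint, ()))


def run_simulation():
    """Constructed scenario, polled every 2 s: 'persistent' stays ESTABLISHED
    in every poll, while 'beacon' connects, tears down and reconnects."""
    tracker = ConnectionTracker()
    persistent = ("203.0.113.10", 443)   # documentation-range address, constructed
    beacon = ("198.51.100.7", 8443)      # documentation-range address, constructed
    schedule = [
        (0.0, {persistent, beacon}),
        (2.0, {persistent}),
        (4.0, {persistent, beacon}),
        (6.0, {persistent}),
        (8.0, {persistent, beacon}),
    ]
    for now, table in schedule:
        tracker.poll(table, now)
    return tracker


if __name__ == "__main__":
    t = run_simulation()
    print("persistent:", t.timestamps(("203.0.113.10", 443)))   # one event
    print("beacon:    ", t.timestamps(("198.51.100.7", 8443)))  # three events
```

Because only the set difference between consecutive polls is recorded, the long-lived socket contributes one timestamp while the reconnecting one contributes three, which is exactly the input the CoV scoring later needs.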

Algorithmic Scoring

Coefficient of Variation (CoV) Analysis

Upon accumulating three or more discrete connection events for a unique remote endpoint, the monitor calculates the inter-arrival intervals ($\Delta t$) between consecutive timestamps. The engine derives the statistical mean ($\mu$), standard deviation ($\sigma$), and the dimensionless Coefficient of Variation:

$\text{CoV} = \frac{\sigma}{\mu}$

This metric provides a mathematical classification of connection regularity, categorized into three distinct confidence tiers:

High Confidence Beacon (CoV < 0.20)

The arrival intervals remain within 20% of the statistical mean, indicating a highly structured, machine-driven callback loop with negligible jitter.

  • Cobalt Strike (10% Jitter): Typically lands between CoV 0.06 and 0.12.
  • Metasploit (Default reverse_https, 0% Jitter): Typically lands at CoV < 0.05.

Medium Confidence Beacon (CoV 0.20 – 0.40)

The intervals demonstrate moderate deviation but retain a clear periodic signature. This tier matches implants configured with higher jitter parameters or standard default behaviors of newer frameworks.

  • Cobalt Strike (30% to 40% Jitter): Matches this range.
  • Havoc C2 (Default sleep profile): Consistently falls within this classification.

Low Confidence / Noise (CoV > 0.40)

The connection intervals are highly erratic, signifying human-driven web browsing, bursty application telemetry, or standard background OS traffic. These events are silently filtered out.
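The scoring step above, as an added Python example that is not Aether's own code: it derives the inter-arrival intervals from a list of arrival timestamps, computes $\mu$, $\sigma$ and $\text{CoV} = \sigma/\mu$, and maps the result onto the three tiers. The page does not say whether $\sigma$ is the population or sample standard deviation; this example assumes the population form. The three interval sequences are constructed to land in one tier each and do not come from real implant traffic.

```python
import statistics
from itertools import accumulate

MIN_EVENTS = 3      # CoV is only computed after three or more discrete events
HIGH_MAX = 0.20     # CoV below this: high-confidence beacon
MEDIUM_MAX = 0.40   # CoV up to and including this: medium confidence; above: noise


def inter_arrival_intervals(timestamps):
    """Delta-t between consecutive arrival timestamps (seconds)."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def coefficient_of_variation(intervals):
    """sigma / mu over the observed intervals (population std dev assumed)."""
    mu = statistics.mean(intervals)
    sigma = statistics.pstdev(intervals)
    return sigma / mu


def classify(timestamps):
    """Returns (tier, cov). Tier is INSUFFICIENT when fewer than MIN_EVENTS
    arrivals have been recorded for the endpoint."""
    if len(timestamps) < MIN_EVENTS:
        return ("INSUFFICIENT", None)
    cov = coefficient_of_variation(inter_arrival_intervals(timestamps))
    if cov < HIGH_MAX:
        tier = "HIGH"
    elif cov <= MEDIUM_MAX:
        tier = "MEDIUM"
    else:
        tier = "NOISE"
    return (tier, cov)


def timestamps_from_intervals(intervals, start=0.0):
    """Helper for building a constructed arrival series from its intervals."""
    return [start] + list(accumulate(intervals, initial=start))[1:]


# Constructed interval sequences (seconds), one per tier.
SAMPLES = {
    "low_jitter_60s":    [60, 57, 63, 61, 59],   # ~5% jitter around a 60 s sleep
    "medium_jitter_60s": [60, 42, 78, 50, 70],   # ~30% jitter around a 60 s sleep
    "human_browsing":    [2, 30, 1, 90, 5],      # erratic, no periodic structure
}


def classify_samples():
    """Classify every constructed sample; returns {name: (tier, cov)}."""
    return {name: classify(timestamps_from_intervals(iv)) for name, iv in SAMPLES.items()}


if __name__ == "__main__":
    for name, (tier, cov) in classify_samples().items():
        print(f"{name:20s} tier={tier:12s} CoV={cov:.3f}")
```

The 60 s sequence with a few seconds of jitter scores around 0.03, the 30% jitter sequence around 0.22, and the erratic sequence well above 1, matching the tier boundaries the page gives.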

Persistent Session Identification

In addition to detecting periodic, short-lived connections (beacons), the module monitors the lifetime of long-lived communication channels.

  • Tracking Period: The engine monitors the active presence ratio of a socket over a defined temporal window.
  • Evaluation Criteria: If a connection remains active during $>50\%$ of the polling intervals for a continuous duration of at least 10 seconds, it is cataloged as a persistent session.
  • PERSIST Verdict: Sockets maintaining an active presence ratio of $\ge 80\%$ over the monitored lifespan are flagged with a PERSIST classification, highlighting potential persistent reverse shells or interactive tunnels.
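The presence-ratio logic above, as an added Python example (not Aether's own code). The page does not define the window over which the ratio is measured; this example assumes it runs from the poll in which the endpoint was first seen through the most recent poll, so a socket that disappears sees its ratio decay. The thresholds (50% ratio, 10 s minimum lifespan, 80% for the PERSIST verdict) are the page's; the endpoints and poll schedule are constructed.

```python
MIN_LIFESPAN_S = 10.0        # minimum continuous duration to qualify as persistent
PERSISTENT_RATIO = 0.50      # presence ratio must exceed this
PERSIST_VERDICT_RATIO = 0.80 # presence ratio at or above this earns the PERSIST verdict


class SessionTracker:
    """Per endpoint, counts the polls in which it was active out of all polls
    since it was first observed (window assumption, see lead-in)."""

    def __init__(self):
        self.poll_count = 0
        self.stats = {}   # endpoint -> {"first": t, "first_poll": idx, "last": t, "present": n}

    def poll(self, active_endpoints, now):
        self.poll_count += 1
        for endpoint in active_endpoints:
            s = self.stats.setdefault(
                endpoint, {"first": now, "first_poll": self.poll_count, "last": now, "present": 0}
            )
            s["present"] += 1
            s["last"] = now

    def evaluate(self, endpoint):
        """Returns (verdict, presence_ratio, lifespan_seconds)."""
        s = self.stats.get(endpoint)
        if s is None:
            return ("UNSEEN", 0.0, 0.0)
        lifespan = s["last"] - s["first"]
        polls_in_window = self.poll_count - s["first_poll"] + 1
        ratio = s["present"] / polls_in_window
        if lifespan < MIN_LIFESPAN_S or ratio <= PERSISTENT_RATIO:
            return ("TRANSIENT", ratio, lifespan)
        if ratio >= PERSIST_VERDICT_RATIO:
            return ("PERSIST", ratio, lifespan)
        return ("PERSISTENT", ratio, lifespan)


def run_simulation():
    """Constructed scenario polled every 2 s for 20 s (11 polls):
    'shell' is active in every poll, 'flapping' in 7 of 11,
    'short' only in the first four polls."""
    tracker = SessionTracker()
    shell = ("198.51.100.7", 4444)     # constructed documentation-range address
    flapping = ("203.0.113.20", 443)   # constructed
    short = ("203.0.113.30", 80)       # constructed
    for idx in range(11):
        now = 2.0 * idx
        table = {shell}
        if idx in (0, 1, 2, 4, 6, 8, 10):
            table.add(flapping)
        if idx <= 3:
            table.add(short)
        tracker.poll(table, now)
    return {
        "shell": tracker.evaluate(shell),
        "flapping": tracker.evaluate(flapping),
        "short": tracker.evaluate(short),
    }


if __name__ == "__main__":
    for name, (verdict, ratio, lifespan) in run_simulation().items():
        print(f"{name:9s} {verdict:10s} ratio={ratio:.2f} lifespan={lifespan:.0f}s")
```

The always-present socket reaches a 100% ratio over 20 s and earns PERSIST; the flapping one sits at roughly 64%, long enough to count as a persistent session but below the 80% verdict line; the short-lived one never reaches the 10 s floor and its ratio keeps decaying as polls continue.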

Configuration & Performance Tuning

Command-Line Interface (CLI) Usage

The monitoring engine is controlled via the CLI using three core arguments:

./Aether.exe --hunt 12345 <SLEEP_MS> <DURATION_S>

Parameter     Type             Description                                                 Default
--hunt        Flag / Integer   Specifies the target Process Identifier (PID) to inspect.   Required
SLEEP_MS      Integer          Polling interval in milliseconds.                           2000
DURATION_S    Integer          Total duration of the monitoring run in seconds.            120

Adaptive Duration Planning

Selecting the appropriate runtime parameters is critical for accurate detection:

  • Slower Beacons: A C2 implant configured with a 60-second sleep interval requires a minimum monitoring duration of 180 seconds to record at least three connection events, enabling valid $\text{CoV}$ calculations.
  • Fast / Sleep-0 Beacons: For aggressive implants or interactive sessions, the polling interval can be shortened. While extremely low intervals (such as 2ms) are functional in proof-of-concept tests, they impose heavy CPU overhead by repeatedly querying system TCP tables. A polling interval of 300ms to 500ms is highly recommended for fast implants, as it remains lightweight while still offering sufficient resolution.

Built-in Endpoint Filtering

To prevent local operating system noise from diluting analysis results, the monitor automatically drops and ignores several destination classes prior to calculations:

  • Loopback Addresses: 127.0.0.0/8
  • Link-Local Addresses: 169.254.0.0/16
  • Null/Unspecified Addresses: 0.0.0.0
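An added Python example (not Aether's own code) of this pre-filter: it parses TCP-table style `ip:port` strings, including bracketed IPv6 endpoints, and drops the three destination classes listed above. As a generalization beyond the page's IPv4 list, it treats the IPv6 equivalents (`::1`, `fe80::/10`, `::`) the same way via the standard library's address properties. The endpoint strings are constructed for the illustration.

```python
import ipaddress


def parse_endpoint(endpoint):
    """Split an endpoint string into (ip_address, port).
    Accepts '127.0.0.1:443' and bracketed IPv6 such as '[::1]:443'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return ipaddress.ip_address(host), int(port)


def should_ignore(endpoint):
    """True for destinations dropped before scoring: loopback (127.0.0.0/8),
    link-local (169.254.0.0/16) and unspecified (0.0.0.0). The IPv6
    equivalents (::1, fe80::/10, ::) are dropped too (added generalization)."""
    addr, _port = parse_endpoint(endpoint)
    return addr.is_loopback or addr.is_link_local or addr.is_unspecified


def filter_endpoints(endpoints):
    """Return only the endpoints that should reach the analysis stage."""
    return [ep for ep in endpoints if not should_ignore(ep)]


# Constructed TCP-table snapshot mixing local noise with remote destinations.
SAMPLE_TABLE = [
    "127.0.0.1:8080",        # loopback
    "169.254.10.2:80",       # link-local
    "0.0.0.0:0",             # unspecified
    "[::1]:443",             # IPv6 loopback
    "[fe80::1]:22",          # IPv6 link-local
    "203.0.113.5:443",       # remote, kept
    "[2001:db8::1]:8443",    # remote IPv6, kept
]


if __name__ == "__main__":
    for ep in SAMPLE_TABLE:
        print(f"{ep:22s} {'drop' if should_ignore(ep) else 'keep'}")
```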