论文信息 - P2P Botnet Detection Based on Irregular Phased Similarity

P2P Botnet Detection Based on Irregular Phased Similarity

Botnets provide a botmaster infrastructure of management and use of cyber attack capabilities and have become one of the most significant threats to the Internet. The emergence of P2P botnets, which are more stealthy, robust and hazardous, has posed great challenges to botnet detection researches. The paper proposes a novel common P2P botnet detection approach that is able to identify unknown P2P botnets, even in the case that the target network had only a single bot. The traffic generated by a P2P bot has phased similar patterns, which occur at irregular intervals. This feature is called Irregular Phased Similarity (IPS) in the paper. The proposed approach detects P2P bots by identifying IPS characteristic. The experimental evaluation shows the efficiency of the approach on detecting the Storm and Waledac botnets.

Guyu Hu | Huabo Li | Haiguang Lai | Jian Yuan

[1] Ali A. Ghorbani,et al. Detecting P2P botnets through network behavior analysis and machine learning , 2011, 2011 Ninth Annual International Conference on Privacy, Security and Trust.

[2] Su Chang,et al. P2P botnet detection using behavior clustering & statistical tests , 2009, AISec '09.

[3] Ting-Fang Yen,et al. Detecting Stealthy Malware Using Behavioral Features in Network Traffic , 2011 .

[4] Michael K. Reiter,et al. Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[5] Felix C. Freiling,et al. Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm , 2008, LEET.

[6] Felix C. Freiling,et al. Walowdac - Analysis of a Peer-to-Peer Botnet , 2009, 2009 European Conference on Computer Network Defense.

[7] Guofei Gu,et al. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.