PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations

The decentralized nature of Peer-to-Peer (P2P) botnets makes them difficult to detect, and their distributed architecture also makes them resilient to take-down attempts. Moreover, smarter bots are stealthy in their communication patterns and elude the standard discovery techniques that look for anomalous network or communication behavior. In this paper, we propose PeerShark, a novel methodology to detect P2P botnet traffic and differentiate it from benign P2P traffic in a network. Instead of the traditional 5-tuple 'flow-based' detection approach, we use a 2-tuple 'conversation-based' approach which is port-oblivious, protocol-oblivious and does not require Deep Packet Inspection. PeerShark could also classify different P2P applications with an accuracy of more than 95%.
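As an added illustration (not code from the paper or the PeerShark project), the following contrasts the traditional 5-tuple flow key with the port- and protocol-oblivious 2-tuple conversation key over a few constructed packets: two hosts exchanging traffic over several ports and protocols collapse into a single conversation. The per-conversation summary features (packet count, bytes, duration, median inter-arrival time) are an assumption, since this page does not list PeerShark's feature set.

```python
import statistics
from collections import defaultdict

# Constructed sample packets (not captured traffic):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, payload_bytes)
PACKETS = [
    (0.0, "10.0.0.5", 40001, "198.51.100.7", 6881, "udp", 120),
    (0.4, "198.51.100.7", 6881, "10.0.0.5", 40001, "udp", 300),
    (1.1, "10.0.0.5", 40002, "198.51.100.7", 6882, "udp", 90),
    (2.5, "10.0.0.5", 40003, "198.51.100.7", 443, "tcp", 1500),
    (2.9, "198.51.100.7", 443, "10.0.0.5", 40003, "tcp", 4000),
    (3.0, "10.0.0.5", 50000, "203.0.113.9", 53, "udp", 60),
    (3.2, "203.0.113.9", 53, "10.0.0.5", 50000, "udp", 110),
]


def flow_key(pkt):
    """Traditional 5-tuple flow key: direction, port pair and protocol all matter,
    so one host pair talking over several ports yields several flows."""
    _, src, sport, dst, dport, proto, _ = pkt
    return (src, sport, dst, dport, proto)


def conversation_key(pkt):
    """2-tuple conversation key in the spirit of PeerShark: the unordered host
    pair only, ignoring ports, transport protocol and direction."""
    _, src, _, dst, _, _, _ = pkt
    return tuple(sorted((src, dst)))


def aggregate(packets, key_fn):
    """Group packets by key_fn and summarise each group.
    Assumed features: packet count, total bytes, duration, median inter-arrival."""
    groups = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        groups[key_fn(pkt)].append(pkt)
    summary = {}
    for key, pkts in groups.items():
        ts = [p[0] for p in pkts]
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        summary[key] = {
            "packets": len(pkts),
            "bytes": sum(p[6] for p in pkts),
            "duration": ts[-1] - ts[0],
            "median_iat": statistics.median(gaps) if gaps else 0.0,
        }
    return summary


if __name__ == "__main__":
    print(len(aggregate(PACKETS, flow_key)), "flows vs",
          len(aggregate(PACKETS, conversation_key)), "conversations")
```

The same seven packets produce seven 5-tuple flows but only two host-pair conversations, which is what lets the conversation view see a peer relationship even when a bot rotates ports or mixes TCP and UDP.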