Building a Scalable System for Stealthy P2P-Botnet Detection

Peer-to-peer (P2P) botnets have recently been adopted by botmasters for their resiliency against take-down efforts. Besides being harder to take down, modern botnets tend to be stealthier in the way they perform malicious activities, making current detection approaches ineffective. In addition, the rapidly growing volume of network traffic calls for high scalability of detection systems. In this paper, we propose a novel scalable botnet detection system capable of detecting stealthy P2P botnets. Our system first identifies all hosts that are likely engaged in P2P communications. It then derives statistical fingerprints to profile P2P traffic and further distinguish between P2P botnet traffic and legitimate P2P traffic. The parallelized computation with bounded complexity makes scalability a built-in feature of our system. Extensive evaluation has demonstrated both high detection accuracy and great scalability of the proposed system.

[1]  Daniel Stutzbach,et al.  Understanding churn in peer-to-peer networks , 2006, IMC '06.

[2]  Michalis Vazirgiannis,et al.  c ○ 2001 Kluwer Academic Publishers. Manufactured in The Netherlands. On Clustering Validation Techniques , 2022 .

[3]  John Kubiatowicz,et al.  Handling churn in a DHT , 2004 .

[4]  Dan Liu,et al.  A P2P-Botnet detection model and algorithms based on network streams analysis , 2010, 2010 International Conference on Future Information Technology and Management Engineering.

[5]  Guofei Gu,et al.  A Taxonomy of Botnet Structures , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[6]  Felix C. Freiling,et al.  Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm , 2008, LEET.

[7]  John Heidemann,et al.  Estimating P2P Traffic Volume at USC , 2007 .

[8]  Michael K. Reiter,et al.  Finding Peer-to-Peer File-Sharing Using Coarse Network Behaviors , 2006, ESORICS.

[9]  Ali A. Ghorbani,et al.  Detecting P2P botnets through network behavior analysis and machine learning , 2011, 2011 Ninth Annual International Conference on Privacy, Security and Trust.

[10]  Tian Zhang,et al.  BIRCH: an efficient data clustering method for very large databases , 1996, SIGMOD '96.

[11]  Wen-Hwa Liao,et al.  Peer to Peer Botnet Detection Using Data Mining Scheme , 2010, 2010 International Conference on Internet Technology and Applications.

[12]  Michael K. Reiter,et al.  Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems.

[13]  Nick Feamster,et al.  Boosting the scalability of botnet detection using adaptive traffic sampling , 2011, ASIACCS '11.

[14]  Brent Byunghoon Kang,et al.  The waledac protocol: The how and why , 2009, 2009 4th International Conference on Malicious and Unwanted Software (MALWARE).

[15]  Phillip A. Porras,et al.  A Multi-perspective Analysis of the Storm ( Peacomm ) Worm , 2007 .

[16]  Oliver Spatscheck,et al.  Accurate, scalable in-network identification of p2p traffic using application signatures , 2004, WWW '04.

[17]  Andrew W. Moore,et al.  Internet traffic classification using bayesian analysis techniques , 2005, SIGMETRICS '05.

[18]  Sherif Saad,et al.  Detecting P 2 P Botnets through Network Behavior Analysis and Machine Learning , 2011 .

[19]  Aleksandar Kuzmanovic,et al.  Measurement and Diagnosis of Address Misconfigured P2P Traffic , 2010, 2010 Proceedings IEEE INFOCOM.

[20]  Sven Dietrich,et al.  Analysis of the Storm and Nugache Trojans: P2P Is Here , 2007, login Usenix Mag..

[21]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[22]  Xiapu Luo,et al.  Detecting stealthy P2P botnets using statistical traffic fingerprints , 2011, 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN).

[23]  Yao Zhao,et al.  BotGraph: Large Scale Spamming Botnet Detection , 2009, NSDI.

[24]  Prateek Mittal,et al.  BotGrep: Finding P2P Bots with Structured Graph Analysis , 2010, USENIX Security Symposium.

[25]  Michalis Faloutsos,et al.  BLINC: multilevel traffic classification in the dark , 2005, SIGCOMM '05.

[26]  Michalis Faloutsos,et al.  Transport layer identification of P2P traffic , 2004, IMC '04.