Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.1109/TIFS.2018.2881657

2018-11-14

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.48550/arXiv.1709.06440

2017-09-19

Cryptography and Security

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the infrastructure that responsible for various of cyber-crimes. Though a few existing work claimed to detect traditional botnets effectively, the problem of detecting P2P botnets involves more challenges. In this paper, we present PeerHunter, a community behavior analysis based method, which is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P hosts detection component. Then, it uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter can achieve very high detection rate and low false positives.

Donghong Sun,Xuefeng Li,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/ctc.2010.16

2010-01-01

Abstract:A widespread botnet is often used to carry cyber attacks, which results in serious threats to networks and properties. The application of combining botnets and P2P technology is powerful but complicated. This paper shows the differences of control mechanisms, running functions and working performance between central-controlled botnets and P2P-conctrolled botnets by analysis of several famous botnets. Futher more, This paper also reseaches on Command-and- Control (C&C) mechanism which works as the core component of botnets' architecture, giving out the definition and evaluation parameters of this mechanism, finally proposing a new architecture. It is useful to finding vulnerabilities of P2P botnets and guiding defenders to design effective detection and defending methods.

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Mohammad Jafari Dehkordi,Babak Sadeghiyan

DOI: https://doi.org/10.1049/iet-com.2018.5286

2020-04-08

Abstract:Breaking down botnets have always been a big challenge. The robustness of C&C channels is increased, and the detection of botmaster is harder in P2P botnets. In this paper, we propose a probabilistic method to reconstruct the topologies of the C&C channel for P2P botnets. Due to the geographic dispersion of P2P botnet members, it is not possible to supervise all members, and there does not exist all necessary data for applying other graph reconstruction methods. So far, no general method has been introduced to reconstruct C&C channel topology for all type of P2P botnet. In our method, the probability of connections between bots is estimated by using the inaccurate receiving times of several cascades, network model parameters of C&C channel, and end-to-end delay distribution of the Internet. The receiving times can be collected by observing the external reaction of bots to commands. The results of our simulations show that more than 90% of the edges in a 1000-member network with node degree mean 50, have been accurately estimated by collecting the inaccurate receiving times of 22 cascades. In case the receiving times of just half of the bots are collected, this accuracy of estimation is obtained by using 95 cascades.

Cryptography and Security

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Guangli Wu,Xingyue Wang,Jing Zhang

DOI: https://doi.org/10.1016/j.cose.2024.103775

IF: 5.105

2024-02-24

Computers & Security

Abstract:P2P botnets are distributed with complex topology and communication behavior, making them harder to detect and remove. Individuals or organizations can effectively detect P2P botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting deterministic traffic interaction features, which are highly dependent on statistical features. Moreover, these methods are mainly aimed at generalized botnet detection and lack specificity for detecting P2P botnets. They ignore the topological information of P2P botnets, resulting in unsatisfactory detection accuracy. Among the few existing methods targeting P2P botnets, they consider the topological information but mainly rely on classical graph theory statistical features, such as degree, feature vector centrality, etc. This limits the generalization ability of the detection model. In this paper, we delve into the topological features of P2P botnets from the perspective of complex graph theory. We propose a P2P botnet detection method that combines representation learning and graph contrastive learning, dubbed PeerG. Specifically, we construct the communication graphs based on the flow interaction behavior between components of the P2P botnets. The Line algorithm is employed to embed the nodes of the communication graph into a low-dimensional representation vector space. Subsequently, the graph contrastive learning approach is utilized to optimize the feature extractor, enabling it to capture more representative node features. PeerG serves as a benchmark detection model for identifying P2P botnet nodes. Additionally, we devise two optimized contrastive detection strategies (PeerG-PreG and PeerG-PreF) based on graph-level and feature-level to boost the performance of PeerG. Extensive experiments demonstrate that PeerG brings significant improvements in detection accuracy over state-of-art detection methods. Furthermore, compared with PeerG, the detection strategies PeerG-PreG and PeerG-PreF have further improved detection performance, and achieve the best detection accuracy among multiple filtered P2P botnet types.

computer science, information systems

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Sajjad Arshad,Maghsoud Abbaspour,Mehdi Kharrazi,Hooman Sanatkar

DOI: https://doi.org/10.1109/ICCAIE.2011.6162198

2018-11-02

Abstract:Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most of previous researches have introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, and C&C server addresses. We start from inherent characteristics of botnets. Bots connect to the C&C channel and execute the received commands. Bots belonging to the same botnet receive the same commands that causes them having similar netflows characteristics and performing same attacks. Our method clusters bots with similar netflows and attacks in different time windows and perform correlation to identify bot infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and low false positive.

Cryptography and Security

Xiaobo Ma,Xiaohong Guan,Jing Tao,Qinghua Zheng,Yun Guo,Lu Liu,Shuang Zhao

DOI: https://doi.org/10.1109/ICC.2010.5502092

2010-01-01

Abstract:Botnets have become a serious threat to Internet and are often deployed to control a large pool of zombies and perform notorious activities such as DDoS, information theft and spam sending. In this paper, a new method is developed for detecting IRC botnets by analyzing the characteristic of packet size sequence of the TCP conversation between IRC zombies and their command and control (C&C) servers. In comparison with IRC chat, the TCP conversations within IRC botnets show a nature of approximate periodicity defined as quasi-periodicity in this paper. A simple yet effective detection method is presented to detect IRC botnets by measuring the quasi-periodicity degree and packet average size of IRC conversations based on ukkonen algorithm. We evaluated our method using real-world IRC botnet traces captured from honeynet. The results show that our method can detect real-world IRC botnets from IRC traffic with high accuracy and has a low false positive rate.

Mark Scanlon,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1409.8490

2014-09-30

Abstract:Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.

Cryptography and Security,Networking and Internet Architecture

Andrea E. Medina Paredes,Yuan-Yuan Su,Wei Wu,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-030-46828-6_26

2016-01-01

Proceedings of Engineering and Technology Innovation

Abstract:The war against botnet infection is fought every day by users that want to feel safe against any threat of compromise hosts. In this paper we are going to focus on the behavior of Peer 2 Peer (P2P) botnets, which along with hybrid botnets is a growing trend among attackers. The main approach will consist of a behavior comparison among features extracted from network flows, focusing only in the flows from P2P applications including P2P botnets.

Yousof Al-Hammadi,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1004.2860

2010-04-16

Abstract:In the past few years, IRC bots, malicious programs which are remotely controlled by the attacker through IRC servers, have become a major threat to the Internet and users. These bots can be used in different malicious ways such as issuing distributed denial of services attacks to shutdown other networks and services, keystrokes logging, spamming, traffic sniffing cause serious disruption on networks and users. New bots use peer to peer (P2P) protocols start to appear as the upcoming threat to Internet security due to the fact that P2P bots do not have a centralized point to shutdown or traceback, thus making the detection of P2P bots is a real challenge. In response to these threats, we present an algorithm to detect an individual P2P bot running on a system by correlating its activities. Our evaluation shows that correlating different activities generated by P2P bots within a specified time period can detect these kind of bots.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Pedro Camelo,Joao Moura,Ludwig Krippahl

DOI: https://doi.org/10.48550/arXiv.1410.8747

2014-10-31

Cryptography and Security

Abstract:Botnets represent a global problem and are responsible for causing large financial and operational damage to their victims. They are implemented with evasion in mind, and aim at hiding their architecture and authors, making them difficult to detect in general. These kinds of networks are mainly used for identity theft, virtual extortion, spam campaigns and malware dissemination. Botnets have a great potential in warfare and terrorist activities, making it of utmost importance to take action against. We present CONDENSER, a method for identifying data generated by botnet activity. We start by selecting appropriate the features from several data feeds, namely DNS non-existent domain responses and live communication packages directed to command and control servers that we previously sinkholed. By using machine learning algorithms and a graph based representation of data, then allows one to identify botnet activity, helps identifying anomalous traffic, quickly detect new botnets and improve activities of tracking known botnets. Our main contributions are threefold: first, the use of a machine learning classifier for classifying domain names as being generated by domain generation algorithms (DGA); second, a clustering algorithm using the set of selected features that groups network communication with similar patterns; third, a graph based knowledge representation framework where we store processed data, allowing us to perform queries.

Swechchha Gupta,Singh,Buddha Singh

DOI: https://doi.org/10.1016/j.cose.2024.103783

IF: 5.105

2024-02-01

Computers & Security

Abstract:In increasingly interconnected digital world, the threat of cyber-attacks and data breaches are a pervasive and growing concern. The Botnets are the most dangerous threats that launch a wide range of cyberattacks such as distributed denial of service (DDoS) attacks, sending spam emails, spreading malware, and stealing sensitive information. The identification and categorization of botnets has become a highly complex and critical process due to the massive amount of network traffic generated every second. This paper presents a multilayer botnet detection and classification framework based on explainable machine learning algorithms. The proposed approach comprises of three distinct layers: Feature Selection Layer, Botnet Detection Layer and Botnet Classification Layer. The Feature Selection Layer reduces the dataset into six essential features, that enhance the accuracy and efficiency of the framework. The botnet detection layer detects botnet activity by filtering the reduced dataset into normal packets and botnet packets. The filtered botnet packets further examined by botnet classification layer to classify the botnet packets into different types of botnets. Moreover, SHAP (SHapley Additive exPlanations) technique is utilized to provide transparency to the model's decision-making process. To evaluate the effectiveness of the proposed model, NCC-2 and CTU-13 datasets are examined. 10-fold cross-validation technique is applied to validate the experimental findings. The average accuracy achieved by proposed approach in botnet detection stands impressively at 99.98%, while the average accuracy achieved in classifying botnet families is 99.30%, exhibiting an exceptional level of performance. The comparative analysis is performed which demonstrates its superiority over existing methods in terms of accuracy, precision, recall, F1-Score.

computer science, information systems

Amit Kumar,Nitesh Kumar,Anand Handa,Sandeep Kumar Shukla

DOI: https://doi.org/10.1007/978-3-030-20951-3_24

2019-01-01

Abstract:A bot-net is a network of infected hosts (bots) that works independently under the control of a Botmaster (Bot herder), which issues commands to bots using command and control (C&C) servers. Bot-net architectures have advanced over time, to evade detection and disruption. Traditionally, bot-nets used a centralized client-server architecture which had a single point of failure but with the advent of peer-to-peer technology, the problem of single point of failure seems to have been resolved. Gaining advantage of the decentralized nature of the P2P architecture, botmasters started using P2P based communication mechanism. P2P bot-nets are highly resilient against detection even after some bots are identified or taken down. P2P bot-nets provide central frameworks for different cyber-crimes which include DDoS (Distributed Denial of Service), email spam, phishing, password sniffing, etc. In this paper, we propose PeerClear, an approach for identifying P2P bot-nets using network traffic analysis. PeerClear uses a two-step process for identifying P2P bots. In the first step, the hosts involved in P2P traffic are detected and in the second step, the detected hosts are further analyzed to detect bot-nets. Our evaluation shows that our approach PeerClear outperformed several recent approaches and achieves a high detection rate of 99.85%. We also implement multiple new approaches reported in the literature and test on the same dataset to evaluate their relative performance.

Harshvardhan P. Joshi,Rudra Dutta

DOI: https://doi.org/10.1109/ICC45855.2022.9838876

2022-03-24

Abstract:Peer-to-peer (P2P) botnets use decentralized command and control networks that make them resilient to disruptions. The P2P botnet overlay networks manifest structures in mutual-contact graphs, also called communication graphs, formed using network traffic information. It has been shown that these structures can be detected using community detection techniques from graph theory. These previous works, however, treat the communication graphs and the P2P botnet structures as static. In reality, communication graphs are dynamic as they represent the continuously changing network traffic flows. Similarly, the P2P botnets also evolve with time, as new bots join and existing bots leave either temporarily or permanently. In this paper we address the problem of detecting such evolving P2P botnet communities in dynamic communication graphs. We propose a reinforcement-based approach, suitable for large communication graphs, that improves precision and recall of P2P botnet community detection in dynamic communication graphs.

Networking and Internet Architecture,Cryptography and Security

Xuefeng Li,Haixin Duan,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/icgcs.2010.5543027

2010-01-01

Abstract:Nowadays Botnets have been identified as one of the most serious threats to network security, especially the peer-to-peer (P2P)based Botnets. Security experts destroy the botnets by target-attacking the weaknesses of high degree nodes or high betweens edges of the botnets. To make this work, the security experts need to know the features of the topology of botnets. But, topics such as how botnets' topology is formed and what the features of botnets' topology are are rarely studied up to now. Inspired by the method of complex network, we propose the growing model of botnets to try to resolve these questions. As far as we know, the growing model of Botnets has not been studied. Here, we focuse on the network metrics of Botnets, present a growing model of Botnets and discusse the performance of Botnets when their topology construction parameters change.