Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Donghong Sun,Xuefeng Li,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/ctc.2010.16

2010-01-01

Abstract:A widespread botnet is often used to carry cyber attacks, which results in serious threats to networks and properties. The application of combining botnets and P2P technology is powerful but complicated. This paper shows the differences of control mechanisms, running functions and working performance between central-controlled botnets and P2P-conctrolled botnets by analysis of several famous botnets. Futher more, This paper also reseaches on Command-and- Control (C&C) mechanism which works as the core component of botnets' architecture, giving out the definition and evaluation parameters of this mechanism, finally proposing a new architecture. It is useful to finding vulnerabilities of P2P botnets and guiding defenders to design effective detection and defending methods.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.1109/TIFS.2018.2881657

2018-11-14

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.48550/arXiv.1709.06440

2017-09-19

Cryptography and Security

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the infrastructure that responsible for various of cyber-crimes. Though a few existing work claimed to detect traditional botnets effectively, the problem of detecting P2P botnets involves more challenges. In this paper, we present PeerHunter, a community behavior analysis based method, which is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P hosts detection component. Then, it uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter can achieve very high detection rate and low false positives.

Amit Kumar,Nitesh Kumar,Anand Handa,Sandeep Kumar Shukla

DOI: https://doi.org/10.1007/978-3-030-20951-3_24

2019-01-01

Abstract:A bot-net is a network of infected hosts (bots) that works independently under the control of a Botmaster (Bot herder), which issues commands to bots using command and control (C&C) servers. Bot-net architectures have advanced over time, to evade detection and disruption. Traditionally, bot-nets used a centralized client-server architecture which had a single point of failure but with the advent of peer-to-peer technology, the problem of single point of failure seems to have been resolved. Gaining advantage of the decentralized nature of the P2P architecture, botmasters started using P2P based communication mechanism. P2P bot-nets are highly resilient against detection even after some bots are identified or taken down. P2P bot-nets provide central frameworks for different cyber-crimes which include DDoS (Distributed Denial of Service), email spam, phishing, password sniffing, etc. In this paper, we propose PeerClear, an approach for identifying P2P bot-nets using network traffic analysis. PeerClear uses a two-step process for identifying P2P bots. In the first step, the hosts involved in P2P traffic are detected and in the second step, the detected hosts are further analyzed to detect bot-nets. Our evaluation shows that our approach PeerClear outperformed several recent approaches and achieves a high detection rate of 99.85%. We also implement multiple new approaches reported in the literature and test on the same dataset to evaluate their relative performance.

Yousof Al-Hammadi,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1004.2860

2010-04-16

Abstract:In the past few years, IRC bots, malicious programs which are remotely controlled by the attacker through IRC servers, have become a major threat to the Internet and users. These bots can be used in different malicious ways such as issuing distributed denial of services attacks to shutdown other networks and services, keystrokes logging, spamming, traffic sniffing cause serious disruption on networks and users. New bots use peer to peer (P2P) protocols start to appear as the upcoming threat to Internet security due to the fact that P2P bots do not have a centralized point to shutdown or traceback, thus making the detection of P2P bots is a real challenge. In response to these threats, we present an algorithm to detect an individual P2P bot running on a system by correlating its activities. Our evaluation shows that correlating different activities generated by P2P bots within a specified time period can detect these kind of bots.

Artificial Intelligence,Cryptography and Security,Neural and Evolutionary Computing

Andrea E. Medina Paredes,Yuan-Yuan Su,Wei Wu,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-030-46828-6_26

2016-01-01

Proceedings of Engineering and Technology Innovation

Abstract:The war against botnet infection is fought every day by users that want to feel safe against any threat of compromise hosts. In this paper we are going to focus on the behavior of Peer 2 Peer (P2P) botnets, which along with hybrid botnets is a growing trend among attackers. The main approach will consist of a behavior comparison among features extracted from network flows, focusing only in the flows from P2P applications including P2P botnets.

Xiaobo Ma,Xiaohong Guan,Jing Tao,Qinghua Zheng,Yun Guo,Lu Liu,Shuang Zhao

DOI: https://doi.org/10.1109/ICC.2010.5502092

2010-01-01

Abstract:Botnets have become a serious threat to Internet and are often deployed to control a large pool of zombies and perform notorious activities such as DDoS, information theft and spam sending. In this paper, a new method is developed for detecting IRC botnets by analyzing the characteristic of packet size sequence of the TCP conversation between IRC zombies and their command and control (C&C) servers. In comparison with IRC chat, the TCP conversations within IRC botnets show a nature of approximate periodicity defined as quasi-periodicity in this paper. A simple yet effective detection method is presented to detect IRC botnets by measuring the quasi-periodicity degree and packet average size of IRC conversations based on ukkonen algorithm. We evaluated our method using real-world IRC botnet traces captured from honeynet. The results show that our method can detect real-world IRC botnets from IRC traffic with high accuracy and has a low false positive rate.

Guangli Wu,Xingyue Wang,Jing Zhang

DOI: https://doi.org/10.1016/j.cose.2024.103775

IF: 5.105

2024-02-24

Computers & Security

Abstract:P2P botnets are distributed with complex topology and communication behavior, making them harder to detect and remove. Individuals or organizations can effectively detect P2P botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting deterministic traffic interaction features, which are highly dependent on statistical features. Moreover, these methods are mainly aimed at generalized botnet detection and lack specificity for detecting P2P botnets. They ignore the topological information of P2P botnets, resulting in unsatisfactory detection accuracy. Among the few existing methods targeting P2P botnets, they consider the topological information but mainly rely on classical graph theory statistical features, such as degree, feature vector centrality, etc. This limits the generalization ability of the detection model. In this paper, we delve into the topological features of P2P botnets from the perspective of complex graph theory. We propose a P2P botnet detection method that combines representation learning and graph contrastive learning, dubbed PeerG. Specifically, we construct the communication graphs based on the flow interaction behavior between components of the P2P botnets. The Line algorithm is employed to embed the nodes of the communication graph into a low-dimensional representation vector space. Subsequently, the graph contrastive learning approach is utilized to optimize the feature extractor, enabling it to capture more representative node features. PeerG serves as a benchmark detection model for identifying P2P botnet nodes. Additionally, we devise two optimized contrastive detection strategies (PeerG-PreG and PeerG-PreF) based on graph-level and feature-level to boost the performance of PeerG. Extensive experiments demonstrate that PeerG brings significant improvements in detection accuracy over state-of-art detection methods. Furthermore, compared with PeerG, the detection strategies PeerG-PreG and PeerG-PreF have further improved detection performance, and achieve the best detection accuracy among multiple filtered P2P botnet types.

computer science, information systems

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Jia Yan,Lingyun Ying,Yi Yang,Purui Su,Qi Li,Hui Kong,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-11698-3_10

2014-01-01

Abstract:Botnet armed with P2P protocol is especially robust against various attacks used to be very effective against centralized network. It's especially significant to enhance our understanding of unstructured P2P Botnets which prove to be resilient against various dismantle efforts. Node injection technique is quite effective in enumerating infected hosts from P2P Botnets, but no previous work has investigated the effectiveness of this method in a quantitative manner. In this paper, we propose a peer popularity boosting algorithm to put the popularity of injected peer under control, and a method to tune the node injection rate to achieve better compromise between consumed bandwidth and completeness of node enumeration. Furthermore, we evaluate our methods with varied level of node injections on three live P2P Botnets, the result shows that our method is quite effective in boosting and manipulating injected peer's popularity. In contrast to other methods without manipulation of injected peer's magnitude of dispersion in network, our method not only unlock the full potential of node injections, but also could be adapted to measurements of various needs.

Jing Zhuge,Thorsten Holz,Xinhui Han,Jinpeng Guo,Wei Zou

2007-01-01

Abstract:Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area. Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command \& Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

Mark Scanlon,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1409.8490

2014-09-30

Abstract:Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.

Cryptography and Security,Networking and Internet Architecture

Shi Wan-Chen,Sun Hung-Min

DOI: https://doi.org/10.1007/s00500-020-04963-z

IF: 3.732

2020-01-01

Soft Computing

Abstract:Over the decades, as the technology of Internet thrives rapidly, more and more kinds of cyber-attacks are blasting out around the world. Among them, botnet is one of the most noxious attacks which has always been challenging to overcome. The difficulties of botnet detection stem from the various forms of attack since the viruses keep evolving to avoid themselves from being found. Rule-based botnet detection has its shortcoming of detecting dynamically changing features. On the other hand, the more the Internet functionalities are developed, the severer the impacts botnets may cause. In recent years, many network devices have suffered from botnet attacks as the Internet of things technology prospers, which caused great damage in many industries. Consequently, botnet detection has always been a critical issue in computer security field. In this paper, we introduce a method to detect potential botnets by inspecting the behaviors of network traffics from network packets. In the beginning, we sample the given packets by a period of time and extract the behavioral features from a series of packets. By analyzing these features with proposed deep learning models, we can detect the threat of botnets and classify them into different categories.

Sajjad Arshad,Maghsoud Abbaspour,Mehdi Kharrazi,Hooman Sanatkar

DOI: https://doi.org/10.1109/ICCAIE.2011.6162198

2018-11-02

Abstract:Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most of previous researches have introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, and C&C server addresses. We start from inherent characteristics of botnets. Bots connect to the C&C channel and execute the received commands. Bots belonging to the same botnet receive the same commands that causes them having similar netflows characteristics and performing same attacks. Our method clusters bots with similar netflows and attacks in different time windows and perform correlation to identify bot infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and low false positive.

Cryptography and Security

Yousof Al-Hammadi,U. Aickelin,Julie Greensmith

DOI: https://doi.org/10.1109/CEC.2008.4631034

IF: 4.755

2010-01-01

Clinical Orthopaedics and Related Research

Abstract:Ensuring the security of computers and their associated networks is a non-trivial task, with many techniques used by malicious users to compromise these systems. In recent years a new threat has emerged in the form of networks of hijacked zombie machines used to perform complex distributed attacks such as denial of service and to obtain sensitive data such as password information. These zombie machines are said to be infected with a 'bot' - a malicious piece of software which is installed on a host machine and is controlled by a remote attacker, termed the 'botmaster of a botnet'. In this work, we use the biologically inspired Dendritic Cell Algorithm (DCA) to detect the existence of a single bot on a compromised host machine. The DCA is an immune-inspired algorithm based on an abstract model of the behaviour of the dendritic cells of the human body. The basis of anomaly detection performed by the DCA is facilitated using the correlation of behavioural attributes such as keylogging and packet flooding behaviour. The results of the application of the DCA to the detection of a single bot show that the algorithm is a successful technique for the detection of such malicious software without responding to normally running programs. I. INTRODUCTION Computer systems and networks come under frequent attack from a diverse set of malicious programs and activity. Computer viruses posed a large problem in the late 1980's and computer worms were problematic in the 1990s through to the early 21st Century. While the detection of such worms and viruses is improving a new threat has emerged in the form of the botnet. Botnets are decentralised, distributed networks of subverted machines, controlled by a central commander, affectionately termed the 'botmaster'. A single bot is a malicious piece of software which, when installed on an unsuspecting host, transforms host into a zombie machine. Bots can install themselves on host machines through sev- eral different mechanisms, with common methods including direct download from the internet, through malicious files received as emails or via the exploitation of bugs present in internet browsing software (15). Bots typically exploit traditional networking protocols for the communication component of their 'command and control' structure. Such variants of bots IRC (Internet Relay Chat) bots, HTTP bots and more recently Peer-to-Peer bots. In this research we are primarily interested in the detection of IRC bots as they appear to be highly prevalent within the botnet community, and seemingly little research has been performed within this area of computer security. IRC is a chat based protocol consisting of various 'channels' to which a user of the IRC network can connect. Upon infection

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Abdelaziz Amara korba,Aleddine Diaf,Yacine Ghamri-Doudane

2024-07-22

Abstract:In the rapidly evolving landscape of cyber threats targeting the Internet of Things (IoT) ecosystem, and in light of the surge in botnet-driven Distributed Denial of Service (DDoS) and brute force attacks, this study focuses on the early detection of IoT bots. It specifically addresses the detection of stealth bot communication that precedes and orchestrates attacks. This study proposes a comprehensive methodology for analyzing IoT network traffic, including considerations for both unidirectional and bidirectional flow, as well as packet formats. It explores a wide spectrum of network features critical for representing network traffic and characterizing benign IoT traffic patterns effectively. Moreover, it delves into the modeling of traffic using various semi-supervised learning techniques. Through extensive experimentation with the IoT-23 dataset - a comprehensive collection featuring diverse botnet types and traffic scenarios - we have demonstrated the feasibility of detecting botnet traffic corresponding to different operations and types of bots, specifically focusing on stealth command and control (C2) communications. The results obtained have demonstrated the feasibility of identifying C2 communication with a 100% success rate through packet-based methods and 94% via flow based approaches, with a false positive rate of 1.53%.

Cryptography and Security,Artificial Intelligence