Mark Scanlon,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1409.8490

2014-09-30

Abstract:Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.

Cryptography and Security,Networking and Internet Architecture

Jianping Wu

2012-01-01

Abstract:The key problems in the construction of P2P-botnets are how to identify the honeynet(the network of honeypots) and how to avoid integrating the honeypots into the P2P-botnet.P2P-botnet construction includes propagation,node joining,and topology construction.This paper presents a construction method for a honeynet-aware P2P-botnet based on three modules.The propagation module includes the monitoring nodes in the designed attack list.The node joining module differentiates botnet nodes from the honeypot.The topology construction module constructs the topology of the P2P-botnet using a genetic algorithm.The construction mechanism effectively identifies the honeypots,constructs the P2P-botnet propagation model,and compares it with the honeypot-aware botnet model.The results show that this method is more efficient for certain conditions.Methods are given to defend against honeynet-aware attacks.

Jia Yan,Lingyun Ying,Yi Yang,Purui Su,Qi Li,Hui Kong,Dengguo Feng

DOI: https://doi.org/10.1007/978-3-319-11698-3_10

2014-01-01

Abstract:Botnet armed with P2P protocol is especially robust against various attacks used to be very effective against centralized network. It's especially significant to enhance our understanding of unstructured P2P Botnets which prove to be resilient against various dismantle efforts. Node injection technique is quite effective in enumerating infected hosts from P2P Botnets, but no previous work has investigated the effectiveness of this method in a quantitative manner. In this paper, we propose a peer popularity boosting algorithm to put the popularity of injected peer under control, and a method to tune the node injection rate to achieve better compromise between consumed bandwidth and completeness of node enumeration. Furthermore, we evaluate our methods with varied level of node injections on three live P2P Botnets, the result shows that our method is quite effective in boosting and manipulating injected peer's popularity. In contrast to other methods without manipulation of injected peer's magnitude of dispersion in network, our method not only unlock the full potential of node injections, but also could be adapted to measurements of various needs.

Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

JIANG Jian,ZHUGE Jian-Wei,DUAN Hai-Xin,WU Jian-Ping

DOI: https://doi.org/10.3724/sp.j.1001.2012.04101

2012-01-01

Abstract:Botnets are one of the most serious threats to the Internet.Researchers have done plenty of research and made significant progress.However, botnets keep evolving and have become more and more sophisticated.Due to the underlying security limitation of current system and Internet architecture, and the complexity of botnet itself, how to effectively counter the global threat of botnets is still a very challenging issue.This paper first introduces the evolving of botnet's propagation, attack, command, and control mechanisms.Then the paper summarizes recent advances of botnet defense research and categorizes into five areas: Botnet monitoring, botnet infiltration, analysis of botnet characteristics, botnet detection and botnet disruption.The limitation of current botnet defense techniques, the evolving trend of botnet, and some possible directions for future research are also discussed.

LI Qing-peng,ZHENG Lian-qing,YANG Tong,ZHANG Chuan-rong

DOI: https://doi.org/10.3969/j.issn.1000-7024.2012.01.016

2012-01-01

Abstract:For the sake of defensing Botnets,methods of bot programming and network structures are researched.A bot is designed by analyzing the functional structure and working mechanism of Botnet.The program is broken down into four modules that are scan module,exploit module,upload module and communicate module.Then the four modules are implemented by programming,and performance of bot is tested in lab environment,the data show that,botnet can achieve the desired results.Finally,some kinds of prevention measures are presented.

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Jinquan Zeng,Weiwen Tang,Caiming Liu,Jianbin Hu,Lingxi Peng

DOI: https://doi.org/10.1007/978-3-642-34038-3_79

2012-01-01

Abstract:Botnet is an attack network composed of hundreds of millions of compromised computers. Botnet is emerging as the most serious threat against cyber-security and is used to launch Distributed Denial of Service (DDoS) attacks, malware dissemination, phishing, remote control, click fraud, and etc. Although botnet has posed serious security threat on Internet, the research of detecting and preventing botnet is still in its infancy. One effective technique for botnet detection is to identify botnet C&C traffic. In this paper, we present a case study of the IRC-based botnet C&C communication and then present a novel method to detect botnet C&C communications. We develop quantitative ways to assess the C&C communications between the bot and the C&C server; furthermore, we also illustrate the correlation methods within the same botnet's C&C communications to decrease the false positive rate.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.1109/TIFS.2018.2881657

2018-11-14

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Amit Kumar,Nitesh Kumar,Anand Handa,Sandeep Kumar Shukla

DOI: https://doi.org/10.1007/978-3-030-20951-3_24

2019-01-01

Abstract:A bot-net is a network of infected hosts (bots) that works independently under the control of a Botmaster (Bot herder), which issues commands to bots using command and control (C&C) servers. Bot-net architectures have advanced over time, to evade detection and disruption. Traditionally, bot-nets used a centralized client-server architecture which had a single point of failure but with the advent of peer-to-peer technology, the problem of single point of failure seems to have been resolved. Gaining advantage of the decentralized nature of the P2P architecture, botmasters started using P2P based communication mechanism. P2P bot-nets are highly resilient against detection even after some bots are identified or taken down. P2P bot-nets provide central frameworks for different cyber-crimes which include DDoS (Distributed Denial of Service), email spam, phishing, password sniffing, etc. In this paper, we propose PeerClear, an approach for identifying P2P bot-nets using network traffic analysis. PeerClear uses a two-step process for identifying P2P bots. In the first step, the hosts involved in P2P traffic are detected and in the second step, the detected hosts are further analyzed to detect bot-nets. Our evaluation shows that our approach PeerClear outperformed several recent approaches and achieves a high detection rate of 99.85%. We also implement multiple new approaches reported in the literature and test on the same dataset to evaluate their relative performance.

Xuefeng Li,Haixin Duan,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/icgcs.2010.5543027

2010-01-01

Abstract:Nowadays Botnets have been identified as one of the most serious threats to network security, especially the peer-to-peer (P2P)based Botnets. Security experts destroy the botnets by target-attacking the weaknesses of high degree nodes or high betweens edges of the botnets. To make this work, the security experts need to know the features of the topology of botnets. But, topics such as how botnets' topology is formed and what the features of botnets' topology are are rarely studied up to now. Inspired by the method of complex network, we propose the growing model of botnets to try to resolve these questions. As far as we know, the growing model of Botnets has not been studied. Here, we focuse on the network metrics of Botnets, present a growing model of Botnets and discusse the performance of Botnets when their topology construction parameters change.

Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1712.03455

2017-12-10

Abstract:The scalable, low overhead attributes of Peer-to-Peer (P2P) Internet protocols and networks lend themselves well to being exploited by criminals to execute a large range of cybercrimes. The types of crimes aided by P2P technology include copyright infringement, sharing of illicit images of children, fraud, hacking/cracking, denial of service attacks and virus/malware propagation through the use of a variety of worms, botnets, malware, viruses and P2P file sharing. This project is focused on study of active P2P nodes along with the analysis of the undocumented communication methods employed in many of these large unstructured networks. This is achieved through the design and implementation of an efficient P2P monitoring and crawling toolset. The requirement for investigating P2P based systems is not limited to the more obvious cybercrimes listed above, as many legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g, voice over IP, instant messaging, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. In this work we introduce the Universal P2P Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in P2P network functionality. In combination with a reference database of known network characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework, which can intelligently determine the best investigation methodology and greatly expedite the evidence gathering process. A proof of concept tool was developed for conducting investigations on the BitTorrent network.

Cryptography and Security,Networking and Internet Architecture

Jing Zhuge,Thorsten Holz,Xinhui Han,Jinpeng Guo,Wei Zou

2007-01-01

Abstract:Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area. Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command \& Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

Xuefeng Li,Haixin Duan,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/uic-atc.2009.49

2009-01-01

Abstract:The botnet construction mechanism (BCM) is one of the key technologies of the botnets and the most important issue to both the attackers and the defenders. To the best of our knowledge, although the BCM has been mentioned in many researching papers, it has not been systemically studied. In this paper, we attempt to discuss the BCM methodically. We first give both the definition and its formalized definition of the BCM, and then address the BCM through four components: the bot propagating mechanism, the bot joining mechanism, the construction mechanism of topology and the performances of the botnet. We further detail the elements of the four components and study the compatibilities between those elements. Finally we discuss the advantages and disadvantages of each element.

Andrea E. Medina Paredes,Yuan-Yuan Su,Wei Wu,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-030-46828-6_26

2016-01-01

Proceedings of Engineering and Technology Innovation

Abstract:The war against botnet infection is fought every day by users that want to feel safe against any threat of compromise hosts. In this paper we are going to focus on the behavior of Peer 2 Peer (P2P) botnets, which along with hybrid botnets is a growing trend among attackers. The main approach will consist of a behavior comparison among features extracted from network flows, focusing only in the flows from P2P applications including P2P botnets.

Guangli Wu,Xingyue Wang,Jing Zhang

DOI: https://doi.org/10.1016/j.cose.2024.103775

IF: 5.105

2024-02-24

Computers & Security

Abstract:P2P botnets are distributed with complex topology and communication behavior, making them harder to detect and remove. Individuals or organizations can effectively detect P2P botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting deterministic traffic interaction features, which are highly dependent on statistical features. Moreover, these methods are mainly aimed at generalized botnet detection and lack specificity for detecting P2P botnets. They ignore the topological information of P2P botnets, resulting in unsatisfactory detection accuracy. Among the few existing methods targeting P2P botnets, they consider the topological information but mainly rely on classical graph theory statistical features, such as degree, feature vector centrality, etc. This limits the generalization ability of the detection model. In this paper, we delve into the topological features of P2P botnets from the perspective of complex graph theory. We propose a P2P botnet detection method that combines representation learning and graph contrastive learning, dubbed PeerG. Specifically, we construct the communication graphs based on the flow interaction behavior between components of the P2P botnets. The Line algorithm is employed to embed the nodes of the communication graph into a low-dimensional representation vector space. Subsequently, the graph contrastive learning approach is utilized to optimize the feature extractor, enabling it to capture more representative node features. PeerG serves as a benchmark detection model for identifying P2P botnet nodes. Additionally, we devise two optimized contrastive detection strategies (PeerG-PreG and PeerG-PreF) based on graph-level and feature-level to boost the performance of PeerG. Extensive experiments demonstrate that PeerG brings significant improvements in detection accuracy over state-of-art detection methods. Furthermore, compared with PeerG, the detection strategies PeerG-PreG and PeerG-PreF have further improved detection performance, and achieve the best detection accuracy among multiple filtered P2P botnet types.

computer science, information systems

Shuai Wang,Xiang Cui,Peng Liao,Dan Li

DOI: https://doi.org/10.1007/978-3-642-35795-4_52

2013-01-01

Abstract:The rapid development of 3G/WiFi network and Smartphone has greatly stimulated the evolution of mobile botnets. Mobile botnets have attracted extensive attentions from the academic community. In this paper, we introduce our design of an advanced mobile botnet called SUbot which exploits a novel command and control (C&C) strategy named Shorten-URL Flux (short for S-URL Flux). The proposed SUbot would have desirable features including being stealthy, resilient and low-cost (i.e., low battery power consumption, low traffic consumption and low money cost).This paper focuses on the design principle of the mobile botnet. In comparison to traditional mobile botnet, SUbot has stronger adaptability and stability. It's of great significance to research and defend against such kind of advance mobile botnet. © Springer-Verlag Berlin Heidelberg 2013.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.48550/arXiv.1709.06440

2017-09-19

Cryptography and Security

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the infrastructure that responsible for various of cyber-crimes. Though a few existing work claimed to detect traditional botnets effectively, the problem of detecting P2P botnets involves more challenges. In this paper, we present PeerHunter, a community behavior analysis based method, which is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P hosts detection component. Then, it uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter can achieve very high detection rate and low false positives.

Mohammad Jafari Dehkordi,Babak Sadeghiyan

DOI: https://doi.org/10.1049/iet-com.2018.5286

2020-04-08

Abstract:Breaking down botnets have always been a big challenge. The robustness of C&C channels is increased, and the detection of botmaster is harder in P2P botnets. In this paper, we propose a probabilistic method to reconstruct the topologies of the C&C channel for P2P botnets. Due to the geographic dispersion of P2P botnet members, it is not possible to supervise all members, and there does not exist all necessary data for applying other graph reconstruction methods. So far, no general method has been introduced to reconstruct C&C channel topology for all type of P2P botnet. In our method, the probability of connections between bots is estimated by using the inaccurate receiving times of several cascades, network model parameters of C&C channel, and end-to-end delay distribution of the Internet. The receiving times can be collected by observing the external reaction of bots to commands. The results of our simulations show that more than 90% of the edges in a 1000-member network with node degree mean 50, have been accurately estimated by collecting the inaccurate receiving times of 22 cascades. In case the receiving times of just half of the bots are collected, this accuracy of estimation is obtained by using 95 cascades.

Cryptography and Security

HAN Xin-hui,GUO Jin-peng,ZHOU Yong-lin,ZHUGE Jian-wei,ZOU Wei

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.029

2007-01-01

Abstract:Botnets have become the first-choice attack platform for the network attackers to launch distributed denial of service attacks,steal sensitive information and send spam.They have raised serious threats to normal operation of the Internet and the benefits of the Internet users.The investigation on the wild botnets activities is the necessary for the fur-ther monitering and countermeasure against world-wide botnets.Based on the investigation and analysis on tracking re-cords of 1 961 wild botnets,it shows the statistical results of botnet activities,including amount of botnets,command and control channel distributions,botnet size and end-host distributions,and various types of botnet attack activities.