Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Donghong Sun,Xuefeng Li,Wu Liu,Jianping Wu

DOI: https://doi.org/10.1109/ctc.2010.16

2010-01-01

Abstract:A widespread botnet is often used to carry cyber attacks, which results in serious threats to networks and properties. The application of combining botnets and P2P technology is powerful but complicated. This paper shows the differences of control mechanisms, running functions and working performance between central-controlled botnets and P2P-conctrolled botnets by analysis of several famous botnets. Futher more, This paper also reseaches on Command-and- Control (C&C) mechanism which works as the core component of botnets' architecture, giving out the definition and evaluation parameters of this mechanism, finally proposing a new architecture. It is useful to finding vulnerabilities of P2P botnets and guiding defenders to design effective detection and defending methods.

Bowei Yang,Guanghua Song,Yao Zheng

DOI: https://doi.org/10.1109/IITSI.2010.37

2010-01-01

Abstract:Various P2P applications on the Internet were accused by organizations, corporations, individuals and countries. An important reason is that many popular P2P networks were not well controlled: The user generally does not need to be responsible for his behavior. As typical P2P-like applications, many C2C E-commerce websites adopt simple voluntary binary voting which leads to plenty of fake or insignificant voting results, and reduces the effectiveness of the voting system. In this paper, we proposed an innovative strategy based on information asymmetry to enhance the existing voting models, which lowers the ratio of arbitrarily or insignificant votings.

JunPeng Mao,Yanli Cui,JianHua Huang,JianBiao Zhang

DOI: https://doi.org/10.1109/isise.2008.58

2008-01-01

Abstract:How much service performance of searching and transmitting Is provided by P2P network for a concrete resource? How much success ratio and recall ratio of resource's searching of existing P2P network is? Rare research is deepened about those questions. This paper, for unstructured P2P network, construct P2P network queuing model, provide calculating method of service performance of concrete resource, analyze success ratio and recall ratio of resource's searching, by experiment simulation, discuss the influence of resource's popularity, Peer's quantity, initial number of objected resource, Peer's average degree and TTL value of protocol to the searching result of concrete resource. We conclude, during the resource searching process, the number of searching result linearly increases with initial number of objected resource, and exponentially increases with Peer's average degree and TTL value, but decreases nonlinearly with Peer's quantity.

JunPeng Mao,YanLi Cui,JianHua Huang,JianBiao Zhang

DOI: https://doi.org/10.1109/cmc.2009.286

2009-01-01

Abstract:Convenient, rapid, efficient and anonymous characteristic of P2P technology, enables P2P network gathering enormous users very quickly, and P2P traffic has occupied 60~80% bandwidth of Internet. Such giant traffic has formed a threat to the service quality of other Internet application and the security of Internet itself. However, most study about P2P traffic focuses on traffic monitoring and characteristic identifying technique. Rare study analyzes P2P traffic behavior from P2P mechanism itself. This paper construct P2P network queuing model, analyzes the influence of related factors to the load-scale of concrete resource. Main conclusion including, compared with other factors, average degree of node and TTL value is the most key factor to load-scale. Load-scale increases with node quantity, initial number of objected resource and resource’s total quantity, however, when those quantity reach to some critical threshold, the influence of those factors become quite weak to load-scale of resource.

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.1109/TIFS.2018.2881657

2018-11-14

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks.

Cryptography and Security,Networking and Internet Architecture,Social and Information Networks

Guangli Wu,Xingyue Wang,Jing Zhang

DOI: https://doi.org/10.1016/j.cose.2024.103775

IF: 5.105

2024-02-24

Computers & Security

Abstract:P2P botnets are distributed with complex topology and communication behavior, making them harder to detect and remove. Individuals or organizations can effectively detect P2P botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting deterministic traffic interaction features, which are highly dependent on statistical features. Moreover, these methods are mainly aimed at generalized botnet detection and lack specificity for detecting P2P botnets. They ignore the topological information of P2P botnets, resulting in unsatisfactory detection accuracy. Among the few existing methods targeting P2P botnets, they consider the topological information but mainly rely on classical graph theory statistical features, such as degree, feature vector centrality, etc. This limits the generalization ability of the detection model. In this paper, we delve into the topological features of P2P botnets from the perspective of complex graph theory. We propose a P2P botnet detection method that combines representation learning and graph contrastive learning, dubbed PeerG. Specifically, we construct the communication graphs based on the flow interaction behavior between components of the P2P botnets. The Line algorithm is employed to embed the nodes of the communication graph into a low-dimensional representation vector space. Subsequently, the graph contrastive learning approach is utilized to optimize the feature extractor, enabling it to capture more representative node features. PeerG serves as a benchmark detection model for identifying P2P botnet nodes. Additionally, we devise two optimized contrastive detection strategies (PeerG-PreG and PeerG-PreF) based on graph-level and feature-level to boost the performance of PeerG. Extensive experiments demonstrate that PeerG brings significant improvements in detection accuracy over state-of-art detection methods. Furthermore, compared with PeerG, the detection strategies PeerG-PreG and PeerG-PreF have further improved detection performance, and achieve the best detection accuracy among multiple filtered P2P botnet types.

computer science, information systems

Mark Scanlon

DOI: https://doi.org/10.48550/arXiv.1712.03455

2017-12-10

Abstract:The scalable, low overhead attributes of Peer-to-Peer (P2P) Internet protocols and networks lend themselves well to being exploited by criminals to execute a large range of cybercrimes. The types of crimes aided by P2P technology include copyright infringement, sharing of illicit images of children, fraud, hacking/cracking, denial of service attacks and virus/malware propagation through the use of a variety of worms, botnets, malware, viruses and P2P file sharing. This project is focused on study of active P2P nodes along with the analysis of the undocumented communication methods employed in many of these large unstructured networks. This is achieved through the design and implementation of an efficient P2P monitoring and crawling toolset. The requirement for investigating P2P based systems is not limited to the more obvious cybercrimes listed above, as many legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g, voice over IP, instant messaging, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. In this work we introduce the Universal P2P Network Investigation Framework (UP2PNIF), a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in P2P network functionality. In combination with a reference database of known network characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework, which can intelligently determine the best investigation methodology and greatly expedite the evidence gathering process. A proof of concept tool was developed for conducting investigations on the BitTorrent network.

Cryptography and Security,Networking and Internet Architecture

Jianping Wu

2012-01-01

Abstract:The key problems in the construction of P2P-botnets are how to identify the honeynet(the network of honeypots) and how to avoid integrating the honeypots into the P2P-botnet.P2P-botnet construction includes propagation,node joining,and topology construction.This paper presents a construction method for a honeynet-aware P2P-botnet based on three modules.The propagation module includes the monitoring nodes in the designed attack list.The node joining module differentiates botnet nodes from the honeypot.The topology construction module constructs the topology of the P2P-botnet using a genetic algorithm.The construction mechanism effectively identifies the honeypots,constructs the P2P-botnet propagation model,and compares it with the honeypot-aware botnet model.The results show that this method is more efficient for certain conditions.Methods are given to defend against honeynet-aware attacks.

Mark Scanlon,M-Tahar Kechadi

DOI: https://doi.org/10.48550/arXiv.1409.8490

2014-09-30

Abstract:Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.

Cryptography and Security,Networking and Internet Architecture

Di Zhuang,J. Morris Chang

DOI: https://doi.org/10.48550/arXiv.1709.06440

2017-09-19

Cryptography and Security

Abstract:Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the infrastructure that responsible for various of cyber-crimes. Though a few existing work claimed to detect traditional botnets effectively, the problem of detecting P2P botnets involves more challenges. In this paper, we present PeerHunter, a community behavior analysis based method, which is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P hosts detection component. Then, it uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter can achieve very high detection rate and low false positives.

Shuyu Jiang,Yunxiang Qiu,Xian Mo,Rui Tang,Wei Wang

2023-12-05

Abstract:Social network alignment (SNA) holds significant importance for various downstream applications, prompting numerous professionals to develop and share SNA tools. Unfortunately, these tools can be exploited by malicious actors to integrate sensitive user information, posing cybersecurity risks. While many researchers have explored attacking SNA (ASNA) through a network modification attack way, practical feasibility remains a challenge. This paper introduces a novel approach, the node injection attack. To overcome the problem of modeling and solving within a limited time and balancing costs and benefits, we propose a low-cost, high-impact node injection attack via dynamic programming (DPNIA) framework. DPNIA models ASNA as a problem of maximizing the number of confirmed incorrect correspondent node pairs who have a greater similarity scores than the pairs between existing nodes, making ASNA solvable. Meanwhile, it employs a cross-network evaluation method to identify node vulnerability, facilitating a progressive attack from easy to difficult. Additionally, it utilizes an optimal injection strategy searching method, based on dynamic programming, to determine which links should be added between injected nodes and existing nodes, thereby achieving a high impact for attack effectiveness at a low cost. Experiments on four real-world datasets consistently demonstrate that DPNIA consistently and significantly outperforms various attack baselines.

Social and Information Networks

Mohammad Jafari Dehkordi,Babak Sadeghiyan

DOI: https://doi.org/10.1049/iet-com.2018.5286

2020-04-08

Abstract:Breaking down botnets have always been a big challenge. The robustness of C&C channels is increased, and the detection of botmaster is harder in P2P botnets. In this paper, we propose a probabilistic method to reconstruct the topologies of the C&C channel for P2P botnets. Due to the geographic dispersion of P2P botnet members, it is not possible to supervise all members, and there does not exist all necessary data for applying other graph reconstruction methods. So far, no general method has been introduced to reconstruct C&C channel topology for all type of P2P botnet. In our method, the probability of connections between bots is estimated by using the inaccurate receiving times of several cascades, network model parameters of C&C channel, and end-to-end delay distribution of the Internet. The receiving times can be collected by observing the external reaction of bots to commands. The results of our simulations show that more than 90% of the edges in a 1000-member network with node degree mean 50, have been accurately estimated by collecting the inaccurate receiving times of 22 cascades. In case the receiving times of just half of the bots are collected, this accuracy of estimation is obtained by using 95 cascades.

Cryptography and Security

Wang Jing-Xin,Wang Yue,Li Yi-Peng,Yuan Jian,Shan Xiu-Ming,Feng Zhen-Ming,Ren Yong

DOI: https://doi.org/10.7498/aps.60.118901

2011-01-01

Abstract:There are rich statistical characteristics in a peer-to-peer （p2p） network.The more refined statistical characteristics still need further understanding.In this paper we define the popularity threshold of the resource,and Abstract the user network based on the popularity threshold to reflect the refined structure characteristics.Through the emprical study of a workload from a dominant peer-to-peer file sharing system,we confirm that the user network based on the popularity threshold has more clear cluster features than the original network.With the popularity threshold of resource increasing,the clustering is more evident.The homoplasy of users within the same cluster is enhanced.The clustering accuracy is inproved.Furthermore,in this paper we extract the cluster fingerprints which can provide a high representation accuracy in low dimensions.

Jing Zhuge,Thorsten Holz,Xinhui Han,Jinpeng Guo,Wei Zou

2007-01-01

Abstract:Botnets, networks of compromised machines that can be remotely controlled by an attacker, are one of the most common attack platforms nowadays. They can, for example, be used to launch distributed denial-of-service (DDoS) attacks, steal sensitive information, or send spam emails. A long-term measurement study of botnet activities is useful as a basis for further research on global botnet mitigation and disruption techniques. We have built a distributed and fully-automated botnet measurement system which allows us to collect data on the botnet activity we observe in China. Based on the analysis of tracking records of 3,290 IRC-based botnets during a period of almost twelve months, this paper presents several novel results of botnet activities which can only be measured via long-term measurements. These include. amongst others, botnet lifetime, botnet discovery trends and distributions, command and control channel distributions, botnet size and end-host distributions. Furthermore, our measurements confirm and extend several previous results from this area. Our results show that the botnet problem is of global scale, with a scattered distribution of the control infrastructure and also a scattered distribution of the victims. Furthermore, the control infrastructure itself is rather flexible, with an average lifetime of a Command \& Control server of about 54 days. These results can also leverage research in the area of botnet detection, mitigation, and disruption: only by understanding the problem in detail, we can develop efficient counter measures.

Andrea E. Medina Paredes,Yuan-Yuan Su,Wei Wu,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-030-46828-6_26

2016-01-01

Proceedings of Engineering and Technology Innovation

Abstract:The war against botnet infection is fought every day by users that want to feel safe against any threat of compromise hosts. In this paper we are going to focus on the behavior of Peer 2 Peer (P2P) botnets, which along with hybrid botnets is a growing trend among attackers. The main approach will consist of a behavior comparison among features extracted from network flows, focusing only in the flows from P2P applications including P2P botnets.

Amit Kumar,Nitesh Kumar,Anand Handa,Sandeep Kumar Shukla

DOI: https://doi.org/10.1007/978-3-030-20951-3_24

2019-01-01

Abstract:A bot-net is a network of infected hosts (bots) that works independently under the control of a Botmaster (Bot herder), which issues commands to bots using command and control (C&C) servers. Bot-net architectures have advanced over time, to evade detection and disruption. Traditionally, bot-nets used a centralized client-server architecture which had a single point of failure but with the advent of peer-to-peer technology, the problem of single point of failure seems to have been resolved. Gaining advantage of the decentralized nature of the P2P architecture, botmasters started using P2P based communication mechanism. P2P bot-nets are highly resilient against detection even after some bots are identified or taken down. P2P bot-nets provide central frameworks for different cyber-crimes which include DDoS (Distributed Denial of Service), email spam, phishing, password sniffing, etc. In this paper, we propose PeerClear, an approach for identifying P2P bot-nets using network traffic analysis. PeerClear uses a two-step process for identifying P2P bots. In the first step, the hosts involved in P2P traffic are detected and in the second step, the detected hosts are further analyzed to detect bot-nets. Our evaluation shows that our approach PeerClear outperformed several recent approaches and achieves a high detection rate of 99.85%. We also implement multiple new approaches reported in the literature and test on the same dataset to evaluate their relative performance.

Lanjun Wang,Xinran Qiao,Yanwei Xie,Weizhi Nie,Yongdong Zhang,Anan Liu

DOI: https://doi.org/10.1145/3581783.3612396

2023-01-01

Abstract:Social platforms such as Twitter are under siege from a multitude of fraudulent users. In response, social bot detection tasks have been developed to identify such fake users. Due to the structure of social networks, the majority of methods are based on the graph neural network(GNN), which is susceptible to attacks. In this study, we propose a node injection-based adversarial attack method designed to deceive bot detection models. Notably, neither the target bot nor the newly injected bot can be detected when a new bot is added around the target bot. This attack operates in a black-box fashion, implying that any information related to the victim model remains unknown. To our knowledge, this is the first study exploring the resilience of bot detection through graph node injection. Furthermore, we develop an attribute recovery module to revert the injected node embedding from the graph embedding space back to the original feature space, enabling the adversary to manipulate node perturbation effectively. We conduct adversarial attacks on four commonly used GNN structures for bot detection on two widely used datasets: Cresci-2015 and TwiBot-22. The attack success rate is over 73% and the rate of newly injected nodes being detected as bots is below 13% on these two datasets.

Zhijia Chen,Yang Zhao,Chuang Lin,Xin Miao,Qingbo Wang

DOI: https://doi.org/10.1109/icdcsw.2009.34

2009-01-01

Abstract:With the explosive growth of data-concentrated applications over Internet, the distribution of huge data in large scales with guarantee of Quality of Service (QoS), remains an elusive goal in both current and future Internet. The potential integration of Peer-to-Peer (P2P) paradigm into the Internet content distribution infrastructure provides a disruptive market opportunity to scale the Internet for higher quality data delivery. While the theoretical benefits of P2P has been widely reported, it remains unknown on its performance for mass data delivery over the booming Internet with increasing users and access speed, highly promising yet controversial. This paper thus provides an experimental study in exploring the following questions: 1) How fast and how scalable the mass data delivery can be with the assistance of P2P networks? 2) What are the bottlenecks in adopting P2P for content distribution in high-speed networks? 3) How could P2P be integrated as a reliable platform for QoS-guaranteed data delivery among dedicated server farms in industry? Our explorations quantify the unique strength of P2P technology for mass data delivery in high-speed networks, and identify factors that influence the downloading time of end users, namely, peer upload rate, file piece size, and seed capacity.

Ioannis Pogkas,Vassil Kriakov,Zhongqiang Chen,Alex Delis

DOI: https://doi.org/10.1007/s12083-008-0018-2

IF: 3.488

2009-01-01

Peer-to-Peer Networking and Applications

Abstract:To address the two most critical issues in P2P file-sharing systems: efficient information discovery and authentic data acquisition, we propose a Gnutella-like file-sharing protocol termed Adaptive Gnutella Protocol (AGP) that not only improves the querying efficiency in a P2P network but also enhances the quality of search results at the same time. The reputation scheme in the proposed AGP evaluates the credibility of peers based on their contributions to P2P services and subsequently clusters nodes together according to their reputation and shared content, essentially transforming the P2P overlay network into a topology with collaborative and reputed nodes as its core. By detecting malicious peers as well as free-riders and eventually pushing them to the edge of the overlay network, our AGP propagates search queries mainly within the core of the topology, accelerating the information discovery process. Furthermore, the clustering of nodes based on authentic and similar content in our AGP also improves the quality of search results. We have implemented the AGP with the PeerSim simulation engine and conducted thorough experiments on diverse network topologies and various mixtures of honest/dishonest nodes to demonstrate improvements in topology transformation, query efficiency, and search quality by our AGP.