DOI: 10.1145/1920261.1920283

Friends of an enemy: identifying local members of peer-to-peer botnets using mutual contacts

Published: 06 December 2010

Abstract

In this work we show that once a single peer-to-peer (P2P) bot is detected in a network, it may be possible to efficiently identify other members of the same botnet in the same network even before they exhibit any overtly malicious behavior. Detection is based on an analysis of connections made by the hosts in the network. It turns out that if bots select their peers randomly and independently (i.e. unstructured topology), any given pair of P2P bots in a network communicate with at least one mutual peer outside the network with a surprisingly high probability. This, along with the low probability of any other host communicating with this mutual peer, allows us to link local nodes within a P2P botnet together. We propose a simple method to identify potential members of an unstructured P2P botnet in a network starting from a known peer. We formulate the problem as a graph problem and mathematically analyze a solution using an iterative algorithm. The proposed scheme is simple and requires only flow records captured at network borders. We analyze the efficacy of the proposed scheme using real botnet data, including data obtained from both observing and crawling the Nugache botnet.
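As an added illustration of the mutual-contact idea in the abstract (this is not code from the paper or its authors), the sketch below expands from one known bot over border flow records: a local host is linked when it shares an external peer with an already-suspected host and that peer is contacted by only a few local hosts. The flow records, the addresses and the fan-in threshold `max_fanin` are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (local host, external peer); addresses are assumptions.
FLOWS = [
    ("10.0.0.5", "198.51.100.7"),   # known bot: three external contacts
    ("10.0.0.5", "198.51.100.9"),
    ("10.0.0.5", "203.0.113.20"),
    ("10.0.0.8", "198.51.100.9"),   # shares a rarely contacted peer with the bot
    ("10.0.0.8", "203.0.113.44"),
    ("10.0.0.12", "203.0.113.44"),  # reachable only through 10.0.0.8 (second hop)
    ("10.0.0.12", "192.0.2.77"),
    ("10.0.0.3", "203.0.113.20"),   # 203.0.113.20 is popular, so it is weak evidence
    ("10.0.0.4", "203.0.113.20"),
    ("10.0.0.9", "203.0.113.20"),
    ("10.0.0.21", "192.0.2.80"),    # unrelated host
]


def build_contact_graph(flows):
    """Bipartite view: local host -> external peers, and external peer -> local hosts."""
    local_to_ext = defaultdict(set)
    ext_to_local = defaultdict(set)
    for local, ext in flows:
        local_to_ext[local].add(ext)
        ext_to_local[ext].add(local)
    return local_to_ext, ext_to_local


def find_linked_hosts(flows, known_bot, max_fanin=2):
    """Iteratively link local hosts that share an external contact with a
    suspected host, provided at most max_fanin local hosts talk to that
    contact (a popular benign service would exceed it). max_fanin is an
    assumed tuning knob, not a value from the paper. Returns the suspected
    set and, per linked host, the rare contacts it shares with other suspects."""
    local_to_ext, ext_to_local = build_contact_graph(flows)
    suspected = {known_bot}
    evidence = defaultdict(set)
    frontier = [known_bot]
    while frontier:
        host = frontier.pop()
        for ext in local_to_ext[host]:
            contacts = ext_to_local[ext]
            if len(contacts) > max_fanin:
                continue  # shared by too many local hosts: skip this peer
            for other in contacts - {host, known_bot}:
                evidence[other].add(ext)
                if other not in suspected:
                    suspected.add(other)
                    frontier.append(other)
    return suspected, dict(evidence)
```

Raising `max_fanin` admits the popular peer 203.0.113.20 as evidence and pulls in the three hosts behind it, which is the false-positive trade-off the threshold controls.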



    Published In

    ACSAC '10: Proceedings of the 26th Annual Computer Security Applications Conference
    December 2010
    419 pages
    ISBN:9781450301336
    DOI:10.1145/1920261
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Sponsors

    • ACSA: Applied Computing Security Assoc

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. IDS
    2. P2P botnet
    3. network security

    Qualifiers

    • Research-article

    Conference

    ACSAC '10
    Sponsor:
    • ACSA

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%


    Cited By

    • (2024) Malicious Internet Entity Detection Using Local Graph Inference. IEEE Transactions on Information Forensics and Security, vol. 19, pp. 3554-3566. DOI: 10.1109/TIFS.2024.3360867. Online publication date: 2024.
    • (2023) Blockchain Based Peer to Peer Botnet Detection Using Louvain Algorithm. 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT), pp. 1-6. DOI: 10.1109/ICCCNT56998.2023.10307429. Online publication date: 6-Jul-2023.
    • (2022) A Reinforcement Approach for Detecting P2P Botnet Communities in Dynamic Communication Graphs. ICC 2022 - IEEE International Conference on Communications, pp. 56-61. DOI: 10.1109/ICC45855.2022.9838876. Online publication date: 16-May-2022.
    • (2021) Botnet and Internet of Things (IoTs). Research Anthology on Combating Denial-of-Service Attacks, pp. 138-150. DOI: 10.4018/978-1-7998-5348-0.ch007. Online publication date: 2021.
    • (2021) LiMNet: Early-Stage Detection of IoT Botnets with Lightweight Memory Networks. Computer Security – ESORICS 2021, pp. 605-625. DOI: 10.1007/978-3-030-88418-5_29. Online publication date: 30-Sep-2021.
    • (2021) Hybrid Connection and Host Clustering for Community Detection in Spatial-Temporal Network Data. ECML PKDD 2020 Workshops, pp. 178-204. DOI: 10.1007/978-3-030-65965-3_12. Online publication date: 2-Feb-2021.
    • (2020) Cyber Attacks Mitigation: Detecting Malicious Activities in Network Traffic – A Review of Literature. International Journal of Case Studies in Business, IT, and Education, pp. 40-64. DOI: 10.47992/IJCSBE.2581.6942.0078. Online publication date: 8-Dec-2020.
    • (2020) Botnet and Internet of Things (IoTs). Security, Privacy, and Forensics Issues in Big Data, pp. 304-316. DOI: 10.4018/978-1-5225-9742-1.ch013. Online publication date: 2020.
    • (2020) A Behavior-Based Method for Distinguishing the Type of C&C Channel. Algorithms and Architectures for Parallel Processing, pp. 624-636. DOI: 10.1007/978-3-030-38991-8_41. Online publication date: 22-Jan-2020.
    • (2019) P2P Botnet Detection Based on Nodes Correlation by the Mahalanobis Distance. Information, vol. 10, no. 5, article 160. DOI: 10.3390/info10050160. Online publication date: 1-May-2019.
