Peer-to-peer (P2P) substrates are now widely used for both file-sharing and botnet command-and-control. Despite the commonality of their substrates, we show that the different goals and circumstances of these applications give rise to behaviors that can be distinguished in network flow records. Using features related to traffic volume, “churn” among peers, and differences between human-driven and machine-driven traffic, we develop a technique for identifying P2P bots (the Plotters) and, in particular, separating them from file-sharing hosts (the Traders). Evaluations performed on traffic recorded at the edge of a university network show that we can achieve, e.g., 87.50% detection of Storm bots with a 0.47% false positive rate. We also demonstrate the significant extent to which Plotter behaviors would need to change to evade our technique.