Kademlia: A Peer-to-Peer Information System Based on the XOR Metric
IPTPS '01 Revised Papers from the First International Workshop on Peer-to-Peer Systems
A multifaceted approach to understanding the botnet phenomenon
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Proceedings of the 38th conference on Winter simulation
Revealing botnet membership using DNSBL counter-intelligence
SRUTI'06 Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet - Volume 2
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
An advanced hybrid peer-to-peer botnet
HotBots'07 Proceedings of the First Workshop on Hot Topics in Understanding Botnets
Wide-scale botnet detection and characterization
HotBots'07 Proceedings of the First Workshop on Hot Topics in Understanding Botnets
Rishi: identify bot contaminated hosts by IRC nickname evaluation
HotBots'07 Proceedings of the First Workshop on Hot Topics in Understanding Botnets
A case study of the Rustock rootkit and spam bot
HotBots'07 Proceedings of the First Workshop on Hot Topics in Understanding Botnets
HotBots'07 Proceedings of the First Workshop on Hot Topics in Understanding Botnets
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of the 16th USENIX Security Symposium
Characterizing botnets from email spam records
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Measurements and mitigation of peer-to-peer-based botnets: a case study on Storm worm
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
The heisenbot uncertainty problem: challenges in separating bots from chaff
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Spamming botnets: signatures and characteristics
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Traffic Aggregation for Malware Detection
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
BotTracer: Execution-Based Bot-Like Malware Detection
ISC '08 Proceedings of the 11th international conference on Information Security
Overbot: a botnet protocol based on Kademlia
Proceedings of the 4th international conference on Security and privacy in communication networks
Towards Next-Generation Botnets
EC2ND '08 Proceedings of the 2008 European Conference on Computer Network Defense
SS'08 Proceedings of the 17th USENIX Security Symposium
ICCCN '09 Proceedings of the 18th International Conference on Computer Communications and Networks
A Systematic Study on Peer-to-Peer Botnets
ICCCN '09 Proceedings of the 18th International Conference on Computer Communications and Networks
Your botnet is my botnet: analysis of a botnet takeover
Proceedings of the 16th ACM conference on Computer and communications security
Take a deep breath: a stealthy, resilient and cost-effective botnet using Skype
DIMVA'10 Proceedings of the 7th international conference on Detection of intrusions and malware, and vulnerability assessment
RatBot: anti-enumeration peer-to-peer botnets
ISC'11 Proceedings of the 14th international conference on Information security
Botnets have emerged as one of the most severe cyber-threats in recent years. To evade detection and improve resistance against countermeasures, botnets have evolved from a first generation that relies on IRC chat channels to deliver commands to the current generation, which uses highly resilient P2P (peer-to-peer) protocols to spread C&C (command and control) information. On an encouraging note, the seminal work by Holz et al. [14] showed that P2P botnets, although free of the single point of failure that IRC botnets suffer from, can be easily disrupted using pollution-based mitigation schemes. For white-hat cyber-security practitioners to be better prepared for potentially destructive P2P botnets, it is necessary for them to understand the strategy space from the attacker's perspective. Against this backdrop, we analyze a new type of P2P botnet, which we call AntBot, that aims to spread its C&C information to individual bots even when an adversary persistently pollutes the keys that seized bots are known to use when searching for the C&C information. The tree-like structure of AntBot, together with the randomness and redundancy in its design, makes it possible for individual bots, when captured, to reveal only limited information. We mathematically analyze the performance of AntBot from the perspectives of reachability, resilience to pollution, and scalability. To evaluate the effectiveness of AntBot against pollution-based mitigation in a practical setting, we develop a distributed high-fidelity P2P botnet simulator that uses the actual implementation code of aMule, a popular Kademlia-based P2P client. The simulator lets us evaluate the attacker's strategy without the ethical or legal issues that real-world deployment would raise. Using extensive simulation, we demonstrate that AntBot operates resiliently against pollution-based mitigation.
We further suggest a few potential defense schemes that could effectively disrupt AntBot operations and also present challenges that researchers need to address when developing these techniques in practice.
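The trade-off the abstract describes, between a defender who pollutes the index keys learned from seized bots and a botnet design that spreads its lookups over many keys, can be made concrete with a small reachability model. The block below is an added example written for this page; it is not code from the AntBot paper, from aMule, or from any of the works listed above, and it does not reproduce AntBot's tree structure. The key space, the cap on records returned per lookup (`MAX_RESULTS`), and the way a genuine C&C record is told apart from a bogus one (`genuine_record`) are all constructed assumptions of the model.

```python
"""Toy reachability model for pollution-based mitigation of a DHT-based C&C index.

Added example, not code from the AntBot paper, aMule, or any cited work. It models
only the abstract's framing: bots look up C&C information under keys in a
Kademlia-style index, a defender who seizes bots learns the keys they use and
floods those keys with bogus records, and a design that spreads lookups over many
redundant keys keeps more bots reachable. All parameters below are assumptions.
"""
import hashlib
import random

# Assumption: a lookup returns at most this many records per key, so once a key is
# flooded the genuine record is crowded out of the result set. Kademlia returns a
# bounded set of closest entries; the exact cap is a modelling choice here.
MAX_RESULTS = 20


def key_name(k: int) -> str:
    return f"key-{k}"


def genuine_record(key: str, secret: str = "botmaster-secret") -> str:
    # Hypothetical: a genuine record is bound to its key by a secret only the
    # botmaster holds, so a bot can reject bogus records but cannot recover the
    # genuine one if the lookup never returns it.
    return hashlib.sha256((secret + key).encode()).hexdigest()


class Index:
    """Minimal stand-in for the DHT: a multimap from key to published records."""

    def __init__(self, rng: random.Random):
        self.store = {}  # key -> list of records published under that key
        self.rng = rng

    def publish(self, key: str, record: str) -> None:
        self.store.setdefault(key, []).append(record)

    def lookup(self, key: str) -> list:
        records = self.store.get(key, [])
        if len(records) <= MAX_RESULTS:
            return list(records)
        # Flooded key: the querier sees a random bounded subset of what is stored.
        return self.rng.sample(records, MAX_RESULTS)


def pollute(index: Index, key: str, n_bogus: int) -> None:
    """Defender's move: flood a key learned from a seized bot with bogus records."""
    for i in range(n_bogus):
        index.publish(key, f"bogus-{i}")


def simulate(n_bots: int, n_keys: int, keys_per_bot: int,
             n_captured: int, n_bogus: int, seed: int = 1) -> float:
    """Fraction of bots that can still retrieve a genuine C&C record after the
    defender seizes n_captured bots and pollutes every key those bots use."""
    rng = random.Random(seed)
    index = Index(rng)
    # Each bot searches a random subset of the key space; with n_keys == 1 and
    # keys_per_bot == 1 this degenerates to one key shared by the whole botnet.
    bots = [rng.sample(range(n_keys), keys_per_bot) for _ in range(n_bots)]
    for k in range(n_keys):
        index.publish(key_name(k), genuine_record(key_name(k)))
    for b in rng.sample(range(n_bots), n_captured):
        for k in bots[b]:
            pollute(index, key_name(k), n_bogus)
    # A bot is reachable if any of its keys still yields the genuine record.
    reached = sum(
        1 for keys in bots
        if any(genuine_record(key_name(k)) in index.lookup(key_name(k)) for k in keys)
    )
    return reached / n_bots


if __name__ == "__main__":
    print("single shared key, 1 bot seized:   ", simulate(200, 1, 1, 1, 5000))
    print("3 of 1000 keys per bot, 10 seized: ", simulate(200, 1000, 3, 10, 5000))
    print("3 of 1000 keys per bot, 100 seized:", simulate(200, 1000, 3, 100, 5000))
```

With a single shared key, seizing one bot and flooding that key cuts reachability to a few percent at most, which is the effect the pollution-based mitigation of Holz et al. [14] exploits. With each bot drawing three keys from a space of a thousand, the only bots reliably cut off are the seized ones, and the defender has to capture a large fraction of the population before pollution reaches the rest. Two caveats apply to reading the numbers: the model assumes bots authenticate records (bots that accept any record fail faster, since a single bogus one suffices), and it ignores that a defender controlling nodes near a key in the XOR space can suppress the genuine record outright rather than merely crowding it out.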