Detecting parasite p2p botnet in eMule-like networks through quasi-periodicity recognition

Authors:
Yong Qiao;Yuexiang Yang;Jie He;Bo Liu;Yingzhi Zeng
Affiliations:
School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China;School of Computer, National University of Defense Technology, Changsha, China
Venue:
ICISC'11 Proceedings of the 14th international conference on Information Security and Cryptology
Year:
2011

Citing 14
Cited 0

Measuring and analyzing the characteristics of Napster and Gnutella hosts

Multimedia Systems
Peer-to-peer botnets: overview and case study

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
An advanced hybrid peer-to-peer botnet

HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Overbot: a botnet protocol based on Kademlia

Proceedings of the 4th international conference on Security and privacy in communication netowrks
The Activity Analysis of Malicious HTTP-Based Botnets Using Degree of Periodic Repeatability

SECTECH '08 Proceedings of the 2008 International Conference on Security Technology
BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection

SS'08 Proceedings of the 17th conference on Security symposium
Bayesian bot detection based on DNS traffic similarity

Proceedings of the 2009 ACM symposium on Applied Computing
A Survey of Botnet and Botnet Detection

SECURWARE '09 Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies
Honeypot detection in advanced botnet attacks

International Journal of Information and Computer Security
Detecting and blocking P2P botnets through contact tracing chains

International Journal of Internet Protocol Technology
Periodic behavior in botnet command and control channels traffic

GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks

ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

It's increasingly difficult to detect botnets since the introduction of P2P communication. The flow characteristics and behaviors can be easily hidden if an attacker exploits the common P2P applications' protocol to build the network and communicate. In this paper, we analyze two potential command and control mechanisms for Parasite P2P Botnet, we then identify the quasi periodical pattern of the request packets caused by Parasite P2P Botnet sending requests to search for the Botmaster's commands in PULL mode. Considering our observation, a Parasite P2P Botnet detection framework and a mathematical model are proposed, and two algorithms named Passive Match Algorithm and Active Search Algorithm are developed. Our experimental results are inspiring and suggest that our approach is capable of detecting the P2P botnet leeching in eMule-like networks.