Abstract
Botnets have become increasingly difficult to detect since the introduction of P2P communication: the flow characteristics and behaviours can be easily hidden if an attacker exploits a common P2P application's protocol to build the network and communicate. In this paper, we analyze two potential command and control mechanisms for the Parasite P2P Botnet, and identify the quasi-periodic pattern of request packets caused by Parasite P2P Botnet bots sending search requests for the botmaster's commands in PULL mode. Based on this observation, we propose a Parasite P2P Botnet detection framework and a mathematical model, and develop two algorithms, the Passive Match Algorithm and the Active Search Algorithm. Our experimental results are encouraging and suggest that our approach is capable of detecting a P2P botnet leeching on eMule-like networks.
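As an added illustration of the quasi-periodicity idea in the abstract (this is example code, not the paper's Passive Match or Active Search algorithms, which the abstract does not describe), the following Python scores each host by how regularly its Kad search requests arrive; it assumes the input is one (source IP, timestamp) pair per observed search request, and the sample timestamps are constructed.

```python
"""Flag hosts whose P2P search requests arrive at near-constant intervals.

A bot polling the network for its botmaster's commands in PULL mode
tends to issue search requests on a schedule, so its inter-arrival
gaps cluster around one period; an ordinary peer's gaps do not.
The scoring rule below is an assumption made for this example.
"""
from statistics import median


def interarrivals(timestamps):
    """Gaps (seconds) between consecutive sorted timestamps."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def quasi_periodicity_score(timestamps, tolerance=0.2, min_requests=6):
    """Return (score, period).

    period is the median gap; score is the fraction of gaps lying within
    +/- tolerance*period of it. Too few requests yield (0.0, None).
    """
    gaps = interarrivals(timestamps)
    if len(gaps) < min_requests - 1:
        return 0.0, None
    period = median(gaps)
    if period <= 0:
        return 0.0, None
    hits = sum(1 for g in gaps if abs(g - period) <= tolerance * period)
    return hits / len(gaps), period


def flag_hosts(requests, threshold=0.8):
    """Group (src_ip, timestamp) records per host; return {ip: (score, period)}
    for hosts whose score reaches the threshold."""
    by_host = {}
    for ip, t in requests:
        by_host.setdefault(ip, []).append(t)
    flagged = {}
    for ip, ts in by_host.items():
        score, period = quasi_periodicity_score(ts)
        if period is not None and score >= threshold:
            flagged[ip] = (round(score, 2), period)
    return flagged


# Constructed sample: 10.0.0.5 polls roughly every 300 s with jitter,
# 10.0.0.9 is a normal peer searching at irregular times.
SAMPLE_REQUESTS = (
    [("10.0.0.5", t) for t in (0, 298, 605, 901, 1204, 1498, 1803, 2099)]
    + [("10.0.0.9", t) for t in (0, 45, 530, 531, 1400, 1412, 1690, 2600)]
)

if __name__ == "__main__":
    print(flag_hosts(SAMPLE_REQUESTS))
```

In practice the tolerance and threshold would be tuned against benign Kad traffic, since legitimate clients also re-issue some searches on timers.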
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Qiao, Y., Yang, Y., He, J., Liu, B., Zeng, Y. (2012). Detecting Parasite P2P Botnet in eMule-like Networks through Quasi-periodicity Recognition. In: Kim, H. (eds) Information Security and Cryptology - ICISC 2011. ICISC 2011. Lecture Notes in Computer Science, vol 7259. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31912-9_9
DOI: https://doi.org/10.1007/978-3-642-31912-9_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31911-2
Online ISBN: 978-3-642-31912-9