PeerRush: Mining for unwanted P2P traffic

Rahbarinia, Babak; Perdisci, Roberto; Lanzi, Andrea; Li, Kang

doi:10.1016/j.jisa.2014.03.002

Cited by 37 publications

(62 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Flow-based systems [2]- [6], [8], [10]- [14], [18], [19] use header information of network packets (i.e., network flow characteristics) to capture botnets behaviors. Compared with payload-based systems, flow-based systems use less information from the network packets.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Zhuang

Chang

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks. Index Terms-P2P Botnet, intrusion detection, network security, community detection. J. Morris Chang (SM'08) is a professor in the Department of Electrical Engineering at the University of South Florida. He received the Ph.D. degree from the North Carolina State University. His past industrial experiences include positions at Texas Instruments, Microelectronic Center of North Carolina and AT&T Bell Labs. He received the University Excellence in Teaching Award at Illinois Institute of Technology in 1999. His research interests include: cyber security, wireless networks, and energy efficient computer systems. In the last six years, his research projects on cyber security have been funded by DARPA. Currently, he is leading a DARPA project under Brandeis program focusing on privacy-preserving computation over Internet. He is a handling editor of Journal of Microprocessors and Microsystems and an editor of IEEE IT Professional. He is a senior member of IEEE.

show abstract

Section: Related Workmentioning

confidence: 99%

“…In the experiments, we mixed a background network dataset [7] with 5 P2P botnets datasets and 4 legitimate P2P applications datasets [8]. To make our experimental evaluation as unbiased and challenging as possible, we propose a network traces sampling and mixing method to generate synthetic experimental datasets.…”

Section: Introductionmentioning

confidence: 99%

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Zhuang

Chang

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…In contrast, the human generated traffic does not contain any similarity due to miscellaneous activities. To capture the statistical similarity of botnet traffic, many P2P botnet detection schemes 2,[25][26][27][28][29][30][31][32][33][34][35][36][37][38][39][40] proposed in which a group of statistical features is introduced as a P2P botnet footprint. These features are extracted from the botnet traffic and context network traffic.…”

Section: Statistical Characteristicsmentioning

confidence: 99%

“…35,36 The host-based footprints are extracted from the network traffic of each host (like the number of IP addresses it connected to). 2,[37][38][39][40] The proposed footprints related to each class are detailed in following subsections.…”

Section: Statistical Characteristicsmentioning

confidence: 99%

On the resilience of P2P botnet footprints in the presence of legitimate P2P traffic

Daneshgar

Abbaspour

2019

Int J Communication

View full text Add to dashboard Cite

Summary Botnet is a distributed platform for illegal activities severely threaten the security of the Internet. Fortunately, although their complicated nature, bots leave some footprints during the C&C communication that have been utilized by security researchers to design detection mechanisms. Nevertheless, botnet designers are always trying to evade detection systems by leveraging the legitimate P2P protocol as C&C channel or even mimicking legitimate peer‐to‐peer (P2P) behavior. Consequently, detecting P2P botnet in the presence of normal P2P traffic is one of the most challenging issues in network security. However, the resilience of P2P botnet detection systems in the presence of normal P2P traffic is not investigated in most proposed schemes. In this paper, we focused on the footprint as the most essential part of a detection system and presented a taxonomy of footprints utilized in behavioral P2P botnet detection systems. Then, the resilience of mentioned footprints is analyzed using three evaluation scenarios. Our experimental and analytical investigations indicated that the most P2P botnet footprints are not resilient to the presence of legitimate P2P traffic and there is a pressing need to introduce more resilient footprints.

show abstract

“…We also obtained datasets of 2 popular P2P botnets, Storm and Waledac, from third parties. 20 The dataset of Storm included 13 individual bots, while the dataset of Waledac included 3 individual bots. Table 1 summarizes brief information of the datasets.…”

Section: Dataset Collectionmentioning

confidence: 99%

Adaptive traffic sampling for P2P botnet detection

Yang

Wang

et al. 2017

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Peer‐to‐peer (P2P) botnets have become one of the major threats to network security. Most existing botnet detection systems detect bots by examining network traffic. Unfortunately, the traffic volumes typical of current high‐speed Internet Service Provider and enterprise networks are challenging for these network‐based systems, which perform computationally complex analyses. In this paper, we propose an adaptive traffic sampling system that aims to effectively reduce the volume of traffic that P2P botnet detectors need to process while not degrading their detection accuracy. Our system first identifies a small number of potential P2P bots in high‐speed networks as soon as possible, and then samples as many botnet‐related packets as possible with a predefined target sampling rate. The sampled traffic then can be delivered to fine‐grained detectors for further in‐depth analysis. We evaluate our system using traffic datasets of real‐world and popular P2P botnets. The experiments demonstrate that our system can identify potential P2P bots quickly and accurately with few false positives and greatly increase the proportion of botnet‐related packets in the sampled packets while maintain the high detection accuracy of the fine‐grained detectors.

show abstract

PeerRush: Mining for unwanted P2P traffic

Cited by 37 publications

References 3 publications

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

On the resilience of P2P botnet footprints in the presence of legitimate P2P traffic

Adaptive traffic sampling for P2P botnet detection

Contact Info

Product

Resources

About