SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Rossow, Christian; Andriesse, Dennis; Werner, Tillmann; Stone-Gross, Brett; Plohmann, Daniel; Dietrich, Christian; Bos, Herbert

doi:10.1109/sp.2013.17

Cited by 140 publications

(127 citation statements)

References 16 publications

(24 reference statements)

Supporting

Mentioning

122

Contrasting

Order By: Relevance

“…column gives the number of infections extrapolated as described in Section IV-D. The population estimate is much lower than previously published estimates [27], [33], which suggest the ZeroAccess bot population is between 1.2 to 9 million. However, our estimates are only for the 976 binaries we obtained and know to engage in Bitcoin mining for specific wallets.…”

Section: B Zeroaccessmentioning

confidence: 75%

Botcoin: Monetizing Stolen Cycles

Huang

Dharmdasani

Meiklejohn

et al. 2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-At the current stratospheric value of Bitcoin, miners with access to significant computational horsepower are literally printing money. For example, the first operator of a USD $1,500 custom ASIC mining platform claims to have recouped his investment in less than three weeks in early February 2013, and the value of a bitcoin has more than tripled since then. Not surprisingly, cybercriminals have also been drawn to this potentially lucrative endeavor, but instead are leveraging the resources available to them: stolen CPU hours in the form of botnets. We conduct the first comprehensive study of Bitcoin mining malware, and describe the infrastructure and mechanism deployed by several major players. By carefully reconstructing the Bitcoin transaction records, we are able to deduce the amount of money a number of mining botnets have made.

show abstract

Section: B Zeroaccessmentioning

confidence: 75%

Botcoin: Monetizing Stolen Cycles

Huang

Dharmdasani

Meiklejohn

et al. 2014

Proceedings 2014 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Botmasters have utilized the resilience offered by P2P networks to build botnets wherein bots communicate, pass on commands and update other bots in a P2P fashion [14]. Just as a P2P network is resilient to break-down if a few peers leave the network, P2P botnets have proven to be highly resilient even if a certain number of bots are identified and taken-down [15], [16].…”

Section: Introductionmentioning

confidence: 99%

PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations

Narang

Ray

Hota

et al. 2014

2014 IEEE Security and Privacy Workshops

View full text Add to dashboard Cite

Abstract-The decentralized nature of Peer-to-Peer (P2P) botnets makes them difficult to detect. Their distributed nature also exhibits resilience against take-down attempts. Moreover, smarter bots are stealthy in their communication patterns, and elude the standard discovery techniques which look for anomalous network or communication behavior. In this paper, we propose PeerShark, a novel methodology to detect P2P botnet traffic and differentiate it from benign P2P traffic in a network. Instead of the traditional 5-tuple 'flow-based' detection approach, we use a 2-tuple 'conversation-based' approach which is port-oblivious, protocol-oblivious and does not require Deep Packet Inspection. PeerShark could also classify different P2P applications with an accuracy of more than 95%.

show abstract

“…Unlike with BotProfiler, controlling the false positive rate is generally difficult with these anomaly-based systems, and they are also difficult to deploy in a large and real network. Rossow et al proposed a method to observe and model P2P botnets such as Zeus, ZeroAccess, and Kelihos [25]. Also, Zhang et al proposed a method to detect such P2P botnet activities in a network [26].…”

Section: Modeling and Detecting Botnetsmentioning

confidence: 99%

BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure

Chiba

Yagi

Akiyama

et al. 2016

IEICE Trans. Commun.

View full text Add to dashboard Cite

SUMMARY Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating networkbased signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

show abstract

SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets

Cited by 140 publications

References 16 publications

Botcoin: Monetizing Stolen Cycles

Botcoin: Monetizing Stolen Cycles

PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations

BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure

Contact Info

Product

Resources

About