The cyber-criminal compromises end-hosts(bots)to configure a network of bots(botnet).The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as P...The cyber-criminal compromises end-hosts(bots)to configure a network of bots(botnet).The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as Peer-to-Peer(P2P)networks.The P2P botnets leverage the privileges of the decentralized nature of P2P networks.Consequently,the P2P botnets exploit the resilience of this architecture to be arduous against take-down procedures.Some P2P botnets are smarter to be stealthy in their Commandand-Control mechanisms(C2)and elude the standard discovery mechanisms.Therefore,the other side of this cyberwar is the monitor.The P2P botnet monitoring is an exacting mission because the monitoring must care about many aspects simultaneously.Some aspects pertain to the existing monitoring approaches,some pertain to the nature of P2P networks,and some to counter the botnets,i.e.,the anti-monitoring mechanisms.All these challenges should be considered in P2P botnet monitoring.To begin with,this paper provides an anatomy of P2P botnets.Thereafter,this paper exhaustively reviews the existing monitoring approaches of P2P botnets and thoroughly discusses each to reveal its advantages and disadvantages.In addition,this paper groups the monitoring approaches into three groups:passive,active,and hybrid monitoring approaches.Furthermore,this paper also discusses the functional and non-functional requirements of advanced monitoring.In conclusion,this paper ends by epitomizing the challenges of various aspects and gives future avenues for better monitoring of P2P botnets.展开更多
Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays.Current methods for detecting P2P ...Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays.Current methods for detecting P2P botnets,such as similarity analysis of network behavior and machine-learning based classification,cannot handle the challenges brought about by different network scenarios and botnet variants.We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase.In this paper,we propose a novel detection model named detection by mining regional periodicity (DMRP),including capturing the event time series,mining the hidden periodicity of host behaviors,and evaluating the mined periodic patterns to identify P2P bot traffic.As our detection model is built based on the basic properties of P2P protocols,it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C.For hidden periodicity mining,we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem.The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.展开更多
基金This work was supported by the Ministry of Higher Education Malaysia’s Fundamental Research Grant Scheme under Grant FRGS/1/2021/ICT07/USM/03/1.
文摘The cyber-criminal compromises end-hosts(bots)to configure a network of bots(botnet).The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as Peer-to-Peer(P2P)networks.The P2P botnets leverage the privileges of the decentralized nature of P2P networks.Consequently,the P2P botnets exploit the resilience of this architecture to be arduous against take-down procedures.Some P2P botnets are smarter to be stealthy in their Commandand-Control mechanisms(C2)and elude the standard discovery mechanisms.Therefore,the other side of this cyberwar is the monitor.The P2P botnet monitoring is an exacting mission because the monitoring must care about many aspects simultaneously.Some aspects pertain to the existing monitoring approaches,some pertain to the nature of P2P networks,and some to counter the botnets,i.e.,the anti-monitoring mechanisms.All these challenges should be considered in P2P botnet monitoring.To begin with,this paper provides an anatomy of P2P botnets.Thereafter,this paper exhaustively reviews the existing monitoring approaches of P2P botnets and thoroughly discusses each to reveal its advantages and disadvantages.In addition,this paper groups the monitoring approaches into three groups:passive,active,and hybrid monitoring approaches.Furthermore,this paper also discusses the functional and non-functional requirements of advanced monitoring.In conclusion,this paper ends by epitomizing the challenges of various aspects and gives future avenues for better monitoring of P2P botnets.
基金Project (Nos.61170286 and 61202486) supported by the National Natural Science Foundation of China
文摘Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays.Current methods for detecting P2P botnets,such as similarity analysis of network behavior and machine-learning based classification,cannot handle the challenges brought about by different network scenarios and botnet variants.We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase.In this paper,we propose a novel detection model named detection by mining regional periodicity (DMRP),including capturing the event time series,mining the hidden periodicity of host behaviors,and evaluating the mined periodic patterns to identify P2P bot traffic.As our detection model is built based on the basic properties of P2P protocols,it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C.For hidden periodicity mining,we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem.The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.
