
BotSuer: Suing Stealthy P2P Bots in Network Traffic through Netflow Analysis

  • Conference paper
Cryptology and Network Security (CANS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8257)

Abstract

A large proportion of modern botnets are currently shifting towards structured overlay topologies, using P2P protocols, for command and control. These topologies provide better resilience against detection and takedown because they avoid single points of failure in the botnet architecture. Yet current state-of-the-art techniques to detect P2P bots mostly rely on swarm effects: they detect bots only when there are multiple infected nodes belonging to the same botnet inside a network perimeter. Consequently, they cannot detect botnets that use public P2P networks, such as the TDSS malware using Kad, let alone botnets that encapsulate P2P overlays within HTTP traffic, such as Waledac, or that hide behind the Tor network.

In this paper, we propose a new and fully behavioral approach to detect P2P bots inside a network perimeter. Our approach observes only high-level malware traffic features, with no need for deep packet inspection. We run samples of P2P malware inside a sandbox and collect statistical features about the malware traffic. We then use machine learning techniques, first to clean the feature set by discarding benign-like malware P2P behavior, and second to build an appropriate detection model. Our experimental results show that we are able to accurately detect single infected P2P bots while also achieving a very low false positive rate.
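To make the "high-level traffic features, no deep packet inspection" idea concrete, the following added example (not code from the paper or its authors) aggregates constructed NetFlow-style records into per-host statistical features of the kind a P2P-bot classifier could be trained on. The feature names, the record layout and the 200-octet "small flow" threshold are illustrative assumptions, not the paper's feature set.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as exported by NetFlow (assumed field subset)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    packets: int
    octets: int


# Assumption: flows at or below this size look like P2P keep-alives or DHT lookups.
SMALL_FLOW_OCTETS = 200

# Fixed feature order so every host yields a vector of the same shape for a classifier.
FEATURE_NAMES = ("flows", "distinct_peers", "peer_ratio", "udp_fraction",
                 "small_flow_fraction", "mean_octets", "mean_packets")

# Constructed sample: 10.0.0.5 fans out to many peers with tiny UDP flows,
# 10.0.0.7 talks to two web servers with large TCP flows.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "udp", 8000, 1, 60),
    Flow("10.0.0.5", "198.51.100.20", "udp", 8000, 1, 60),
    Flow("10.0.0.5", "192.0.2.30", "udp", 4444, 2, 130),
    Flow("10.0.0.5", "203.0.113.11", "tcp", 80, 5, 820),
    Flow("10.0.0.7", "203.0.113.50", "tcp", 443, 40, 30200),
    Flow("10.0.0.7", "203.0.113.50", "tcp", 443, 25, 19800),
    Flow("10.0.0.7", "203.0.113.51", "tcp", 80, 12, 6100),
]


def host_features(flows, small_octets=SMALL_FLOW_OCTETS):
    """Group flows by source host and compute per-host statistics from headers only."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    features = {}
    for src, fl in by_src.items():
        n = len(fl)
        peers = {f.dst for f in fl}
        features[src] = {
            "flows": n,
            "distinct_peers": len(peers),
            "peer_ratio": len(peers) / n,                      # high for peer churn
            "udp_fraction": sum(f.proto == "udp" for f in fl) / n,
            "small_flow_fraction": sum(f.octets <= small_octets for f in fl) / n,
            "mean_octets": sum(f.octets for f in fl) / n,
            "mean_packets": sum(f.packets for f in fl) / n,
        }
    return features


def feature_vector(host_feats):
    """Flatten one host's feature dict into a tuple ordered by FEATURE_NAMES."""
    return tuple(float(host_feats[name]) for name in FEATURE_NAMES)
```

The vectors returned by `feature_vector` are the kind of input that the sandbox-collected malware traffic and benign traffic would supply to the feature-cleaning and model-building steps the abstract describes.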



Copyright information

© 2013 Springer International Publishing Switzerland

About this paper

Cite this paper

Kheir, N., Wolley, C. (2013). BotSuer: Suing Stealthy P2P Bots in Network Traffic through Netflow Analysis. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds) Cryptology and Network Security. CANS 2013. Lecture Notes in Computer Science, vol 8257. Springer, Cham. https://doi.org/10.1007/978-3-319-02937-5_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-02937-5_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-02936-8

  • Online ISBN: 978-3-319-02937-5

  • eBook Packages: Computer Science (R0)
