Abstract
A bot-net is a network of infected hosts (bots) that operate under the control of a botmaster (bot herder), who issues commands to the bots through command and control (C&C) servers. Bot-net architectures have evolved over time to evade detection and disruption. Traditionally, bot-nets used a centralized client-server architecture, which has a single point of failure; with the advent of peer-to-peer technology, that single point of failure appears to have been removed. Taking advantage of the decentralized nature of the P2P architecture, botmasters started using P2P-based communication mechanisms. P2P bot-nets are highly resilient against detection and remain operational even after some bots are identified or taken down. P2P bot-nets provide a central framework for a range of cyber-crimes, including DDoS (Distributed Denial of Service), email spam, phishing, and password sniffing. In this paper, we propose PeerClear, an approach for identifying P2P bot-nets using network traffic analysis. PeerClear uses a two-step process for identifying P2P bots: in the first step, the hosts involved in P2P traffic are detected, and in the second step, the detected hosts are further analyzed to identify those belonging to bot-nets. Our evaluation shows that PeerClear outperforms several recent approaches and achieves a high detection rate of 99.85%. We also implement multiple recent approaches reported in the literature and test them on the same dataset to evaluate their relative performance.
Acknowledgement
This work was partially funded by the Science and Engineering Research Board, Government of India.
© 2019 Springer Nature Switzerland AG
Kumar, A., Kumar, N., Handa, A., Shukla, S.K. (2019). PeerClear: Peer-to-Peer Bot-net Detection. In: Dolev, S., Hendler, D., Lodha, S., Yung, M. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2019. Lecture Notes in Computer Science, vol 11527. Springer, Cham. https://doi.org/10.1007/978-3-030-20951-3_24
DOI: https://doi.org/10.1007/978-3-030-20951-3_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-20950-6
Online ISBN: 978-3-030-20951-3