
Detecting P2P botnets by discovering flow dependency in C&C traffic

Published in: Peer-to-Peer Networking and Applications

Abstract

Botnets are widely used by attackers, and they have evolved from centralized structures to distributed ones. Most modern P2P bots launch attacks in a stealthy way, so detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bot information provided by external systems. It detects P2P bots by focusing on the intrinsic characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots from normal hosts by a clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate.
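As an added illustration (not the paper's code, and not the paper's definition of flow dependency), the Python below models one assumed notion of flow dependency: a host's flow to a new peer that starts within a short window after its previous flow ends, as a bot walking a peer list would produce. Per-host features are then separated with a plain two-cluster k-means; all hosts, addresses and flow records are constructed.

```python
from collections import defaultdict

def make_flows():
    """Constructed NetFlow-like records (start, end, src_host, dst_peer); not real traffic."""
    flows = []
    for h in ("10.0.0.5", "10.0.0.9"):      # assumed bot-like hosts walking a peer list:
        t = 0.0                              # each flow goes to a new peer 1 s after the last ends
        for i in range(12):
            flows.append((t, t + 2.0, h, f"198.51.100.{i + 1}"))
            t += 3.0
    for h in ("10.0.0.2", "10.0.0.3"):      # assumed benign hosts: two servers, long gaps
        t = 0.0
        for i in range(6):
            flows.append((t, t + 5.0, h, f"203.0.113.{i % 2 + 1}"))
            t += 60.0
    return flows

def flow_dependency_features(flows, window=5.0):
    """Per host -> (dependency ratio, distinct peers). Assumed rule: a flow depends on the
    previous flow if it targets a different peer and starts within `window` s after it ends."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f[2]].append(f)
    feats = {}
    for host, fl in by_host.items():
        fl.sort()
        dep = sum(1 for p, c in zip(fl, fl[1:])
                  if p[3] != c[3] and 0.0 <= c[0] - p[1] <= window)
        feats[host] = (dep / max(len(fl) - 1, 1), len({f[3] for f in fl}))
    return feats

def two_means(feats, iters=20):
    """Plain 2-means on (ratio, peers / max peers); returns (low, high) dependency clusters."""
    max_peers = max(p for _, p in feats.values()) or 1
    vec = {h: (r, p / max_peers) for h, (r, p) in feats.items()}
    cents = [min(vec.values()), max(vec.values())]  # deterministic seeds: extreme points
    for _ in range(iters):
        groups = [[], []]
        for h, v in vec.items():
            k = min((0, 1), key=lambda i: (v[0] - cents[i][0]) ** 2 + (v[1] - cents[i][1]) ** 2)
            groups[k].append(h)
        new = [(sum(vec[h][0] for h in g) / len(g), sum(vec[h][1] for h in g) / len(g))
               if g else c for g, c in zip(groups, cents)]
        if new == cents:
            break
        cents = new
    return sorted(groups[0]), sorted(groups[1])

def detect_p2p_bots(flows):            # high-dependency cluster: candidates for analyst review
    return two_means(flow_dependency_features(flows))[1]
```

Hosts in the high-dependency cluster are leads for investigation, not verdicts; on real traces the window and features would need tuning against known-benign baselines.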




Acknowledgements

This paper is supported in part by the Key Project of Tianjin: 11jczdjc28100. The authors would like to thank the network center of Tianjin Polytechnic University for providing us with an environment in which to capture data, and the editor and reviewers for their hard work.

Corresponding author

Correspondence to Hongling Jiang.

Cite this article

Jiang, H., Shao, X. Detecting P2P botnets by discovering flow dependency in C&C traffic. Peer-to-Peer Netw. Appl. 7, 320–331 (2014). https://doi.org/10.1007/s12083-012-0150-x
