Storm botnet


To receive news and publication updates for The Scientific World Journal, enter your email address in the box below. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Botnets are a serious security threat to the Internet infrastructure. In this paper, we propose a novel direction for P2P botnet detection called node-based detection. This approach focuses on the network characteristics of individual nodes.

Comparison with other similar approaches on the same data sets shows that our approach outperforms the existing approaches.

Botnets are groups of computers which are linked to each other through similar network processes which perform coordinated tasks like information crawling, Internet Relay Chatting (IRC), and information sharing.

While botnets can be used for benign purposes, over the past decade, there has been a drastic increase in the number of malicious botnets [1] which have become a serious concern to the security of Internet applications and networking infrastructure.

To build a malicious botnet, the attacker, known as the botmaster, uses one or more central servers to compromise and acquire control of vulnerable computers using malware. The botmaster uses these channels to deliver additional malware and instructions to the bots for launching different kinds of attacks. Malicious botnets are capable of a wide range of attacks including spam, keystroke logging, packet sniffing, DoS attacks, and identifying new targets for enlisting in the botnet, among others [2–6].

This botnet is operating in a centralized mode; that is, one or two servers control the bots in the network. To increase resiliency to detection, recent botnets are built using peer-to-peer networking principles where any node can act as a client as well as a server. In this paper, we focus on the problem of detecting P2P bots in a distributed network. As shown in Figure 3, even if some bots are blocked by firewalls, the botmaster can continue communication with these bots along alternate routing paths as long as the blocked nodes are connected to at least one other P2P bot.

This implies that it is essential to detect the bots in a systematic and comprehensive manner. Furthermore, the malware programs used in P2P bots are typically self-propagating, which helps in discovering new peers, and mutating as well, to avoid signature-based detection. Due to their resilience, P2P botnets represent a major threat to the Internet applications and infrastructure.

Therefore, to safeguard the Internet from strategic attacks, there is an urgent need to devise solutions to detect P2P bots and render the P2P botnets ineffective. The existing approaches for P2P botnet detection can be broadly classified into signature-based [7–13] and flow-based detection [14, 15, 15–18]. Signature-based P2P bot detection is based on inspecting each packet in the network traffic, entering or leaving the Internet gateway of the network, for the presence of special features such as port numbers, byte sequences in the payload, and blacklisted IP addresses.

These special features, known as signatures, are extracted from known botnet infections in the past and stored in a signature database. While signature-based detection has a good detection rate and is easily deployed, it has two major limitations.

First, it is deterministic and relies only on detecting known botnet infections and cannot detect unknown bots. Even known bots can evade signature detection by changing ports of communication or using packet payload encryption to hide the bot-specific features. Second, inspection of each packet results in performance degradation, especially when the traffic consists of a large amount of benign data.

Flow-analysis-based bot detection examines network flows between two nodes, where a flow is defined as a set of packets which have the same source address, source port, destination address, and destination port.

The intuition in these approaches is that the flow features, such as the count of the packets in the flow, the order of the packet arrivals, and the interval between packets, can model the botnet communication patterns more accurately than direct packet inspection.

The extracted features are used to construct a classifier that can differentiate normal flows and malicious bot flows. Since classifiers use statistical profiling, flow-based analysis is capable of detecting unknown bots which exhibit behavioral similarities to known bots.

However, flow-based techniques suffer from two key limitations. First, there are several flows between any two network nodes which need to be analyzed and, usually, most of these flows belong to normal network processes. Second, the flow features need to be extracted at runtime, which implies that flow-based analysis requires computational overhead at runtime.

At any given instant, there are a significant number of flows in the network, which exaggerates the impact of these limitations further.

In this paper, we describe a novel P2P bot detection approach, called node-based bot detection, in which we analyze the network profile of nodes to detect bot characteristics. A sample network profile of a node may comprise the different protocols used by the node, the number of flows in a particular time period, packet statistics, and so on.

Our approach is based on the intuition that P2P bots exhibit a distinct network profile due to the various P2P network maintenance related tasks they are required to perform.

A P2P bot will be more active in communicating with other P2P bots and handling various instructions related to control and command. Based on these observations, our approach consists of identifying and quantifying the network profile features that are typical of a P2P bot. The final network profile of a node is a combination of the features typical of P2P bots and the features observed from the network flows at the node. Finally, we use machine-learning-based classification techniques to detect whether the network profile of a node corresponds to the network profile of a P2P bot.

There are several technical challenges in our approach. First, the process of constant flow monitoring at a node results in a major computational and storage overhead. We address this issue by using a sampling approach, wherein we periodically sample a network flow at different time intervals. Although sampling may not detect the same number of bots as those detected by constant flow monitoring in the same time interval, due to the cyclic nature of P2P botnets, the sampling approach eventually detects all the bots in the P2P botnet.

Second, quantifying the network profile of P2P bots is nontrivial, as different botnets exhibit different semantics and use variable protocols. To address this concern, we abstract and model the general network features of a P2P botnet using the profiles of a few existing P2P botnets.

We focus on the communication patterns of P2P botnets and do not consider the individual protocol and payload features. By avoiding payload inspection, we are able to overcome the difficulty of handling encrypted payloads and also avoid compromising the privacy of individual users. We combine these unique bot-specific features with the flow statistics of the node to obtain the network profile of the node. Third, differentiating between the behavior of a normal node and a P2P bot is a complex problem.

Towards this, we use machine learning techniques to cluster and classify the collected network profile features. We use the decision tree technique because of its efficiency and ease of implementation. To evaluate our approach, we use real-life data sets which contain a mix of malicious and nonmalicious data. We ensure that the nonmalicious data dominates the malicious content in order to estimate the sensitivity of our approach.

The key contributions of our work are as follows. Our approach is a significant deviation from the signature-based and flow-based detection approaches. Our abstraction technique avoids dealing with issues like packet encryption and user privacy.

We also show that existing state-of-the-art techniques perform poorly on the same data set when compared to our approach. In Section 2, we describe the related research in this domain. In Section 3, we describe our node-based detection approach. In Section 4, we perform a detailed evaluation of our approach. We compare our scheme with other existing approaches in this domain.

We summarize our paper and describe future directions in Section 5.

Signature-based bot detection has been widely studied [7–13]. This approach is effective for detecting known bots, for example, Phatbot. The utility of signature-based methods is limited, as they are not capable of detecting unknown bots or variants of known bots. In the current Internet scenario, the number of new bot variants is increasing rapidly, necessitating more adaptive approaches for bot detection.

Flow-based analysis for bot detection has a better detection rate. These techniques [14, 15] were proposed to model a wider range of bot behaviors than those covered in signature-based techniques. This system consists of multiple stages. However, the observed false positive rate is still very high. However, a botnet can easily evade this mechanism if it rarely uses DNS at its initialization and limits or avoids DNS usage at later stages.

However, this approach suffers from high performance and storage overhead while achieving similar detection accuracy as earlier approaches.

However, this model cannot achieve desirable detection accuracy when deployed in a large-scale network environment. The proposed method is unreliable or ineffective if only a single infected machine is present on the network. To the best of our knowledge, there has been no research focusing on the application of node-based analysis for P2P bot detection. The node-based approach has distinct advantages that separate it from signature-based and flow-based techniques.

In this section, we describe our node-based P2P bot detection approach. Our approach consists of four important steps: P2P bot quantification, efficient flow monitoring, classification, and evaluation. Using this model, we identify the features to quantify a P2P bot. In our node-based P2P bot detection approach, we monitor the communication flows at every node in the network to check for bot infection.

Since each flow can exhibit many features, it is important to identify and isolate features which are unique to P2P bots. Our model of P2P bots is based on two key observations. First, since a P2P bot is part of a P2P network, it exhibits the communication behavior of a normal P2P node but with some distinguishable differences. Second, a P2P bot exhibits different types of network activity compared to regular P2P nodes. Using these observations, we identify several important features of a P2P bot.

We group these features into two categories, P2P bot communication model and P2P bot behavior model, respectively, and describe them as follows. In a P2P network, a node might attempt to connect to one or more network peers periodically in order to maintain the connection status or to query for data of interest.

A P2P bot performs a similar activity, with the key difference that the P2P bot attempts such connections more actively so as to ensure connectivity across the P2P botnet.

This behavior is uniform across all P2P bots in the P2P botnet. Furthermore, unlike regular P2P communication, where the P2P node attempts connections based on responses received from other peers, the P2P bot attempts to initiate connections proactively.

Therefore, at the beginning of its activity, a bot sends connection requests to other bot nodes according to the peer list. A certain number of such requests fail, because some peers are shut down or not infected.

On the contrary, the success rate is usually high when normal P2P applications send connection requests. Thus, the success rate of connection requests is an important criterion for P2P bot detection. To understand the unique features of P2P botnets, we chose four kinds of real P2P bots available in the wild.

Using a controlled virtual environment, with the help of VMware technology, we analyzed these bots. A summary of the results is shown in Table 1.
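The node profile and the connection success-rate criterion described above can be sketched as follows. This is an added example, not code from the paper: the flow records are constructed, the record layout and the `min_flows`/`max_success` thresholds are assumptions, and a fixed threshold stands in for the classifier the paper trains on the profile features.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flows for one sampling window (not from the paper's data):
# (src_ip, src_port, dst_ip, dst_port, protocol, packets, established)
FLOWS = (
    # Regular P2P client: 4 of 5 outgoing connections succeed.
    [("10.0.0.5", 40000 + i, f"198.51.100.{i + 1}", 6881, "tcp", 40, i != 0) for i in range(5)]
    # Bot-like node walking a stale peer list: 2 of 8 succeed.
    + [("10.0.0.9", 50000 + i, f"203.0.113.{i + 1}", 7871, "udp", 3, i < 2) for i in range(8)]
    # Too few flows in this window to judge either way.
    + [("10.0.0.7", 41000 + i, "192.0.2.10", 443, "tcp", 12, False) for i in range(2)]
)


@dataclass
class NodeProfile:
    """Per-node features: flow count, packet count, protocols, peers, successes."""
    flows: int = 0
    packets: int = 0
    established: int = 0
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)

    @property
    def success_rate(self) -> float:
        return self.established / self.flows if self.flows else 0.0


def build_profiles(flows):
    """Aggregate flows by the node that initiated them (the source address)."""
    profiles = defaultdict(NodeProfile)
    for src, _sport, dst, _dport, proto, packets, established in flows:
        p = profiles[src]
        p.flows += 1
        p.packets += packets
        p.established += int(established)
        p.protocols.add(proto)
        p.peers.add(dst)
    return dict(profiles)


def suspicious_nodes(profiles, min_flows=5, max_success=0.5):
    """Nodes with enough flows to judge whose connection success rate is low.
    Both thresholds are illustrative assumptions, not values from the paper."""
    return sorted(ip for ip, p in profiles.items()
                  if p.flows >= min_flows and p.success_rate <= max_success)


if __name__ == "__main__":
    for ip, p in build_profiles(FLOWS).items():
        print(ip, p.flows, p.packets, sorted(p.protocols), f"{p.success_rate:.2f}")
    print("flagged:", suspicious_nodes(build_profiles(FLOWS)))
```

The `min_flows` guard keeps a node with only a couple of failed connections in the window from being flagged on too little evidence.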
