
Behavioral fine-grained detection and classification of P2P bots

  • Original Paper
  • Journal of Computer Virology and Hacking Techniques

Abstract

Modern botnets are increasingly shifting towards overlay networks, using peer-to-peer (P2P) protocols, for command and control (C&C). P2P botnets are robust against detection and takedown as they avoid single points of failure, and mostly use custom encrypted C&C communications. Pattern-based signatures are also inappropriate, since they cannot efficiently detect malware that uses benign P2P applications such as Kademlia and Overnet. This paper presents PeerMinor, a fully behavioral system that detects and classifies P2P bots inside corporate networks. PeerMinor learns the behavior of known malware and benign P2P applications in order to detect P2P bots and provide security administrators with a correct diagnosis of ongoing malware infections. PeerMinor operates in two phases, learning and detection. In the learning phase, it processes known malware and benign P2P traffic in order to build a two-stage classifier. In the first stage, PeerMinor uses supervised learning in order to build a detection model that separates malicious and benign P2P network activity. In the second stage, it builds a one-class classifier for each known P2P malware family, and uses these classifiers to associate detected P2P bots with a known malware family where possible, thus providing better situational awareness for system administrators. During detection, PeerMinor processes network traffic using its learning-based model in order to detect P2P bots. To the best of our knowledge, PeerMinor is the first behavioral system that goes beyond simple detection in order to provide an accurate diagnosis about ongoing malware infections. Experimental results prove that PeerMinor achieves both scalability and accuracy. It uses only network features with no need for pattern-based signatures, which can be easily evaded by botnet herders.
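The two-stage design described in the abstract (a supervised malicious-versus-benign model, followed by one one-class model per malware family) can be illustrated with a small self-contained classifier. The code below is an added example, not PeerMinor's own implementation: the feature set, the training vectors and the host names are constructed for illustration, and the learners are deliberately simple stand-ins (a nearest-centroid rule for stage one, and a centroid-plus-acceptance-radius rule for each family's one-class model) rather than the paper's actual algorithms. What it does show is the structural point the abstract makes: a host is only ever assigned to a family if stage one already flagged it as malicious, and a malicious host that fits none of the known families is reported as such instead of being forced into the nearest one.

```python
import math

# Feature order for every vector below (constructed for this example, not the
# paper's feature set): distinct peers contacted per hour, mean bytes per flow,
# fraction of flows that never received a reply (failed connection attempts).
# Only flow-level counters are used; no payload inspection, so encrypted C&C
# does not matter to the model.
FEATURES = ("peers_per_hour", "mean_bytes_per_flow", "failed_ratio")

# Constructed training data: label -> list of feature vectors. "benign" stands
# for a legitimate file-sharing client; the two families are hypothetical.
TRAINING = {
    "benign":   [(420, 51000, 0.05), (380, 47000, 0.08),
                 (510, 62000, 0.04), (450, 55000, 0.06)],
    "family_a": [(60, 900, 0.35), (55, 850, 0.40),
                 (70, 950, 0.33), (65, 880, 0.38)],
    "family_b": [(140, 300, 0.60), (150, 280, 0.65),
                 (130, 320, 0.58), (145, 290, 0.62)],
}


def _column_stats(vectors):
    """Per-feature mean and (population) standard deviation for z-scoring."""
    n = len(vectors)
    means = [sum(v[i] for v in vectors) / n for i in range(len(FEATURES))]
    stds = []
    for i in range(len(FEATURES)):
        var = sum((v[i] - means[i]) ** 2 for v in vectors) / n
        stds.append(math.sqrt(var) or 1.0)   # guard against a constant column
    return means, stds


def _scale(v, means, stds):
    return [(x - m) / s for x, m, s in zip(v, means, stds)]


def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def _centroid(vectors):
    n = len(vectors)
    return [sum(v[i] for v in vectors) / n for i in range(len(vectors[0]))]


class TwoStageClassifier:
    """Stage 1: benign vs malicious. Stage 2: one-class model per family."""

    def __init__(self, training, slack=1.5):
        all_vectors = [v for vs in training.values() for v in vs]
        self.means, self.stds = _column_stats(all_vectors)
        scaled = {label: [_scale(v, self.means, self.stds) for v in vs]
                  for label, vs in training.items()}

        # Stage 1 (supervised, two classes): every non-benign sample is pooled
        # into one "malicious" class; a nearest-centroid rule separates them.
        malicious = [v for lab, vs in scaled.items() if lab != "benign" for v in vs]
        self.benign_centroid = _centroid(scaled["benign"])
        self.malicious_centroid = _centroid(malicious)

        # Stage 2 (one-class per family): each family's model is built only
        # from that family's own samples; the acceptance radius is the largest
        # training distance to the centroid, widened by a slack factor.
        self.families = {}
        for label, vs in scaled.items():
            if label == "benign":
                continue
            c = _centroid(vs)
            radius = max(_dist(v, c) for v in vs) * slack
            self.families[label] = (c, radius)

    def classify(self, vector):
        x = _scale(vector, self.means, self.stds)
        if _dist(x, self.benign_centroid) <= _dist(x, self.malicious_centroid):
            return "benign"
        best = None
        for label, (c, radius) in self.families.items():
            d = _dist(x, c)
            if d <= radius and (best is None or d < best[1]):
                best = (label, d)
        # Malicious but outside every family's radius: report it rather than
        # forcing it into the nearest known family.
        return best[0] if best else "unknown_family"


def diagnose_hosts(observations, training=TRAINING):
    """Map host -> verdict for a dict of host -> feature vector."""
    clf = TwoStageClassifier(training)
    return {host: clf.classify(v) for host, v in observations.items()}


if __name__ == "__main__":
    # Constructed per-host observations (hypothetical host names).
    sample = {
        "ws-01": (400, 50000, 0.06),   # looks like the legitimate client
        "ws-02": (62, 900, 0.36),      # matches family_a
        "ws-03": (142, 300, 0.61),     # matches family_b
        "ws-04": (20, 100, 0.95),      # malicious, but fits no known family
    }
    for host, verdict in diagnose_hosts(sample).items():
        print(f"{host}: {verdict}")
```

The per-family models are trained on their own family's samples only, which is what lets the second stage say "malicious but unrecognised" for a traffic profile that stage one rejects as benign yet no family accepts; a single multi-class model would have no such outcome.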


Notes

  1. http://www.cuckoobox.org/.

  2. http://www.virustotal.com/.

  3. http://www.spywareremove.com/.

  4. RBLS is a free API to check multiple public IP blacklists—http://www.rbls.org/.


Author information

Correspondence to Nizar Kheir.


Cite this article

Kheir, N., Han, X. & Wolley, C. Behavioral fine-grained detection and classification of P2P bots. J Comput Virol Hack Tech 11, 217–233 (2015). https://doi.org/10.1007/s11416-014-0228-5
