Conference Paper

Measuring the effectiveness of infrastructure-level detection of large-scale botnets.

Univ. of Michigan, Ann Arbor, MI, USA
DOI: 10.1109/IWQOS.2011.5931312 Conference: 19th International Workshop on Quality of Service, IWQoS 2011, San Jose, California, USA, 6-7 June 2011.
Source: DBLP

ABSTRACT Botnets are one of the most serious security threats to the Internet and its end users. In recent years, utilizing P2P as a Command and Control (C&C) protocol has become popular due to its decentralized nature that can help hide the botmaster's identity. Most bot detection approaches targeting P2P botnets either rely on behavior monitoring or traffic flow and packet analysis, requiring fine-grained information collected locally. This requirement limits the scale of detection. In this paper, we consider detection of P2P botnets at a high-level - the infrastructure level-by exploiting their structural properties from a graph analysis perspective. Using three different P2P overlay structures, we measure the effectiveness of detecting each structure at various locations (the Autonomous System (AS), the Point of Presence (PoP), and the router rendezvous) in the Internet infrastructure.

0 Followers
 · 
98 Views
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: In recent years, the Internet has enabled access to widespread remote services in the distributed computing environment; however, integrity of data transmission in the distributed computing platform is hindered by a number of security issues. For instance, the botnet phenomenon is a prominent threat to Internet security, including the threat of malicious codes. The botnet phenomenon supports a wide range of criminal activities, including distributed denial of service (DDoS) attacks, click fraud, phishing, malware distribution, spam emails, and building machines for illegitimate exchange of information/materials. Therefore, it is imperative to design and develop a robust mechanism for improving the botnet detection, analysis, and removal process. Currently, botnet detection techniques have been reviewed in different ways; however, such studies are limited in scope and lack discussions on the latest botnet detection techniques. This paper presents a comprehensive review of the latest state-of-the-art techniques for botnet detection and figures out the trends of previous and current research. It provides a thematic taxonomy for the classification of botnet detection techniques and highlights the implications and critical aspects by qualitatively analyzing such techniques. Related to our comprehensive review, we highlight future directions for improving the schemes that broadly span the entire botnet detection research field and identify the persistent and prominent research challenges that remain open.
    Journal of Zhejiang University: Science C 11/2014; 15(11). DOI:10.1631/jzus.C1300242 · 0.38 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: Botnets, which are networks formed by malware-compromised machines, have become a serious threat to the Internet. Such networks have been created to conduct large-scale illegal activities, even jeopardizing the operation of private and public services in several countries around the world. Although research on the topic of botnets is relatively new, it has been the subject of increasing interest in recent years and has spawned a growing number of publications. However, existing studies remain somewhat limited in scope and do not generally include recent research and developments. This paper presents a comprehensive review that broadly discusses the botnet problem, briefly summarizes the previously published studies and supplements these with a wide ranging discussion of recent works and solution proposals spanning the entire botnet research field. This paper also presents and discusses a list of the prominent and persistent research problems that remain open.
    Computer Networks 02/2013; 57(2):378–403. DOI:10.1016/j.comnet.2012.07.021 · 1.28 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: In order to evade detection of ever-improving defense techniques, modern botnet masters are constantly looking for new communication platforms for delivering C&C (Command and Control) information. Attracting their attention is the emergence of online social networks such as Twitter, as the information dissemination mechanism provided by these networks can naturally be exploited for spreading botnet C&C information, and the enormous amount of normal communications co-existing in these networks makes it a daunting task to tease out botnet C&C messages.Against this backdrop, we explore graph-theoretic techniques that aid effective monitoring of potential botnet activities in large open online social networks. Our work is based on extensive analysis of a Twitter dataset that contains more than 40 million users and 1.4 billion following relationships, and mine patterns from the Twitter network structure that can be leveraged for improving efficiency of botnet monitoring. Our analysis reveals that the static Twitter topology contains a small-sized core sugraph, after removing which, the Twitter network breaks down into small connected components, each of which can be handily monitored for potential botnet activities. Based on this observation, we propose a method called Peri-Watchdog, which computes the core of a large online social network and derives the set of nodes that are likely to pass botnet C&C information in the periphery of online social network. We analyze the time complexity of Peri-Watchdog under its normal operations. We further apply Peri-Watchdog on the Twitter graph injected with synthetic botnet structures and investigate the effectiveness of Peri-Watchdog in detecting potential C&C information from these botnets.To verify whether patterns observed from the static Twitter graph are common to other online social networks, we analyze another online social network dataset, BrightKite, which contains evolution of social graphs formed by its users in half a year. We show not only that there exists a similarly relatively small core in the BrightKite network, but also this core remains stable over the course of BrightKite evolution. We also find that to accommodate the dynamic growth of BrightKite, the core has to be updated about every 18 days under a constrained monitoring capacity.
    Computer Networks 02/2013; 57(2):540–555. DOI:10.1016/j.comnet.2012.07.016 · 1.28 Impact Factor

Preview

Download
1 Download
Available from