Reconstruction of C&C channel for P2P botnet

Breaking down botnets has always been a big challenge. In peer-to-peer (P2P) botnets the command and control (C&C) channel is more robust and the botmaster is harder to detect. In this study, the authors proposed a probabilistic method to reconstruct the topology of the C&C channel of P2P botnets. Because the members of a P2P botnet are geographically dispersed, it is not possible to monitor all of them, and the data required by other graph reconstruction methods are not all available. So far, no general method has been introduced to reconstruct the C&C channel topology for all types of P2P botnet. In their method, the probability of a connection between two bots is estimated from the inaccurate receiving times of several cascades, the network model parameters of the C&C channel, and the end-to-end delay distribution of the Internet. The receiving times can be collected by observing the external reaction of bots to commands. Their simulation results show that more than 90% of the edges in a 1000-member network with mean node degree 50 were accurately estimated by collecting the inaccurate receiving times of 22 cascades. When the receiving times of only half of the bots are collected, the same estimation accuracy is obtained with 95 cascades.
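To make the idea concrete, here is an added toy illustration (not the paper's method and not the authors' code): a constructed five-bot overlay, simulated command cascades with an assumed Erlang-2 per-hop delay and Gaussian timing error, and a simplified "most probable parent" vote that credits, for each bot in each cascade, the earlier bot whose time gap best fits the delay model. Pairs credited in enough cascades are reported as edges and scored against the known overlay; the topology, delay parameters and vote threshold are all assumptions.

```python
import heapq, math, random
from collections import Counter

# Constructed toy C&C overlay (undirected): bot -> set of peers it forwards to.
TOPOLOGY = {0: {1, 2}, 1: {0, 3}, 2: {0, 3}, 3: {1, 2, 4}, 4: {3}}
HOP_SCALE = 0.1   # assumed per-hop delay ~ Erlang(2, scale 0.1 s), mean 0.2 s
JITTER = 0.02     # assumed std-dev of the error in observed receiving times

def delay_pdf(d, scale=HOP_SCALE):
    """Assumed per-hop delay density (Erlang-2); zero for non-positive gaps."""
    return d * math.exp(-d / scale) / scale ** 2 if d > 0 else 0.0

def simulate_cascade(topology, seed_bot, rng):
    """Flood one command from seed_bot; return noisy receiving times per bot."""
    times, heap = {seed_bot: 0.0}, [(0.0, seed_bot)]
    while heap:                      # first-arrival propagation (Dijkstra)
        t, u = heapq.heappop(heap)
        if t > times[u]:
            continue
        for v in topology[u]:
            tv = t + rng.gammavariate(2.0, HOP_SCALE)
            if tv < times.get(v, math.inf):
                times[v] = tv
                heapq.heappush(heap, (tv, v))
    return {b: t + rng.gauss(0.0, JITTER) for b, t in times.items()}

def vote_parents(cascades):
    """Per cascade and per bot, credit the earlier bot whose time gap is most
    probable under delay_pdf; returns vote counts per unordered bot pair."""
    votes = Counter()
    for times in cascades:
        order = sorted(times, key=times.get)
        for k, child in enumerate(order[1:], 1):
            parent = max(order[:k], key=lambda p: delay_pdf(times[child] - times[p]))
            votes[frozenset((parent, child))] += 1
    return votes

def reconstruct(cascades, min_votes):
    """Keep the pairs credited in at least min_votes cascades."""
    return {pair for pair, n in vote_parents(cascades).items() if n >= min_votes}

def precision_recall(predicted, topology):
    truth = {frozenset((u, v)) for u in topology for v in topology[u]}
    hits = len(predicted & truth)
    return hits / max(len(predicted), 1), hits / len(truth)

if __name__ == "__main__":
    rng = random.Random(7)
    runs = [simulate_cascade(TOPOLOGY, rng.choice(sorted(TOPOLOGY)), rng) for _ in range(40)]
    edges = reconstruct(runs, min_votes=len(runs) // 5)
    print("precision %.2f recall %.2f" % precision_recall(edges, TOPOLOGY))
```

Because the delay density peaks away from zero, the nearest-in-time predecessor is not always chosen; that is the role the end-to-end delay distribution plays in the abstract's method, here in a much cruder form.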

Inspec keywords: network theory (graphs); Internet; invasive software; computer network security; peer-to-peer computing; probability; graph theory

Other keywords: probabilistic method; botmaster detection; network model parameters; peer-to-peer botnets; end-to-end delay distribution; P2P botnet members; C&C channel topology; command and control channels; 1000-member network; graph reconstruction methods; Internet; geographic dispersion

Subjects: Other computer networks; Computer communications; Other topics in statistics; Combinatorial mathematics; Data security

http://iet.metastore.ingenta.com/content/journals/10.1049/iet-com.2018.5286