CLC number: TP393.08
On-line Access: 2024-08-27
Received: 2023-10-17
Revision Accepted: 2024-05-08
Crosschecked: 2013-08-07
Yong Qiao, Yue-xiang Yang, Jie He, Chuan Tang, Ying-zhi Zeng. Detecting P2P bots by mining the regional periodicity[J]. Journal of Zhejiang University Science C, 2013, 14(9): 682-700.
@article{qiao2013detecting,
  title="Detecting P2P bots by mining the regional periodicity",
  author="Yong Qiao and Yue-xiang Yang and Jie He and Chuan Tang and Ying-zhi Zeng",
  journal="Journal of Zhejiang University Science C",
  volume="14",
  number="9",
  pages="682-700",
  year="2013",
  publisher="Zhejiang University Press \& Springer",
  doi="10.1631/jzus.C1300053"
}
%0 Journal Article
%T Detecting P2P bots by mining the regional periodicity
%A Yong Qiao
%A Yue-xiang Yang
%A Jie He
%A Chuan Tang
%A Ying-zhi Zeng
%J Journal of Zhejiang University Science C
%V 14
%N 9
%P 682-700
%@ 1869-1951
%D 2013
%I Zhejiang University Press & Springer
%R 10.1631/jzus.C1300053
TY  - JOUR
T1  - Detecting P2P bots by mining the regional periodicity
A1  - Yong Qiao
A1  - Yue-xiang Yang
A1  - Jie He
A1  - Chuan Tang
A1  - Ying-zhi Zeng
JO  - Journal of Zhejiang University Science C
VL  - 14
IS  - 9
SP  - 682
EP  - 700
SN  - 1869-1951
Y1  - 2013
PB  - Zhejiang University Press & Springer
DO  - 10.1631/jzus.C1300053
ER  - 
Abstract: Peer-to-peer (P2P) botnets outperform traditional Internet relay chat (IRC) botnets at evading detection and have become a prevailing type of Internet threat. Current methods for detecting P2P botnets, such as similarity analysis of network behavior and machine-learning based classification, cannot cope with the variety of network scenarios and botnet variants. We noticed that one important but neglected characteristic of P2P bots is that, in the command-and-control (C&C) phase, they periodically send requests to update their peer lists or to receive commands from the botmaster. In this paper, we propose a novel detection model named detection by mining regional periodicity (DMRP), which captures the event time series of each host, mines the hidden periodicity of the host's behavior, and evaluates the mined periodic patterns to identify P2P bot traffic. As the model is built on basic properties of P2P protocols, P2P bots can hardly avoid detection as long as their C&C relies on a P2P protocol. For hidden periodicity mining, we introduce regional periodic pattern mining in a time series and present algorithms that solve the mining problem. Experimental evaluation on public datasets shows that the algorithms are promising for efficient P2P bot detection in the C&C phase.
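The three stages named in the abstract (capturing a host's event time series, mining its hidden periodicity, and evaluating the mined pattern region by region) are illustrated below as an added, self-contained Python sketch. It is not the paper's DMRP implementation and does not reproduce its algorithms: the period-support score, the tolerance, the thresholds and window sizes, and the request timestamps of the two hosts are all assumptions constructed for this example. The bot-like host beacons every 30 s with 1 s of jitter during the first 600 s of a 1200 s capture and is irregular afterwards, so its periodicity is regional; the benign host has only irregular, user-driven requests.

```python
"""Toy regional-periodicity miner over per-host request timestamps (seconds).

Added example, not the paper's DMRP code. Scoring rule, tolerance, thresholds,
window sizes and all sample timestamps below are assumptions for illustration.
"""


def build_event_series(timestamps, window_start, window_len, bin_size=1.0):
    """Stage 1: binary event series for one region of the capture.
    series[b] == 1 if the host made at least one request in bin b of
    [window_start, window_start + window_len)."""
    n = int(window_len // bin_size)
    series = [0] * n
    for t in timestamps:
        b = int((t - window_start) // bin_size)
        if 0 <= b < n:
            series[b] = 1
    return series


def period_support(series, period, tol):
    """Fraction of events that are followed by another event `period` bins
    later (+/- tol bins). Events whose successor would fall past the end of
    the region are left out of the denominator."""
    n = len(series)
    hits = checkable = 0
    for b in (i for i, v in enumerate(series) if v):
        j = b + period
        if j >= n:
            continue
        checkable += 1
        if any(series[max(0, j - tol):min(n, j + tol + 1)]):
            hits += 1
    return hits / checkable if checkable else 0.0


def mine_period(series, min_period=5, max_period=120, tol=2,
                min_support=0.75, min_events=5):
    """Stage 2: (period, support) of the smallest period whose support reaches
    min_support and is a local maximum within +/- tol, else (None, 0.0).
    The smallest local peak is taken because p +/- 1 inherit support from the
    tolerance window and every multiple of the true period (60, 90, ... for a
    30 s beacon) also scores highly."""
    if sum(series) < min_events:  # too few events to call anything periodic
        return None, 0.0
    support = {p: period_support(series, p, tol)
               for p in range(min_period, max_period + 1)}
    for p in sorted(support):
        s = support[p]
        if s < min_support:
            continue
        if s >= max(support[q] for q in range(p - tol, p + tol + 1) if q in support):
            return p, s
    return None, 0.0


def mine_regions(timestamps, capture_len, window_len=300, step=300, **kw):
    """Stage 3: slide a window over the capture and report each region in
    which the host is periodic, as (region_start, period, support)."""
    found = []
    for start in range(0, capture_len - window_len + 1, step):
        period, support = mine_period(
            build_event_series(timestamps, start, window_len), **kw)
        if period is not None:
            found.append((start, period, support))
    return found


# --- Constructed sample traffic (assumed, not captured data) ----------------
# Bot-like host: a 30 s peer-list refresh with +/-1 s jitter during the first
# 600 s, three unrelated requests mixed in, then irregular traffic only.
_JITTER = [0, -1, 1, -1, 0] * 4
BOT_TIMESTAMPS = sorted(
    [15 + 30 * k + _JITTER[k] for k in range(20)]
    + [100, 250, 400]
    + [620, 655, 700, 790, 830, 875]
    + [905, 960, 1100, 1150, 1180]
)
# Benign host: irregular, user-driven request times; two 300 s patterns reused.
_A = [7, 23, 58, 91, 120, 166, 199, 237, 262, 288]
_B = [12, 40, 77, 103, 131, 150, 180, 214, 248, 279, 295]
BENIGN_TIMESTAMPS = (_A + [t + 300 for t in _B]
                     + [t + 600 for t in _A] + [t + 900 for t in _B])

if __name__ == "__main__":
    for name, ts in (("bot-like", BOT_TIMESTAMPS), ("benign", BENIGN_TIMESTAMPS)):
        print(name, mine_regions(ts, 1200))
```

On the constructed input, the bot-like host is flagged in the regions starting at 0 s and 300 s with a 30 s period (support 9/11 and 9/10), and in no later region; the benign host is flagged nowhere. Two caveats a practitioner should keep in mind: the tolerance has to be set to the jitter the bot actually shows (a bot that spreads its refresh interval wider than the tolerance drives the support down, which is the obvious evasion to test against), and short bursts of user traffic followed by a later request can inflate the support of one candidate period, so the minimum-events and minimum-support thresholds should be validated on benign traffic from the monitored network before alerting on them.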
[1]Agrawal, R., Srikant, R., 1994. Fast Algorithms for Mining Association Rules. Proc. 20th Int. Conf. on Very Large Data Bases, p.487-499.
[2]Athanasopoulos, E., Makridakis, A., Antonatos, S., Antoniades, D., Ioannidis, S., Anagnostakis, K.G., Markatos, E.P., 2008. Antisocial networks: turning a social network into a botnet. LNCS, 5222:146-160.
[3]Bartlett, G., Heidemann, J., Papadopoulos, C., 2011. Low-Rate, Flow-Level Periodicity Detection. IEEE Conf. on Computer Communications Workshops, p.804-809.
[4]Berberidis, C., Aref, W.G., Atallah, M., Vlahavas, I., Elmagarmid, A.K., 2002. Multiple and Partial Periodicity Mining in Time Series Databases. European Conf. on Artificial Intelligence, p.370-374.
[5]Bracewell, R.N., Bracewell, R., 1986. The Fourier Transform and Its Applications. McGraw-Hill, New York.
[6]Cohen, L., 1992. Convolution, filtering, linear systems, the Wiener-Khinchin theorem: generalizations. SPIE, 1770:378-393.
[7]Fisher, D., 2007. Storm, Nugache Lead Dangerous New Botnet Barrage. Available from SearchSecurity.com.
[8]Grizzard, J.B., Sharma, V., Nunnery, C., Kang, B.B.H., Dagon, D., 2007. Peer-to-Peer Botnets: Overview and Case Study. Proc. 1st Workshop on Hot Topics in Understanding Botnets, p.1.
[9]Gu, G., Perdisci, R., Zhang, J., Lee, W., 2008. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. USENIX Security Symp., p.139-154.
[10]Han, J., Dong, G., Yin, Y., 1999. Efficient Mining of Partial Periodic Patterns in Time Series Database. Proc. 15th IEEE Int. Conf. on Data Engineering, p.106-115.
[11]Han, J., Cheng, H., Xin, D., Yan, X., 2007. Frequent pattern mining: current status and future directions. Data Min. Knowl. Discov., 15(1):55-86.
[12]Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F., 2008. Measurements and Mitigation of Peer-to-Peer-Based Botnets: a Case Study on Storm Worm. USENIX Workshop on Large-Scale Exploits and Emergent Threats, p.1-9.
[13]Kang, J., Song, Y.Z., Zhang, J.Y., 2011. Accurate detection of peer-to-peer botnet using multi-stream fused scheme. J. Networks, 6(5):807-814.
[14]Lee, J.S., Jeong, H.C., Park, J.H., Kim, M., Noh, B.N., 2008. The Activity Analysis of Malicious HTTP-Based Botnets Using Degree of Periodic Repeatability. Int. Conf. on Security Technology, p.83-86.
[15]Li, Z., Ding, B., Han, J., Kays, R., Nye, P., 2010. Mining Periodic Behaviors for Moving Objects. Proc. 16th ACM SIGKDD Int. Conf. on Knowledge Discovery and Data Mining, p.1099-1108.
[16]Li, Z., Wang, J., Han, J., 2012. Mining Event Periodicity from Incomplete Observations. Proc. 18th ACM SIGKDD Int. Conf. on Knowledge Discovery and Data Mining, p.444-452.
[17]Ma, S., Hellerstein, J.L., 2001. Mining Partially Periodic Event Patterns with Unknown Periods. Proc. 17th IEEE Int. Conf. on Data Engineering, p.205-214.
[18]Masud, M.M., Gao, J., Khan, L., Han, J., Thuraisingham, B., 2008. Mining Concept-Drifting Data Stream to Detect Peer to Peer Botnet Traffic. Available from http://www.utdallas.edu/mmm058000/reports/UTDCS-05-08.pdf.
[19]Maymounkov, P., Mazieres, D., 2002. Kademlia: a Peer-to-Peer Information System Based on the XOR Metric. Peer-to-Peer Systems, p.53-65.
[20]Nappa, A., Fattori, A., Balduzzi, M., Dell'Amico, M., Cavallaro, L., 2010. Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype. In: Kreibich, C.J.M. (Ed.), Detection of Intrusions and Malware, and Vulnerability Assessment. Springer Berlin Heidelberg, p.81-100.
[21]Noh, S.K., Oh, J.H., Lee, J.S., Noh, B.N., Jeong, H.C., 2009. Detecting P2P Botnets Using a Multi-phased Flow Model. IEEE 3rd Int. Conf. on Digital Society, p.247-253.
[22]Perdisci, R., Gu, G., Lee, W., 2006. Using an Ensemble of One-Class SVM Classifiers to Harden Payload-Based Anomaly Detection Systems. IEEE 6th Int. Conf. on Data Mining, p.488-498.
[23]Qiao, Y., Yang, Y., He, J., Liu, B., Zeng, Y., 2012. Detecting parasite P2P botnet in eMule-like networks through quasi-periodicity recognition. LNCS, 7259:127-139.
[24]Saad, S., Traore, I., Ghorbani, A., Sayed, B., Zhao, D., Lu, W., Felix, J., Hakimian, P., 2011. Detecting P2P Botnets Through Network Behavior Analysis and Machine Learning. IEEE 9th Annual Int. Conf. on Privacy, Security and Trust, p.174-180.
[25]Sheng, C., Hsu, W., Lee, M.L., 2006. Mining Dense Periodic Patterns in Time Series Data. Proc. 22nd Int. Conf. on Data Engineering, p.115.
[26]Starnberger, G., Kruegel, C., Kirda, E., 2008. Overbot: a Botnet Protocol Based on Kademlia. Proc. 4th Int. Conf. on Security and Privacy in Communication Networks, Article 13.
[27]Villamarin-Salomon, R., Brustoloni, J.C., 2009. Bayesian Bot Detection Based on DNS Traffic Similarity. Proc. ACM Symp. on Applied Computing, p.2035-2041.
[28]Vogt, R., Aycock, J., Jacobson, M.J. Jr., 2007. Army of Botnets. Network and Distributed System Security Symp., p.111-123.
[29]Wang, P., Aslam, B., Zou, C.C., 2010a. Peer-to-Peer Botnets. In: Handbook of Information and Communication Security. Springer, p.335-350.
[30]Wang, P., Sparks, S., Zou, C.C., 2010b. An advanced hybrid peer-to-peer botnet. IEEE Trans. Depend. Secur. Comput., 7(2):113-127.
[31]Yang, J., Wang, W., Yu, P.S., 2003. Mining asynchronous periodic patterns in time series data. IEEE Trans. Knowl. Data Eng., 15(3):613-628.