ABSTRACT
The ever-growing number of cyber attacks originating from botnets has made them one of the biggest threats to the Internet ecosystem. P2P-based botnets like ZeroAccess and Sality in particular require special attention, as they have proven to be very resilient against takedown attempts. To identify weaknesses and to prepare takedowns more carefully, it is therefore necessary to monitor them by crawling them and by deploying sensor nodes. This in turn provokes botmasters to devise monitoring countermeasures to protect their assets. Most existing anti-monitoring countermeasures focus on the detection of crawlers, not on the detection of sensors deployed in a botnet. In this paper, we propose two sensor detection mechanisms called SensorRanker and SensorBuster. We evaluate these mechanisms in two real-world botnets, Sality and ZeroAccess. Our results indicate that SensorRanker and SensorBuster are able to detect up to 17 sensors deployed in Sality and four within ZeroAccess.
SensorBuster: On Identifying Sensor Nodes in P2P Botnets