Detecting P2P Botnets Using a Multi-phased Flow Model

Author

Noh, Sang-Kyun ; Oh, Joo-Hyung ; Lee, Jae-Seo ; Noh, Bong-Nam ; Jeong, Hyun-Cheol

Author_Institution

Appl. Security Technol. Team, Korea Inf. Security Agency, Seoul

fYear

2009

fDate

1-7 Feb. 2009

Firstpage

247

Lastpage

253

Abstract

In this paper, we propose a useful method for modeling multi-phased flows of P2P botnet traffic. Botnets are becoming more sophisticated and more dangerous each day and attackers use the P2P protocol to avoid centralized botnet topologies. We focus on the feature that a peer bot generates multiple traffic to communicate with large number of remote peers. In this case, phased botnet flows have similar patterns, which occur at irregular intervals. We compress duplicated flows via flow grouping and construct a transition model of the clustered flows using a probability-based matrix. A flow state is decided by features consisting of; protocol, port, and traffic. Our model involves transition information about the state values. Finally, we use the likelihood ratio for detection. In the experimental evaluation, we show the efficiency of our proposed system with the SpamThru, Storm, and Nugache botnets.

Keywords

peer-to-peer computing; security of data; P2P botnet traffic; digital society; intrusion detection; multi-phased flows; probability-based matrix; Information security; Intrusion detection; National security; Network servers; Peer to peer computing; Protocols; Storms; Telecommunication traffic; Topology; Traffic control; botnet; digital society; intrusion detection; multi-phased flow; peer-to-peer;

fLanguage

English

Publisher

ieee

Conference_Titel

Digital Society, 2009. ICDS '09. Third International Conference on

Conference_Location

Cancun

Print_ISBN

978-1-4244-3550-6

Electronic_ISBN

978-0-7695-3526-5

Type

conf

DOI

10.1109/ICDS.2009.37

Filename

4782883