5 articles found
Monitoring Peer-to-Peer Botnets: Requirements, Challenges, and Future Works (cited by: 1)
1
Authors: Arkan Hammoodi Hasan Kabla, Mohammed Anbar, Selvakumar Manickam, Alwan Ahmed Abdulrahman Alwan, Shankar Karuppayah. Computers, Materials & Continua, SCIE, EI, 2023, Issue 5, pp. 3375-3398 (24 pages)
The cyber-criminal compromises end-hosts (bots) to configure a network of bots (botnet). The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as Peer-to-Peer (P2P) networks. The P2P botnets leverage the privileges of the decentralized nature of P2P networks. Consequently, the P2P botnets exploit the resilience of this architecture to be arduous against take-down procedures. Some P2P botnets are smarter to be stealthy in their Command-and-Control mechanisms (C2) and elude the standard discovery mechanisms. Therefore, the other side of this cyberwar is the monitor. The P2P botnet monitoring is an exacting mission because the monitoring must care about many aspects simultaneously. Some aspects pertain to the existing monitoring approaches, some pertain to the nature of P2P networks, and some to counter the botnets, i.e., the anti-monitoring mechanisms. All these challenges should be considered in P2P botnet monitoring. To begin with, this paper provides an anatomy of P2P botnets. Thereafter, this paper exhaustively reviews the existing monitoring approaches of P2P botnets and thoroughly discusses each to reveal its advantages and disadvantages. In addition, this paper groups the monitoring approaches into three groups: passive, active, and hybrid monitoring approaches. Furthermore, this paper also discusses the functional and non-functional requirements of advanced monitoring. In conclusion, this paper ends by epitomizing the challenges of various aspects and gives future avenues for better monitoring of P2P botnets.
Keywords: P2P networks; botnet; P2P botnet; botnet monitoring; honeypot; crawlers
Detection of P2P botnet based on network behavior features and Dezert-Smarandache theory (cited by: 1)
2
Authors: Song Yuanzhang, Chen Yuan, Wang Junjie, Wang Anbang, Li Hongyu. Journal of Southeast University (English Edition), EI, CAS, 2018, Issue 2, pp. 191-198 (8 pages)
In order to improve the accuracy of detecting the new P2P (peer-to-peer) botnet, a novel P2P botnet detection method based on the network behavior features and Dezert-Smarandache theory is proposed. It focuses on the network behavior features, which are the essential abnormal features of the P2P botnet and do not change with the network topology, the network protocol or the network attack type launched by the P2P botnet. First, the network behavior features are accurately described by the local singularity and the information entropy theory. Then, two detection results are acquired by using the Kalman filter to detect the anomalies of the above two features. Finally, the above two detection results are fused with the Dezert-Smarandache theory to obtain the final detection results. The experimental results demonstrate that the proposed method can effectively detect the new P2P botnet and that it considerably outperforms other methods at a lower degree of false negative rate and false positive rate, and the false negative rate and the false positive rate can reach 0.09 and 0.12, respectively.
Keywords: P2P (peer-to-peer) botnet; local singularity; entropy; Kalman filter; Dezert-Smarandache theory
Detecting P2P Botnet by Analyzing Macroscopic Characteristics with Fractal and Information Fusion
3
Author: SONG Yuanzhang. China Communications, SCIE, CSCD, 2015, Issue 2, pp. 107-117 (11 pages)
Towards the problems of existing detection methods, a novel real-time detection method (DMFIF) based on fractal and information fusion is proposed. It focuses on the intrinsic macroscopic characteristics of network, which reflect not the "unique" abnormalities of P2P botnets but the "common" abnormalities of them. It regards network traffic as the signal, and synthetically considers the macroscopic characteristics of network under different time scales with the fractal theory, including the self-similarity and the local singularity, which don't vary with the topology structures, the protocols and the attack types of P2P botnet. At first detect traffic abnormalities of the above characteristics with the nonparametric CUSUM algorithm, and achieve the final result by fusing the above detection results with the Dempster-Shafer evidence theory. Moreover, the side effect on detecting P2P botnet which web applications generated is considered. The experiments show that DMFIF can detect P2P botnet with a higher degree of precision.
Keywords: P2P botnet; fractal; information fusion; CUSUM algorithm
A novel mathematical model on Peer-to-Peer botnet
4
Authors: 任玮, 宋礼鹏, 冯丽萍. Journal of Measurement Science and Instrumentation, CAS, 2014, Issue 4, pp. 62-67 (6 pages)
Peer-to-Peer (P2P) botnet has emerged as one of the most serious threats to Internet security. To effectively eliminate P2P botnet, a delayed SEIR model is proposed, which can portray the formation process of P2P botnet. Then, the local stability at equilibria is carefully analyzed by considering the eigenvalues' distributed ranges of characteristic equations. Both mathematical analysis and numerical simulations show that the dynamical features of the proposed model rely on the basic reproduction number and time delay r. The results can help us to better understand the propagation behaviors of P2P botnet and design effective counter-botnet methods.
Keywords: Peer-to-Peer; P2P botnet; stability; SEIR model; time delay
Detecting P2P bots by mining the regional periodicity (cited by: 3)
5
Authors: Yong QIAO, Yue-xiang YANG, Jie HE, Chuan TANG, Ying-zhi ZENG. Journal of Zhejiang University-Science C (Computers and Electronics), SCIE, EI, 2013, Issue 9, pp. 682-700 (19 pages)
Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays. Current methods for detecting P2P botnets, such as similarity analysis of network behavior and machine-learning based classification, cannot handle the challenges brought about by different network scenarios and botnet variants. We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase. In this paper, we propose a novel detection model named detection by mining regional periodicity (DMRP), including capturing the event time series, mining the hidden periodicity of host behaviors, and evaluating the mined periodic patterns to identify P2P bot traffic. As our detection model is built based on the basic properties of P2P protocols, it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C. For hidden periodicity mining, we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem. The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.
Keywords: P2P botnet detection; regional periodicity; Apriori; autocorrelation function; evaluation function