
Study On P2P Botnet Real-time Detection Based On Network Traffic

Posted on: 2016-03-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J He
Full Text: PDF
GTID: 1318330536467139
Subject: Computer Science and Technology

Abstract/Summary:
A botnet is a malicious network of many compromised computers that are controlled by an attacker. It has become one of the major threats to the health of the Internet. Using a botnet as a platform, attackers can readily perform various large-scale malicious activities, such as launching DDoS (distributed denial-of-service) attacks, sending spam, and stealing sensitive data. Early botnets mainly built their command and control channel on the IRC (Internet Relay Chat) protocol or the HTTP protocol. These centralized architectures have obvious limitations, such as a single point of failure. With the development of P2P (peer-to-peer) technology, botnets started shifting towards a decentralized architecture. A botnet based on a P2P protocol poses a more serious threat and is harder to detect, since its flexibility, robustness and stealthiness are greatly enhanced.

In this thesis, we propose a step-by-step study of real-time P2P botnet detection based on network traffic from three aspects: P2P traffic identification and classification, P2P botnet detection, and targeted traffic sampling. The identification and classification of P2P traffic provides a basis for the detection of P2P botnets, while targeted traffic sampling further improves the real-time capability of P2P botnet detection approaches and allows them to operate on high-speed networks. The main work and contributions of this thesis are as follows:

1) Two P2P traffic identification and classification approaches based on aggregation flows are proposed. The traffic generated by P2P applications contains many similar flows that share the same basic properties. These similar flows are strong indicators of the presence of P2P traffic, since they correspond to significant control activities in the P2P network. We define such groups of similar flows as aggregation flows. Based on this behavioral characteristic, we propose two P2P traffic identification and classification approaches. The first approach counts how many times aggregation flows appear in the traffic and then designs a score function to classify P2P traffic. The second approach takes the number of appearances of aggregation flows as a statistical feature and then classifies P2P traffic in real time with the help of an SVM (support vector machine). Both approaches rely only on a few basic properties of flows and do not need any complicated statistical features. Furthermore, they are unaffected by traffic encryption. The experimental results demonstrate that both can classify P2P traffic at a fine-grained level with high accuracy and fast speed.

2) A real-time P2P botnet detection approach based on behavior pattern matching, named PeerSorter, is proposed. A P2P botnet is also a kind of P2P network, so it generates aggregation flows just as benign P2P networks do. Based on this presumption, PeerSorter builds profiles of the network behavior pattern of different P2P botnets. In the detection phase, the behavior pattern of unknown traffic is extracted and compared to the pre-built pattern profiles. A match function is designed to estimate the degree of matching between them, and a detection result is produced according to that matching degree. Because the aggregation flow characteristic is universal in P2P networks, PeerSorter is able to detect the traffic not only of different P2P botnets but also of various benign P2P applications. The experimental results demonstrate that PeerSorter can accurately detect a variety of P2P botnets and benign P2P applications in real time.

3) A real-time P2P botnet detection approach based on the re-connection characteristic, named PeerDigger, is proposed. Compared to a benign P2P host, a P2P bot prefers to contact the same external hosts it has contacted before. We define this behavioral characteristic of P2P bots as the re-connection characteristic. PeerDigger first identifies all P2P hosts in the monitored network based on the aggregation flow characteristic, and then further distinguishes P2P bots from benign P2P hosts based on the re-connection characteristic. In contrast to existing contemporary approaches, PeerDigger is able to detect P2P bots even if their malicious activities are not observable or there is only a single bot of a botnet within the network perimeter. The experimental results demonstrate that PeerDigger can detect P2P bots with high accuracy in real time.

4) An adaptive traffic sampling approach for P2P botnet detection, named T-Sampling, is proposed. The traffic volumes typical of current high-speed networks are challenging for P2P botnet detection systems based on network traffic. T-Sampling is able to effectively reduce the volume of traffic that P2P botnet detectors need to process while preserving their detection accuracy, thus allowing them to operate on high-speed and high-volume networks. T-Sampling first identifies a small number of potential P2P bots in the high-speed network as early as possible, and then samples as many P2P botnet-related packets as possible under a given target sampling rate. The experimental results demonstrate that T-Sampling can greatly increase the proportion of P2P botnet-related packets in the sampled traffic while keeping the accuracy of the P2P botnet detector at a high level.
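As an added illustration of the two-stage idea behind PeerDigger (aggregation flows to find P2P hosts, then the re-connection characteristic to separate bots from benign peers), here is a small Python sketch over constructed flow records. It is not code from the thesis; the concrete operationalization of an aggregation flow, the thresholds and the sample traffic are assumptions of this example.

```python
from collections import defaultdict

# Constructed flow records, not real traffic: (src, dst, proto, dst_port, pkts, bytes).
# Records for one host are listed in the order the flows were observed.
def _mk(src, dsts, proto="udp", port=6881, pkts=2, nbytes=200):
    return [(src, d, proto, port, pkts, nbytes) for d in dsts]

FLOWS = (
    # benign P2P peer: identical small probes to many distinct peers, one re-contact
    _mk("10.0.0.5", ["198.51.100.%d" % i for i in range(1, 7)] + ["198.51.100.1"])
    # bot-like peer: the same three external hosts are contacted again and again
    + _mk("10.0.0.9", ["203.0.113.1", "203.0.113.2", "203.0.113.3"] * 3)
    # ordinary HTTPS client: every flow differs in size, so no aggregation flow forms
    + [("10.0.0.2", "192.0.2.%d" % i, "tcp", 443, 10 + i, 1500 * i) for i in range(1, 5)]
)

def aggregation_flows(flows, min_peers=3):
    """Count aggregation flows per source host (stage 1).
    Assumed operationalization: flows from one host sharing protocol, destination port,
    packet count and byte count that reach >= min_peers distinct destinations."""
    peers = defaultdict(set)
    for src, dst, proto, port, pkts, nbytes in flows:
        peers[(src, proto, port, pkts, nbytes)].add(dst)
    counts = defaultdict(int)
    for (src, *_), dsts in peers.items():
        if len(dsts) >= min_peers:
            counts[src] += 1
    return dict(counts)

def reconnection_ratio(flows, host):
    """Fraction of the host's outbound flows whose destination it had already contacted."""
    seen, repeats, total = set(), 0, 0
    for src, dst, *_ in flows:
        if src != host:
            continue
        total += 1
        repeats += int(dst in seen)
        seen.add(dst)
    return repeats / total if total else 0.0

def classify(flows, threshold=0.5):
    """Stage 2: label each P2P host by its re-connection ratio (threshold is assumed)."""
    verdicts = {}
    for host in sorted(aggregation_flows(flows)):
        ratio = reconnection_ratio(flows, host)
        label = "p2p-bot-suspect" if ratio >= threshold else "benign-p2p"
        verdicts[host] = (label, round(ratio, 2))
    return verdicts
```

The HTTPS client never reaches stage 2 because it produces no aggregation flow, which is what lets the re-connection test be applied only to hosts already known to behave like P2P peers.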
Keywords/Search Tags: P2P botnet, network behavior characteristic, P2P traffic classification, real-time detection, adaptive traffic sampling