Detecting P2P bots by mining the regional periodicity

Cited by: 17
Authors
Qiao, Yong [1]
Yang, Yue-xiang [1,2]
He, Jie [1]
Tang, Chuan [2]
Zeng, Ying-zhi [2]
Affiliations
[1] Natl Univ Def Technol, Coll Comp, Changsha 410073, Hunan, Peoples R China
[2] Natl Univ Def Technol, Informat Ctr, Changsha 410073, Hunan, Peoples R China
Source
JOURNAL OF ZHEJIANG UNIVERSITY-SCIENCE C-COMPUTERS & ELECTRONICS | 2013 / Vol. 14 / Issue 09
Funding
National Natural Science Foundation of China;
Keywords
P2P botnet detection; Regional periodicity; Apriori; Autocorrelation function; Evaluation function; PATTERNS;
DOI
10.1631/jzus.C1300053
Chinese Library Classification (CLC) number
TP [Automation technology, computer technology];
Discipline classification code
080201 [Mechanical manufacturing and automation];
Abstract
Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays. Current methods for detecting P2P botnets, such as similarity analysis of network behavior and machine-learning based classification, cannot handle the challenges brought about by different network scenarios and botnet variants. We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase. In this paper, we propose a novel detection model named detection by mining regional periodicity (DMRP), including capturing the event time series, mining the hidden periodicity of host behaviors, and evaluating the mined periodic patterns to identify P2P bot traffic. As our detection model is built based on the basic properties of P2P protocols, it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C. For hidden periodicity mining, we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem. The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.
Pages: 682 / 700
Page count: 19