Friends of an enemy

Identifying local members of peer-to-peer botnets using mutual contacts

Baris Coskun, Sven Dietrich, Nasir Memon

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Abstract

In this work we show that once a single peer-to-peer (P2P) bot is detected in a network, it may be possible to efficiently identify other members of the same botnet in the same network even before they exhibit any overtly malicious behavior. Detection is based on an analysis of connections made by the hosts in the network. It turns out that if bots select their peers randomly and independently (i.e. unstructured topology), any given pair of P2P bots in a network communicate with at least one mutual peer outside the network with a surprisingly high probability. This, along with the low probability of any other host communicating with this mutual peer, allows us to link local nodes within a P2P botnet together. We propose a simple method to identify potential members of an unstructured P2P botnet in a network starting from a known peer. We formulate the problem as a graph problem and mathematically analyze a solution using an iterative algorithm. The proposed scheme is simple and requires only flow records captured at network borders. We analyze the efficacy of the proposed scheme using real botnet data, including data obtained from both observing and crawling the Nugache botnet.

Original language: English (US)
Title of host publication: Proceedings - 26th Annual Computer Security Applications Conference, ACSAC 2010
Pages: 131-140
Number of pages: 10
DOI: https://doi.org/10.1145/1920261.1920283
State: Published - 2010
Event: 26th Annual Computer Security Applications Conference, ACSAC 2010 - Austin, TX, United States
Duration: Dec 6 2010 - Dec 10 2010

Other

Other: 26th Annual Computer Security Applications Conference, ACSAC 2010
Country: United States
City: Austin, TX
Period: 12/6/10 - 12/10/10

Keywords

• IDS
• network security
• P2P botnet

ASJC Scopus subject areas

• Computer Networks and Communications
• Software
• Safety, Risk, Reliability and Quality

Cite this

Coskun, B., Dietrich, S., & Memon, N. (2010). Friends of an enemy: Identifying local members of peer-to-peer botnets using mutual contacts. In Proceedings - 26th Annual Computer Security Applications Conference, ACSAC 2010 (pp. 131-140). https://doi.org/10.1145/1920261.1920283

@inproceedings{51dce4cac15c4c6992dbf702213e56b0,
title = "Friends of an enemy: Identifying local members of peer-to-peer botnets using mutual contacts",
keywords = "IDS, network security, P2P botnet",
author = "Baris Coskun and Sven Dietrich and Nasir Memon",
year = "2010",
doi = "10.1145/1920261.1920283",
language = "English (US)",
isbn = "9781450301336",
pages = "131--140",
booktitle = "Proceedings - 26th Annual Computer Security Applications Conference, ACSAC 2010",
}
