Front. Inform. Technol. Electron. Eng.  2013, Vol. 14 Issue (9): 682-700    DOI: 10.1631/jzus.C1300053
Detecting P2P bots by mining the regional periodicity
Yong Qiao, Yue-xiang Yang, Jie He, Chuan Tang, Ying-zhi Zeng
College of Computer, National University of Defense Technology, Changsha 410073, China; Information Center, National University of Defense Technology, Changsha 410073, China
Abstract: Peer-to-peer (P2P) botnets outperform the traditional Internet relay chat (IRC) botnets in evading detection and they have become a prevailing type of threat to the Internet nowadays. Current methods for detecting P2P botnets, such as similarity analysis of network behavior and machine-learning based classification, cannot handle the challenges brought about by different network scenarios and botnet variants. We noticed that one important but neglected characteristic of P2P bots is that they periodically send requests to update their peer lists or receive commands from botmasters in the command-and-control (C&C) phase. In this paper, we propose a novel detection model named detection by mining regional periodicity (DMRP), including capturing the event time series, mining the hidden periodicity of host behaviors, and evaluating the mined periodic patterns to identify P2P bot traffic. As our detection model is built based on the basic properties of P2P protocols, it is difficult for P2P bots to avoid being detected as long as P2P protocols are employed in their C&C. For hidden periodicity mining, we introduce the so-called regional periodic pattern mining in a time series and present our algorithms to solve the mining problem. The experimental evaluation on public datasets demonstrates that the algorithms are promising for efficient P2P bot detection in the C&C phase.
Key words: P2P botnet detection    Regional periodicity    Apriori    Autocorrelation function    Evaluation function
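The abstract's core observation is that a P2P bot in its C&C phase keeps a regular schedule (peer-list refreshes, command polling), so the host's connection-event time series carries a hidden period, and that this period may hold only over a region of the series rather than its whole length. The following is an added illustration of that idea, not the authors' DMRP implementation or the regional periodic pattern mining algorithms of the paper: it bins per-host connection timestamps into a 0/1 event series, uses the autocorrelation function to find the dominant lag, and scans fixed windows so that periodicity confined to one region is still surfaced. The host addresses, timestamps, bin size, lag range, window size and threshold are all constructed or assumed for the example.

```python
"""Periodicity mining over per-host event time series (added illustration).

This is not the paper's DMRP code. It demonstrates the observation the
abstract builds on: a host that contacts peers every T seconds produces a 0/1
event series whose autocorrelation function (ACF) peaks at lag T / bin_size,
while ordinary user traffic shows no dominant lag. The windowed scan is a
simple stand-in for the 'regional' notion: periodicity that holds only while
the bot is in its C&C phase still appears inside the windows covering it.
"""


def build_event_series(timestamps, horizon_seconds, bin_seconds):
    """Map event timestamps (seconds) to a 0/1 series, one entry per time bin."""
    n_bins = horizon_seconds // bin_seconds
    series = [0] * n_bins
    for t in timestamps:
        b = int(t // bin_seconds)
        if 0 <= b < n_bins:
            series[b] = 1  # at least one event fell into this bin
    return series


def autocorrelation(series, lag):
    """Normalised sample ACF: sum (x_i - m)(x_{i+lag} - m) / sum (x_i - m)^2."""
    n = len(series)
    if lag <= 0 or lag >= n:
        return 0.0
    m = sum(series) / n
    num = sum((series[i] - m) * (series[i + lag] - m) for i in range(n - lag))
    den = sum((x - m) ** 2 for x in series)
    return num / den if den else 0.0


def dominant_period(series, min_lag, max_lag):
    """Return (lag, acf) of the strongest ACF value for lags in [min_lag, max_lag]."""
    max_lag = min(max_lag, len(series) // 2)  # lags beyond half the series are noise
    if max_lag < min_lag:
        return 0, 0.0
    best_lag = max(range(min_lag, max_lag + 1),
                   key=lambda lag: autocorrelation(series, lag))
    return best_lag, autocorrelation(series, best_lag)


def periodic_regions(series, window, min_lag, max_lag, threshold, min_events=3):
    """Scan fixed-size windows; report (start, end, lag) for windows that look periodic."""
    regions = []
    for start in range(0, len(series) - window + 1, window):
        chunk = series[start:start + window]
        if sum(chunk) < min_events:  # too sparse to say anything about periodicity
            continue
        lag, score = dominant_period(chunk, min_lag, max_lag)
        if score >= threshold:
            regions.append((start, start + window, lag))
    return regions


def score_hosts(events, horizon_seconds=1200, bin_seconds=5, min_lag=2,
                max_lag=60, window=60, threshold=0.5):
    """Per-host report: dominant period, its ACF strength, periodic regions, and a flag.

    All parameter defaults are assumptions chosen for this example.
    """
    report = {}
    for host, timestamps in events.items():
        series = build_event_series(timestamps, horizon_seconds, bin_seconds)
        lag, score = dominant_period(series, min_lag, max_lag)
        regions = periodic_regions(series, window, min_lag, max_lag, threshold)
        report[host] = {
            "period_seconds": lag * bin_seconds,
            "acf": round(score, 3),
            "regions": regions,
            "flag": score >= threshold or bool(regions),
        }
    return report


# Constructed sample data (hypothetical hosts, 20-minute horizon, timestamps in s).
# 10.0.0.7 behaves like a P2P bot: one outbound contact every 30 s with small
# jitter, but only between t=300 and t=900 (the "region" of C&C activity).
# 10.0.0.21 behaves like an interactive user: irregular contacts.
SAMPLE_EVENTS = {
    "10.0.0.7": [300 + 30 * k + (k % 3) for k in range(20)],
    "10.0.0.21": [3, 17, 20, 95, 131, 260, 275, 402, 590, 611, 812, 999, 1150],
}

if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_EVENTS).items():
        print(host, info)
```

On the constructed data the bot-like host shows a dominant period of 30 s with an ACF value above 0.9 and two flagged windows covering t=300 to t=900, while the user-like host has no lag above the threshold and no flagged window. In practice the bin size must be small relative to the expected period, and the threshold should be calibrated against benign periodic traffic (NTP, software update checks, keep-alives) before such a score is used as a detection signal.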
Received: 2013-02-25    Published: 2013-09-05
CLC: TP393.08
Cite this article:

Yong Qiao, Yue-xiang Yang, Jie He, Chuan Tang, Ying-zhi Zeng. Detecting P2P bots by mining the regional periodicity. Front. Inform. Technol. Electron. Eng., 2013, 14(9): 682-700.

Link to this article:

http://www.zjujournals.com/xueshu/fitee/CN/10.1631/jzus.C1300053
http://www.zjujournals.com/xueshu/fitee/CN/Y2013/V14/I9/682
