http://dx.doi.org/10.13089/JKIISC.2015.25.4.807

Scalable P2P Botnet Detection with Threshold Setting in Hadoop Framework  

Huseynov, Khalid (Korea Advanced Institute of Science and Technology (KAIST))
Yoo, Paul D. (Bournemouth University)
Kim, Kwangjo (Korea Advanced Institute of Science and Technology (KAIST))
Abstract
During the last decade most coordinated security breaches have been carried out by means of botnets: large overlay networks of compromised computers controlled by a remote botmaster. Because of the high volume of traffic that must be analyzed, the challenge lies in managing the tradeoff between system scalability and accuracy. We propose a novel Hadoop-based P2P botnet detection method that addresses the scalability problem while maintaining high accuracy. Moreover, our approach does not require labeled data and is applicable to encrypted traffic as well.
Keywords
botnets; scalability; Hadoop; unsupervised detection;
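The abstract states the approach in general terms: flow-level features computed in the Hadoop MapReduce model, an unsupervised threshold instead of labeled training data, and no dependence on payload (so encrypted traffic is covered). The following is an added example, not the paper's code and not its actual features or threshold rule, showing how such a pipeline decomposes into a mapper, a shuffle and a reducer. The feature (distinct peers contacted per source host), the threshold rule (median plus three times the median absolute deviation) and the sample flow records are all assumptions constructed here; an in-memory grouping stands in for Hadoop's shuffle phase.

```python
"""Added example: MapReduce-style per-host flow aggregation with an
unsupervised threshold. Feature choice, threshold rule and sample data
are assumptions for illustration, not the paper's method."""
from collections import defaultdict
from statistics import median

# Constructed sample flow records: (src_ip, dst_ip, dst_port).
# Hosts 10.0.0.1-8 show ordinary client behaviour (a few peers on 80/443);
# 10.0.0.9 fans out to many distinct peers on high ports, as a P2P node does.
SAMPLE_FLOWS = []
for i in range(1, 9):
    for j in range(i % 3 + 1):
        SAMPLE_FLOWS.append((f"10.0.0.{i}", f"203.0.113.{j + 1}",
                             443 if j % 2 == 0 else 80))
SAMPLE_FLOWS += [("10.0.0.9", f"198.51.100.{n}", 30000 + n)
                 for n in range(1, 41)]


def mapper(flow):
    """Map phase: emit (source host, (peer, dst_port)).

    Only flow headers are used, never payload, so the same logic applies
    to encrypted traffic."""
    src, dst, port = flow
    yield src, (dst, port)


def shuffle(pairs):
    """Stand-in for Hadoop's shuffle/sort: group mapper output by key."""
    groups = defaultdict(list)
    for key, value in pairs:
        groups[key].append(value)
    return groups


def reducer(host, values):
    """Reduce phase: per-host flow-level features."""
    return host, {
        "flows": len(values),
        "distinct_peers": len({dst for dst, _ in values}),
        "distinct_ports": len({port for _, port in values}),
    }


def run_mapreduce(flows):
    """Run the whole job locally and return {host: features}."""
    pairs = (kv for flow in flows for kv in mapper(flow))
    return dict(reducer(h, v) for h, v in shuffle(pairs).items())


def set_threshold(features, k=3.0):
    """Unsupervised threshold (assumed rule): median + k * MAD of the
    distinct-peer counts. Median/MAD are robust to the very outliers
    we want to catch, unlike mean/stddev on a small population."""
    counts = [f["distinct_peers"] for f in features.values()]
    med = median(counts)
    # Floor the MAD at 1 so a population of near-identical hosts does not
    # collapse the band to zero width.
    mad = max(median(abs(c - med) for c in counts), 1)
    return med + k * mad


def flag_hosts(features, threshold):
    """Hosts whose distinct-peer count meets or exceeds the threshold."""
    return sorted(h for h, f in features.items()
                  if f["distinct_peers"] >= threshold)


if __name__ == "__main__":
    feats = run_mapreduce(SAMPLE_FLOWS)
    thr = set_threshold(feats)
    print(f"threshold={thr}", flag_hosts(feats, thr))
```

On the constructed sample the threshold comes out at 5.0 and only 10.0.0.9 is flagged. In a real Hadoop Streaming job the mapper and reducer would read flow lines from stdin and write key/value lines to stdout, and the threshold would be derived in a second pass over the reducer output rather than in one process.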