Amit Kumar
Venue: KD 101

Abstract: A botnet is a network of infected hosts (bots) that operates under the control of a botmaster (botherder), who issues commands to the bots over command and control (C&C) channels. Botnet architectures have evolved over time to evade detection and disruption. Traditionally, botnets used a centralized client-server architecture, which had a single point of failure; with the advent of peer-to-peer (P2P) technology, that single point of failure appears to have been removed. Taking advantage of its decentralized nature, botmasters started building botnets on P2P architectures. P2P botnets are highly resilient against detection and remain operational even after some bots are identified or taken down. They provide a common framework for a range of cyber-crimes, including DDoS (Distributed Denial of Service), email spam, phishing, and password sniffing. In this work, we present PeerClear, a novel approach for detecting P2P botnets using network traffic tracing. We use a two-step process to identify P2P bots. First, we identify all hosts involved in P2P activity; then, from these identified P2P clients, we detect the hosts that are likely to be engaged in P2P bot activity. For P2P host detection, we leverage properties commonly seen in P2P hosts, such as failed connection attempts and non-DNS connection attempts. For distinguishing stealthy P2P bots from benign P2P clients, we use features distinctive to bots, such as the inter-arrival time of packets and the duration of conversations. Our evaluation shows that PeerClear achieves detection rates of more than 99.6% and false-positive rates of less than 0.28%.
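The two-step pipeline sketched in the abstract, as an added illustration rather than the PeerClear implementation itself: stage one flags hosts with P2P-like behaviour from their failed-connection and non-DNS-destination ratios, and stage two separates bots from benign P2P clients using inter-arrival-time regularity and conversation duration. The flow records, the set of DNS-resolved IPs and the thresholds are constructed assumptions for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample flows (not a real capture): (src, dst, start_s, duration_s,
# completed); completed=False is a connection attempt that got no response.
# 10.0.0.5 is a web client, 10.0.0.7 a benign P2P client and 10.0.0.9 a P2P bot
# that contacts a new peer exactly every 30 s.
FLOWS = [
    ("10.0.0.5", "93.184.216.34", 0.0, 12.0, True),
    ("10.0.0.5", "151.101.1.69", 7.0, 30.0, True),
    ("10.0.0.7", "198.51.100.10", 0.0, 120.0, True),
    ("10.0.0.7", "198.51.100.11", 3.0, 0.0, False),
    ("10.0.0.7", "198.51.100.12", 25.0, 300.0, True),
    ("10.0.0.7", "198.51.100.13", 26.0, 0.0, False),
    ("10.0.0.9", "203.0.113.20", 0.0, 0.5, True),
    ("10.0.0.9", "203.0.113.21", 30.0, 0.0, False),
    ("10.0.0.9", "203.0.113.22", 60.0, 0.4, True),
    ("10.0.0.9", "203.0.113.23", 90.0, 0.0, False),
    ("10.0.0.9", "203.0.113.24", 120.0, 0.6, True),
]
# Destination IPs seen in DNS answers during the capture (constructed).
DNS_RESOLVED = {"93.184.216.34", "151.101.1.69"}
# Assumed thresholds (stage 1: P2P host; stage 2: P2P bot); tune on labelled traffic.
MIN_FAILED_RATIO, MIN_NON_DNS_RATIO, MAX_IAT_CV, MAX_MEAN_DURATION = 0.3, 0.5, 0.2, 5.0

def host_features(flows, dns_resolved):
    """Per source host: failed ratio, non-DNS ratio, inter-arrival CV, mean duration."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    feats = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f[2])
        iats = [b[2] - a[2] for a, b in zip(fl, fl[1:])]
        # Machine-driven beaconing gives a low CV; human-driven traffic is bursty.
        cv = pstdev(iats) / mean(iats) if len(iats) >= 2 and mean(iats) > 0 else float("inf")
        feats[src] = {"failed": sum(not f[4] for f in fl) / len(fl),
                      "non_dns": sum(f[1] not in dns_resolved for f in fl) / len(fl),
                      "iat_cv": cv, "mean_dur": mean([f[3] for f in fl])}
    return feats

def detect_p2p_hosts(feats):
    """Stage 1: hosts whose traffic looks P2P (many failed and non-DNS connections)."""
    return {h for h, v in feats.items()
            if v["failed"] >= MIN_FAILED_RATIO and v["non_dns"] >= MIN_NON_DNS_RATIO}

def detect_p2p_bots(feats, p2p_hosts):
    """Stage 2: P2P hosts with machine-regular timing and short conversations."""
    return {h for h in p2p_hosts
            if feats[h]["iat_cv"] <= MAX_IAT_CV and feats[h]["mean_dur"] <= MAX_MEAN_DURATION}
```

On the constructed data, stage one flags both 10.0.0.7 and 10.0.0.9 as P2P hosts, and stage two keeps only 10.0.0.9, whose fixed 30 s peer contacts and sub-second conversations give a zero inter-arrival CV.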

Thesis