[li-infosec] April 28: Friends of an Enemy: Detecting P2P Botnets


Ray Mcclure

Apr 27, 2010, 9:35:13 AM4/27/10
to Long Island Information Security Group
FYI

***

April 28: Friends of an Enemy: Detecting P2P Botnets - Spring 2010 Colloquium Series

Speaker: Prof. Nasir Memon, Polytechnic Institute of New York University
11:30 am to 12:30 pm
200 Adams Hall

Abstract:

Botnets, which are networks of compromised hosts (bots) under the control of a botmaster, have become a major threat for today’s networks. Botmasters use botnets to perform various malicious activities such as spamming, phishing, stealing sensitive information, conducting distributed denial of service (DDoS) attacks, scanning to find more hosts to compromise, etc. Bots, which perform such malicious activities, often go over the radar and get detected by Intrusion/Anomaly Detection Systems. In fact, network administrators regularly discover bots, which expose themselves by sending spam emails or performing a scan, etc.

In this talk we show that once a single peer-to-peer (P2P) bot is detected in a network, it may be possible to efficiently identify other members of the same botnet in the same network even before they exhibit any overtly malicious behavior. Detection is done based on an analysis of the connections made by the hosts in the network. It turns out, due to reasons very similar to the Birthday Paradox, that even if bots select their peers randomly and independently, any given pair of P2P bots in a network communicate with at least one mutual peer outside the network with a surprisingly high probability. This, along with the low probability of any other host communicating with this mutual peer, allows us to link local nodes within a P2P botnet together. We propose a simple method to identify members of a P2P botnet in a network starting from a known peer. We formulate the problem as a graph problem and mathematically analyze a solution using an iterative algorithm. The proposed scheme is simple and requires only flow records captured at network borders. We analyze the efficacy of the proposed scheme using real botnet data obtained from both observing and crawling the Nugache botnet. We also evaluate the worst case performance of the proposed scheme with artificial botnet traffic generated by a generic P2P botnet model.

Biography:
Nasir Memon is a Professor in the Computer Science Department at Polytechnic Institute of New York University (NYU-Poly). He is the director of the Information Systems and Internet Security (ISIS, isis.poly.edu) lab at NYU-Poly. His research interests include Data Compression, Computer and Network Security, Digital Forensics, and Multimedia Data Security. Prof. Memon is the co-founder of Digital Assembly (www.digital-assembly.com) and Vivic Networks (www.vivic.com), two early stage start-ups in NYU-Poly's BEST incubator.

For more information about this colloquium, please contact Habib M. Ammari at csc...@hofstra.edu

***
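The abstract describes linking internal hosts to a known P2P bot through rare mutual external peers, seen only in border flow records. The following is an added illustration of that idea, not code from the talk or the paper: it uses constructed flow records with hypothetical hosts h1..h5, and it approximates "low probability of any other host communicating with this mutual peer" with a simple fan-in threshold (`max_fanin`), which is an assumption of this example rather than the authors' actual iterative algorithm.

```python
from math import exp
from collections import defaultdict

# Constructed flow records (internal_host, external_peer), as a border
# flow collector might export them. Hosts and addresses are hypothetical.
FLOWS = [
    ("h1", "203.0.113.10"), ("h1", "203.0.113.11"), ("h1", "203.0.113.12"),
    ("h2", "203.0.113.12"), ("h2", "203.0.113.13"),
    ("h3", "203.0.113.13"), ("h3", "203.0.113.14"),
    ("h4", "198.51.100.6"), ("h5", "198.51.100.7"),
    # 198.51.100.5 is a popular service contacted by everyone; sharing it
    # is not evidence of botnet membership.
    ("h1", "198.51.100.5"), ("h2", "198.51.100.5"), ("h3", "198.51.100.5"),
    ("h4", "198.51.100.5"), ("h5", "198.51.100.5"),
]


def mutual_peer_probability(d, n):
    """Birthday-paradox style estimate: two bots that each pick d peers
    uniformly and independently from a population of n share at least
    one peer with probability roughly 1 - exp(-d*d/n)."""
    return 1.0 - exp(-(d * d) / n)


def build_graph(flows):
    """Bipartite graph: internal host -> external peers, and the reverse."""
    host_peers = defaultdict(set)
    peer_hosts = defaultdict(set)
    for host, peer in flows:
        host_peers[host].add(peer)
        peer_hosts[peer].add(host)
    return host_peers, peer_hosts


def expand_botnet(flows, seed, max_fanin=2):
    """Starting from one known bot, iteratively add internal hosts that
    share a rare external peer (contacted by at most max_fanin internal
    hosts) with any host already flagged. Returns the flagged set."""
    host_peers, peer_hosts = build_graph(flows)
    known = {seed}
    frontier = [seed]
    while frontier:
        bot = frontier.pop()
        for peer in host_peers[bot]:
            contacts = peer_hosts[peer]
            if len(contacts) > max_fanin:   # popular peer: skip as evidence
                continue
            for host in contacts - known:
                known.add(host)
                frontier.append(host)
    return known
```

With the constructed data, seeding on h1 flags h2 (shared peer 203.0.113.12) and then h3 (shared peer 203.0.113.13), while h4 and h5 are left alone because their only common peer is the popular service.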