Journal of Networks, Vol 6, No 5 (2011), 807-814, May 2011
doi:10.4304/jnw.6.5.807-814

Accurate Detection of Peer-to-Peer Botnet using Multi-Stream Fused Scheme

Jian Kang, Yuan-Zhang Song, Jun-Yao Zhang

Abstract


Nowadays decentralized botnets pose a great threat to the Internet. They have evolved new features such as P2P Command and Control (C&C), which make traditional detection methods no longer effective at indicating the presence of bots. In this paper, based on several of the characteristic properties of these new P2P botnets, we propose a novel real-time detection model, MSFM (Multi-Stream Fused Model). MSFM considers the unique characteristics of multiple types of packets and handles each type with a corresponding strategy. Extensive experimental results show that our model can accurately detect peer-to-peer botnets with relatively low false-positive and false-negative rates.



Keywords


decentralized botnet; Hurst; discrete Kalman filter; multi-chart CUSUM; peer-to-peer

References


[1] S. Northcutt, E. Skoudis, M. Sachs, J. Ullrich, T. Liston, E. Cole, E. Schultz, R. Dhamankar, A. Yoran, H. Schmidt, W. Pelgrin, and A. Paller, “Top Ten Cyber Security Menaces for 2008”, SANS Institute, SANS Press Room, 2008.

[2] J. Stewart, “Storm Worm DDoS Attack”, SecureWorks, Inc., Atlanta, GA, 2007.

[3] J. Grizzard, V. Sharma, C. Nunnery, B. Kang, and D. Dagon, “Peer-to-Peer Botnets: Overview and Case Study”, in HotBots ’07, USENIX, 2007.

[4] S. Sarat and A. Terzis, “Measuring the Storm Worm Network”, Technical Report 01-10-2007, HiNRG, Johns Hopkins University, 2007.

[5] T. Holz, M. Steiner, F. Dahl, E. W. Biersack, and F. Freiling, “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm”, 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, USENIX, San Francisco, 2008.

[6] A. Nummipuro, “Detecting P2P-Controlled Bots on the Host”, Seminar on Network Security, Espoo, Helsinki, 2007.

[7] M. Steggink and I. Idziejczak, “Detection of peer-to-peer botnets”, University of Amsterdam, Netherlands, 2007.

[8] P. Porras, H. Saidi, and V. Yegneswaran, “A Multi-perspective Analysis of the Storm (Peacomm) Worm”, Computer Science Laboratory, SRI International, CA, 2007.

[9] C. R. Davis, J. M. Fernandez, S. Neville, and J. McHugh, “Sybil attacks as a mitigation strategy against the Storm botnet”, Proc. 3rd Int. Conf. on Malicious and Unwanted Software (Malware ’08), Alexandria, VA, 2008, pp. 32-40.

[10] B. Kang, E. Chan-Tin, C. Lee, J. Tyra, H. Kang, C. Nunnery, Z. Wadler, G. Sinclair, N. Hopper, D. Dagon, and Y. Kim, “Towards complete node enumeration in a peer-to-peer botnet”, ACM Symposium on Information, Computer and Communications Security (ASIACCS 2009), 2009.

[11] Zhitang Li, Binbin Wang, Dong Li, Hao Chen, Feng Liu, and Zhengbin Hu, “The Aggregation and Stability Analysis of Network Traffic for Structured-P2P-based Botnet Detection”, Journal of Networks, Vol. 5, No. 5, pp. 517-526, May 2010.

[12] Hossein Rouhani Zeidanloo and Azizah Bt Abdul Manaf, “Botnet Detection by Monitoring Similar Communication Patterns”, International Journal of Computer Science and Information Security (IJCSIS), Vol. 7, No. 3, pp. 36-45, 2010.

[13] P. Maymounkov and D. Mazières, “Kademlia: A peer-to-peer information system based on the XOR metric”, 1st International Workshop on Peer-to-Peer Systems (IPTPS ’02), Springer, NY, 2002.

[14] W. E. Leland, M. S. Taqqu, W. Willinger, et al., “On the self-similar nature of Ethernet traffic (extended version)”, IEEE/ACM Trans. on Networking, Vol. 2, No. 1, pp. 1-15, 1994. doi:10.1109/90.282603

[15] J. Beran, R. Sherman, M. S. Taqqu, et al., “Long range dependence in variable bit rate video traffic”, IEEE Trans. on Communications, Vol. 43, No. 2/3/4, pp. 1566-1579, 1995.

[16] M. W. Garrett and W. Willinger, “Analysis, modeling and generation of self-similar VBR video traffic”, Proc. ACM SIGCOMM ’94, pp. 269-280, 1994.

[17] V. Paxson and S. Floyd, “Wide area traffic: the failure of Poisson modeling”, Proc. ACM SIGCOMM ’94, pp. 257-268, 1994.

[18] R. Addie, “Fractal traffic: measurements, modeling and performance evaluation”, Proc. of INFOCOM ’95, Boston, MA, pp. 977-984, 1995.

[19] J. S. Kim, B. Kahng, D. Kim, et al., “Self-similarity in fractal and non-fractal networks”, Journal of the Korean Physical Society, Vol. 52, pp. 350-356, 2008. doi:10.3938/jkps.52.350

[20] T. Karagiannis, M. Molle, and M. Faloutsos, “Understanding the limitations of estimation methods for long-range dependence”, University of California, Tech. Rep. TRUCR-CS-2006-10245, 2006.

[21] T. Karagiannis, M. Molle, and M. Faloutsos, “Long-range dependence: Ten years of Internet traffic modeling”, IEEE Internet Computing, Vol. 8, No. 5, pp. 57-64, 2004. doi:10.1109/MIC.2004.46

[22] T. Hagiwara, H. Doi, H. Tode, et al., “High-speed calculation method of the Hurst parameter based on real traffic”, LCN 2000: Proceedings of the 25th Annual IEEE Conference on Local Computer Networks, pp. 662-669, 2000. doi:10.1109/LCN.2000.891113

[23] R. E. Kalman, “A New Approach to Linear Filtering and Prediction Problems”, Transactions of the ASME, Journal of Basic Engineering, pp. 35-45, March 1960.

[24] G. Welch and G. Bishop, “An introduction to the Kalman filter”, Dept. of Computer Science, University of North Carolina at Chapel Hill, TR95-041.

[25] A. G. Tartakovsky and V. Veeravalli, “Change-point detection in multichannel and distributed systems with applications”, in Applications of Sequential Methodologies, Marcel Dekker, Inc., New York, pp. 339-370, 2004.

[26] A. G. Tartakovsky, “Asymptotic properties of CUSUM and Shiryaev’s procedures for detecting a change in a nonhomogeneous Gaussian process”, Mathematical Methods of Statistics, No. 4, pp. 389-404, 1995.

[27] A. G. Tartakovsky, B. Rozovskii, and K. Shah, “A Nonparametric Multichart CUSUM Test for Rapid Intrusion Detection”, Proceedings of the Joint Statistical Meetings, Minneapolis, MN, 2005.

[28] Subhabrata S., O. Spatscheck, and D. Wang, “Accurate, scalable in-network identification of P2P traffic using application signatures”, Proceedings of the 13th International Conference on World Wide Web, ACM Press, New York, pp. 512-521, 2004.

[29] S. Kasera, J. Pinheiro, C. Loader, M. Karaul, A. Hari, and T. LaPorta, “Fast and robust signaling overload control”, in Proceedings of the Ninth International Conference on Network Protocols, Riverside, USA, IEEE, pp. 323-331, 2001. doi:10.1109/ICNP.2001.992913

[30] Jian Kang and Jun-Yao Zhang, “Detecting New P2P Botnet with Multi-chart CUSUM”, NSWCTC ’09, pp. 688-691, April 2009.

[31] Kang Jian and Song Yuan-zhang, “Application of KCFM to Detect New P2P Botnet Based on Multi-Observed Sequence”, Geomatics and Information Science of Wuhan University, Vol. 35, No. 5, pp. 520-523, May 2010.


Journal of Networks (JNW, ISSN 1796-2056)

Copyright @ 2006-2012 by ACADEMY PUBLISHER – All rights reserved.