BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets

Karuppayah, Shankar ; Vasilomanolakis, Emmanouil ; Haas, Steffen ; Fischer, Mathias ; Mühlhäuser, Max (2016):
BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets.
In: 2016 IEEE International Conference on Communications,
IEEE, IEEE International Conference on Communications (ICC 2016), Kuala Lumpur, Malaysia, 22.-27.05.2016, ISBN 978-1-4799-6664-6,
DOI: 10.1109/ICC.2016.7510885,
[Conference or Workshop Item]

Abstract

The ever-growing number of cyber attacks launched from botnets has made them one of the biggest threats on the Internet. It is therefore crucial to study and analyze botnets in order to take them down. Extensive monitoring is a prerequisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually countered by the botmasters, who introduce novel anti-monitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques, called BoobyTrap, for detecting the presence of crawlers in P2P botnets. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we describe the observable characteristics of the detected crawlers and suggest crawler improvements that enable monitoring in the presence of the BoobyTrap mechanism.

Item Type: Conference or Workshop Item
Published: 2016
Creators: Karuppayah, Shankar ; Vasilomanolakis, Emmanouil ; Haas, Steffen ; Fischer, Mathias ; Mühlhäuser, Max
Title: BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets
Language: English
Title of Book: 2016 IEEE International Conference on Communications
Publisher: IEEE
ISBN: 978-1-4799-6664-6
Uncontrolled Keywords: - SSI - Area Secure Smart Infrastructures;Secure Services;S1;Solutions;SPIN: Smart Protection in Infrastructures and Networks
Divisions: 20 Department of Computer Science
20 Department of Computer Science > Telecooperation
DFG-Collaborative Research Centres (incl. Transregio)
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres
Profile Areas
Profile Areas > Cybersecurity (CYSEC)
LOEWE
LOEWE > LOEWE-Zentren
LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
Event Title: IEEE International Conference on Communications (ICC 2016)
Event Location: Kuala Lumpur, Malaysia
Event Dates: 22.-27.05.2016
Date Deposited: 31 Dec 2016 12:59
DOI: 10.1109/ICC.2016.7510885
Identification Number: TUD-CS-2016-0035