
BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets

Karuppayah, Shankar; Vasilomanolakis, Emmanouil; Haas, Steffen; Fischer, Mathias; Mühlhäuser, Max (2016):
BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets.
IEEE ICC Communication and Information Systems Security Symposium, IEEE.
[Conference publication]

Abstract

The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets in order to take them down. For this, extensive monitoring is a prerequisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually tackled by the botmasters by introducing novel anti-monitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques for detecting the presence of crawlers in P2P botnets, called BoobyTrap. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we also describe the observable characteristics of the detected crawlers and suggest crawler improvements for enabling monitoring in the presence of the BoobyTrap mechanism.

Entry type: Conference publication (not known)
Published: 2016
Author(s): Karuppayah, Shankar; Vasilomanolakis, Emmanouil; Haas, Steffen; Fischer, Mathias; Mühlhäuser, Max
Title: BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets
Language: English

Book title: IEEE ICC Communication and Information Systems Security Symposium
Publisher: IEEE
Free keywords: SSI - Area Secure Smart Infrastructures; Secure Services; S1; Solutions; SPIN: Smart Protection in Infrastructures and Networks
Department(s)/field(s): LOEWE > LOEWE Centres > CASED – Center for Advanced Security Research Darmstadt
DFG Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > SFB 1119: CROSSING – Cryptography-Based Security Solutions as a Foundation for Trust in Today's and Future IT Systems
20 Department of Computer Science > Telecooperation
Profile Areas > Cybersecurity (CYSEC)
Venue: Kuala Lumpur, Malaysia
Deposit date: 31 Dec 2016 12:59
DOI: 10.1109/ICC.2016.7510885

ID number: TUD-CS-2016-0035