
BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets

Karuppayah, Shankar and Vasilomanolakis, Emmanouil and Haas, Steffen and Fischer, Mathias and Mühlhäuser, Max (2016):
BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets.
In: IEEE ICC Communication and Information Systems Security Symposium, IEEE, Kuala Lumpur, Malaysia, ISBN 978-1-4799-6664-6,
DOI: 10.1109/ICC.2016.7510885, [Conference or Workshop Item]

Abstract

The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets in order to take them down. For this, extensive monitoring is a prerequisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually tackled by the botmasters by introducing novel anti-monitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques for detecting the presence of crawlers in P2P botnets, called BoobyTrap. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we also describe the observable characteristics of the detected crawlers and suggest crawler improvements for enabling monitoring in the presence of the BoobyTrap mechanism.
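The abstract says only that BoobyTrap exploits "botnet-specific protocol and design constraints" to tell crawlers from bots; the concrete checks are not described in this record. As an added illustration of that general idea (this is not the paper's mechanism or code), the following bot-side detector flags peers that violate two assumed constraints: a minimum interval between neighbour-list requests that a benign bot honours, and reciprocity, i.e. a benign bot answers our own neighbour-list request with a non-empty list. The constants, message kinds, peer addresses and the event log are all constructed for the example.

```python
"""
Illustrative crawler-detection heuristics for a bot in a P2P botnet.
Added example, NOT the BoobyTrap mechanism from the paper: it only shows
how a bot can flag peers that break protocol constraints benign bots obey.
Every constant, message kind and address below is a constructed assumption.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed protocol constraints (hypothetical values; real botnets differ).
MIN_NL_REQUEST_INTERVAL = 40 * 60  # benign bot re-requests a neighbour list at most every 40 min
MAX_NL_REQUESTS_PER_DAY = 48       # ... and never more often than 48 times per day to one peer
REPLY_TIMEOUT = 60                 # benign bot answers our neighbour-list request within 60 s
MIN_PROBES_FOR_VERDICT = 3         # do not judge reciprocity on fewer probes than this


@dataclass
class PeerState:
    request_times: deque = field(default_factory=deque)  # timestamps of NL requests received
    pending_probe: Optional[float] = None                # when we last sent our own NL request
    probes_sent: int = 0
    probes_answered: int = 0
    violations: set = field(default_factory=set)


class CrawlerDetector:
    def __init__(self):
        self.peers = defaultdict(PeerState)

    def on_nl_request(self, peer, ts):
        """Peer asked us for our neighbour list: check timing constraints."""
        st = self.peers[peer]
        q = st.request_times
        if q and ts - q[-1] < MIN_NL_REQUEST_INTERVAL:
            st.violations.add("interval")
        q.append(ts)
        while q and ts - q[0] > 86400:  # keep a sliding one-day window
            q.popleft()
        if len(q) > MAX_NL_REQUESTS_PER_DAY:
            st.violations.add("rate")

    def on_probe_sent(self, peer, ts):
        """We sent our own neighbour-list request to the peer."""
        st = self.peers[peer]
        st.probes_sent += 1
        st.pending_probe = ts

    def on_nl_reply(self, peer, ts, entries):
        """Peer answered our probe: a crawler often serves nothing at all."""
        st = self.peers[peer]
        if st.pending_probe is not None and ts - st.pending_probe <= REPLY_TIMEOUT:
            st.probes_answered += 1
            st.pending_probe = None
        if not entries:
            st.violations.add("empty_reply")

    def verdict(self, peer):
        """Sorted list of violated constraints; empty means 'looks like a bot'."""
        st = self.peers[peer]
        if st.probes_sent >= MIN_PROBES_FOR_VERDICT and st.probes_answered == 0:
            st.violations.add("no_reciprocity")
        return sorted(st.violations)


def analyze(events):
    """Replay (ts, kind, peer, payload) events in time order; return peer -> violations."""
    det = CrawlerDetector()
    for ts, kind, peer, payload in sorted(events, key=lambda e: e[0]):
        if kind == "nl_request":
            det.on_nl_request(peer, ts)
        elif kind == "probe_sent":
            det.on_probe_sent(peer, ts)
        elif kind == "nl_reply":
            det.on_nl_reply(peer, ts, payload)
    return {peer: det.verdict(peer) for peer in det.peers}


# Constructed event log (hypothetical addresses): one benign bot, two crawler styles.
SAMPLE_EVENTS = []
for i in range(3):  # benign bot: one request per 40 min, answers our probes
    SAMPLE_EVENTS.append((i * 2400, "nl_request", "10.0.0.1:5000", None))
    SAMPLE_EVENTS.append((i * 2400 + 1, "probe_sent", "10.0.0.1:5000", None))
    SAMPLE_EVENTS.append((i * 2400 + 2, "nl_reply", "10.0.0.1:5000", ["10.0.0.7:5000"]))
for i in range(60):  # aggressive crawler: a request every 10 s, never answers us
    SAMPLE_EVENTS.append((i * 10, "nl_request", "203.0.113.5:4444", None))
for i in range(3):
    SAMPLE_EVENTS.append((i * 100 + 5, "probe_sent", "203.0.113.5:4444", None))
for i in range(3):  # stealthy crawler: correct timing, but serves empty lists
    SAMPLE_EVENTS.append((i * 2400, "nl_request", "198.51.100.9:6000", None))
    SAMPLE_EVENTS.append((i * 2400 + 1, "probe_sent", "198.51.100.9:6000", None))
    SAMPLE_EVENTS.append((i * 2400 + 2, "nl_reply", "198.51.100.9:6000", []))

if __name__ == "__main__":
    for peer, violations in analyze(SAMPLE_EVENTS).items():
        print(peer, "crawler?" if violations else "bot", violations)
```

The timing checks catch a crawler that simply polls fast; the reciprocity and empty-reply checks catch one that keeps to the protocol's timing but does not maintain a neighbour list of its own. A real crawler can evade both by throttling and by serving a plausible list, which is the kind of crawler improvement the abstract says the paper goes on to suggest.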

Item Type: Conference or Workshop Item
Published: 2016
Creators: Karuppayah, Shankar and Vasilomanolakis, Emmanouil and Haas, Steffen and Fischer, Mathias and Mühlhäuser, Max
Title: BoobyTrap: On Autonomously Detecting and Characterizing Crawlers in P2P Botnets
Language: English
Title of Book: IEEE ICC Communication and Information Systems Security Symposium
Publisher: IEEE
ISBN: 978-1-4799-6664-6
Uncontrolled Keywords: SSI - Area Secure Smart Infrastructures; Secure Services; S1; Solutions; SPIN: Smart Protection in Infrastructures and Networks
Divisions: LOEWE > LOEWE-Zentren > CASED – Center for Advanced Security Research Darmstadt
DFG-Collaborative Research Centres (incl. Transregio) > Collaborative Research Centres > CRC 1119: CROSSING – Cryptography-Based Security Solutions: Enabling Trust in New and Next Generation Computing Environments
20 Department of Computer Science > Telecooperation
Profile Areas > Cybersecurity (CYSEC)
Event Location: Kuala Lumpur, Malaysia
Date Deposited: 31 Dec 2016 12:59
DOI: 10.1109/ICC.2016.7510885

Identification Number: TUD-CS-2016-0035