PeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
1 like997 views
This document describes PeerShark, a system for detecting peer-to-peer botnets by tracking conversations on a network. It analyzes network traffic to identify conversations between IP addresses and aggregates them to detect long, stealthy botnet conversations despite variations in protocols and ports. PeerShark extracts features from conversations like duration, packet count, volume, and inter-arrival times. It then classifies conversations as benign peer-to-peer applications or malicious botnets using machine learning. When tested on real peer-to-peer application and botnet traffic, PeerShark achieved over 95% accuracy on average at detecting botnets.
PeerShark - Detecting Peer-to-Peer Botnets by Tracking Conversations
- 1. DETECTING PEER-TO-PEER BOTNETS BY TRACKING CONVERSATIONS Pratik Narang1, Subhajit Ray1, Chittaranjan Hota1 and Venkat Venkatakrishnan2 1BITS Pilani, Hyderabad campus, India 2University of Illinois at Chicago
- 2. Introduction • What’s a bot ? • What’s a botnet ? • What’s a Peer-to-Peer based botnet ?
- 5. P2P: Uses and Misuses
- 6. Previous work • Intial work with signature-based approaches • Evaded by bots using encryption • Recent work – analysis of network behavior • Most of it uses 5-tuple ‘flow-based’ approach <Source IP, Dest. IP, Source port, Dest. Port, Protocol> • Great success in Internet traffic classification • Doesn’t suit the needs of P2P traffic
- 7. Identifying P2P traffic • Modern P2P apps and bots randomize ports, operate on TCP as well as UDP • P2P traffic has bi-directional nature • E.g.- BitTorrent- seeders and leechers • Thus, traditional flow-based approaches may give a false view of network communication • Notion of a conversation more suited to P2P • Who is talking to whom ? • Irrespective of protocol, port, etc.
- 8. P2P apps v/s P2P bots Applications: • A human user-‘bursty’ traffic • High volume of data transfers seen • Small inter-arrival time of packets seen in apps Botnets: • Automated/scripted commands • Low in volume, high in duration • Large inter-arrival time of packets seen in stealthy bots
- 9. PeerShark: Overview Conversation Creation Module Conversation Aggregation Module Classification Module Packet Filtering Module FLOWGAP initial FLOWGAP Packets useful for our system Packets discarded by our system (Corrupted or missing headers) Conversations classified as benign Conversations classified as malicious
- 10. Approach • Parse network traces, discard corrupted packets • Create ‘conversations’, identified by the tuple <IP1,IP2> and an initial FLOWGAP parameter • Aggregate conversations again – this time with a higher FLOWGAP parameter • To be decided by Network Admin based on understanding of the network • Useful for detecting slow and stealthy bots
- 11. Approach • For each tuple, extract 4 features : – The duration of the conversation – The number of packets exchanged in the conversation – The volume of the conversation (no. of bytes) – The Median value of the inter-arrival time of packets in the conversation • Hunt for long-lived, stealthy conversations • Categorize P2P apps & bots with the features above, using supervised machine learning approaches
- 12. Dataset P2P app name Used for? Type of data/Size of data eMule P2P file sharing application pcap file/19 GB uTorrent P2P file sharing application pcap file/33 GB P2P botnet name What it does? Type of data/Size of data Storm Email Spam pcap file/ 4.8 GB Waledac Email spam, password stealing pcap file/ 1.1 GB
- 14. Results BayesNet J48 Adaboost with REP tree TP FP ROC TP FP ROC TP FP ROC eMule 0.929 0.012 0.996 0.964 0.012 0.987 0.93 0.021 0.993 Storm 0.988 0.009 0.999 0.986 0.003 0.996 0.979 0.004 0.999 Waledac 0.989 0.01 0.999 0.988 0.005 0.995 0.97 0.009 0.998 uTorrent 0.947 0.019 0.996 0.965 0.012 0.989 0.943 0.025 0.994 Avg. 0.96325 0.0125 0.9975 0.97575 0.008 0.99175 0.9555 0.01475 0.996 90% 91% 92% 93% 94% 95% 96% 97% 98% 99% 100% BayesNet J48 Adaboost with REP tree OverallAccuracy(%)
- 15. Code publicly available for review & feedback: https://github.com/pratiknarang/peershark
- 16. Back-up
- 17. Limitations & Possible evasions of PeerShark • Only built for 2 apps and 2 bots. Any new app/bot will also get (mis)classified into one of these classes. • If more than one P2P application (benign or malicious) is running between two peers, PeerShark will not be able to correctly classify it. • Smarter bots which engage in occasional file-sharing with bot-peers (and thus mimic benign behavior) can evade PeerShark.