Abstract
The ever-growing number of cyber attacks from botnets has made them one of the biggest threats on the Internet. Thus, it is crucial to study and analyze botnets, to take them down. For this, an extensive monitoring is a pre-requisite for preparing a botnet takedown, e.g., via a sinkholing attack. However, every new monitoring mechanism developed for botnets is usually tackled by the botmasters by introducing novel antimonitoring countermeasures. In this paper, we anticipate these countermeasures by proposing a set of lightweight techniques for detecting the presence of crawlers in P2P botnets, called BoobyTrap. For that, we exploit botnet-specific protocol and design constraints. We evaluate the performance of our BoobyTrap mechanism on two real-world botnets: Sality and ZeroAccess. Our results indicate that we can distinguish many crawlers from benign bots. In fact, we discovered close to 10 crawler nodes within our observation period in the Sality botnet and around 120 in the ZeroAccess botnet. In addition, we also describe the observable characteristics of the detected crawlers and suggest crawler improvements for enabling monitoring in the presence of the BoobyTrap mechanism.
| Original language | English |
|---|---|
| Title of host publication | 2016 IEEE International Conference on Communications, ICC 2016 |
| Publisher | IEEE |
| Publication date | 12 Jul 2016 |
| Article number | 7510885 |
| ISBN (Electronic) | 9781479966646 |
| DOIs | |
| Publication status | Published - 12 Jul 2016 |
| Externally published | Yes |
| Event | 2016 IEEE International Conference on Communications, ICC 2016 - Kuala Lumpur, Malaysia Duration: 22 May 2016 → 27 May 2016 |
Conference
| Conference | 2016 IEEE International Conference on Communications, ICC 2016 |
|---|---|
| Country/Territory | Malaysia |
| City | Kuala Lumpur |
| Period | 22/05/2016 → 27/05/2016 |
| Series | 2016 IEEE International Conference on Communications, ICC 2016 |
|---|
Bibliographical note
Publisher Copyright:© 2016 IEEE.