Abstract—Botnets are responsible for most of the security threats on the Internet. Botnet attacks often leverage the coordinated structure of bots spread over a vast geographical area. In this paper, we propose CluSiBotHealer, a novel framework for the detection of Peer-to-Peer (P2P) botnets through data mining techniques. P2P botnets are a more resilient botnet structure, (re)designed to overcome the single point of failure of centralized botnets. Our proposed system is based on clustering the C&C flows of suspected bots within a monitored network. Leveraging the similarity of packet structures and flow structures among the frequently exchanged C&C flows of a P2P botnet, our proposed system first clusters the flows and then applies the Jaccard similarity coefficient to sample sets derived from the clusters for accurate detection of bots. Ours is a very effective and novel framework which can be used for proactive detection of P2P bots within a monitored network. We empirically validated our model on traces collected from three different P2P botnets, namely Nugache, Waledac and P2P Zeus.
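As an added illustration (not the paper's code or data), the following Python sketch walks through the two stages the abstract names: flows are clustered on a packet-structure key, each monitored host's sample set is the set of clusters its flows fall into, and hosts whose sample sets have a high Jaccard coefficient are flagged as suspected bots. The traffic records, the size-bucketing cluster key and the 0.5 threshold are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed traffic records (not from the paper): (source_host, destination, packet sizes).
# h1-h3 emulate P2P bots exchanging two recurring C&C flow types; h4 and h5 are benign.
FLOWS = [
    ("h1", "peerX", (52, 60)),           ("h1", "peerY", (52, 300, 1300)),
    ("h2", "peerZ", (52, 60)),           ("h2", "h1",    (52, 300, 1300)),
    ("h3", "h2",    (52, 60)),           ("h3", "peerX", (52, 300, 1300)),
    ("h3", "web",   (500, 1460, 1460)),  # the bot's host also browses the web
    ("h4", "web",   (500, 1460, 1460)),  ("h4", "dns",   (60, 120)),
    ("h5", "dns",   (60, 120)),          ("h5", "mail",  (100, 200, 200)),
]

def flow_signature(packet_sizes, bucket=16):
    """Assumed cluster key for flow structure: packet count plus sizes quantized to bucket-byte bins."""
    return (len(packet_sizes), tuple(size // bucket for size in packet_sizes))

def cluster_flows(flows, bucket=16):
    """Group flows with identical signatures into clusters."""
    clusters = defaultdict(list)
    for flow in flows:
        clusters[flow_signature(flow[2], bucket)].append(flow)
    return clusters

def host_sample_sets(clusters):
    """Sample set per monitored host: the cluster ids of the flows it initiated."""
    sample_sets = defaultdict(set)
    for cluster_id, members in clusters.items():
        for src, _dst, _sizes in members:
            sample_sets[src].add(cluster_id)
    return sample_sets

def jaccard(a, b):
    """Jaccard similarity coefficient |A & B| / |A | B|, defined as 0.0 for two empty sets."""
    return len(a & b) / len(a | b) if (a | b) else 0.0

def pairwise_similarity(flows, bucket=16):
    """Jaccard score for every pair of monitored hosts, keyed by (host_a, host_b)."""
    sample_sets = host_sample_sets(cluster_flows(flows, bucket))
    return {pair: jaccard(sample_sets[pair[0]], sample_sets[pair[1]])
            for pair in combinations(sorted(sample_sets), 2)}

def suspected_bots(flows, threshold=0.5):
    """Hosts whose sample set is at least `threshold` similar to another host's."""
    suspects = set()
    for (host_a, host_b), score in pairwise_similarity(flows).items():
        if score >= threshold:
            suspects.update((host_a, host_b))
    return sorted(suspects)
```

On the constructed records the three bot hosts share the same two C&C flow clusters and are flagged, while the benign hosts, which only coincidentally share a web or DNS cluster, fall below the threshold.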
Index Terms—Bot, botnet, clustering, peer-to-peer.
Pijush Barthakur is with the Department of Computer Applications, Sikkim Manipal Institute of Technology, Sikkim, India (e-mail: pijush.barthakur@gmail.com).
Manoj Dahal is with the Novell IDC, Bagmane Tech Park, C V Ramannagar, Bangalore, India (e-mail: mdahal@novell.com).
Mrinal Kanti Ghose is with the Department of Computer Science and Engineering, Sikkim Manipal Institute of Technology, Sikkim, India (e-mail: mkghose2000@yahoo.com).
Cite: Pijush Barthakur, Manoj Dahal, and Mrinal Kanti Ghose, "CluSiBotHealer: Botnet Detection through Similarity Analysis of Clusters," Journal of Advances in Computer Networks, vol. 3, no. 1, pp. 49-55, 2015.