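@inproceedings{51dce4cac15c4c6992dbf702213e56b0,
  title         = {Friends of an Enemy: Identifying Local Members of Peer-to-Peer Botnets Using Mutual Contacts},
  abstract      = {In this work we show that once a single peer-to-peer (P2P) bot is detected in a network, it may be possible to efficiently identify other members of the same botnet in the same network even before they exhibit any overtly malicious behavior. Detection is based on an analysis of connections made by the hosts in the network. It turns out that if bots select their peers randomly and independently (i.e. unstructured topology), any given pair of P2P bots in a network communicate with at least one mutual peer outside the network with a surprisingly high probability. This, along with the low probability of any other host communicating with this mutual peer, allows us to link local nodes within a P2P botnet together. We propose a simple method to identify potential members of an unstructured P2P botnet in a network starting from a known peer. We formulate the problem as a graph problem and mathematically analyze a solution using an iterative algorithm. The proposed scheme is simple and requires only flow records captured at network borders. We analyze the efficacy of the proposed scheme using real botnet data, including data obtained from both observing and crawling the Nugache botnet.},
  keywords      = {IDS, P2P botnet, network security},
  author        = {Coskun, Baris and Dietrich, Sven and Memon, Nasir},
  year          = {2010},
  doi           = {10.1145/1920261.1920283},
  language      = {English (US)},
  isbn          = {9781450301336},
  series        = {Proceedings - Annual Computer Security Applications Conference, {ACSAC}},
  publisher     = {IEEE Computer Society},
  pages         = {131--140},
  booktitle     = {Proceedings - 26th Annual Computer Security Applications Conference, {ACSAC} 2010},
  internal-note = {Auto-exported record. The original note field read "Copyright: Copyright 2011 Elsevier B.V., All rights reserved."; it is kept here in an ignored field so it is not rendered in the bibliography. NOTE(review): the DOI prefix 10.1145 is normally ACM's, yet publisher says IEEE Computer Society -- confirm the publisher against the DOI landing page before relying on it.},
}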