§2.1 Field of the Invention
The present invention concerns network security. More specifically, the present invention concerns finding members of a peer-to-peer botnet.
§2.2 Background Information
A botnet is a network of compromised hosts (“bots”) under the control of a “botmaster”. Botnets have become a major security threat in recent years. Botnets are used to perform various malicious activities such as spamming, phishing, stealing sensitive information, conducting distributed denial of service (“DDoS”) attacks, scanning to find more hosts to compromise, etc. Bots performing such malicious activity occasionally “go over the radar” and get detected by intrusion, anomaly and/or behavior detection systems present within a network. In fact, network administrators routinely discover bots, which are then immediately quarantined or removed. Unfortunately, however, the known detection systems do not provide efficient solutions for detecting bots of the same type which have not yet been exposed because they may not have committed any malicious activity.
One approach to find dormant bots is to characterize the Command and Control (“C&C”) channel from the discovered bot's recent traffic and identify hosts that exhibit similar C&C traffic characteristics. For example, in botnets with a centralized C&C architecture, in which all bots receive commands from a few central control servers, the source of the C&C messages may be used to characterize the corresponding C&C channel and reveal potential dormant bots. (See, e.g., A. Karasaridis, B. Rexroad, and D. Hoeflin, “Wide-scale botnet detection and characterization,” HotBots '07: Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets, (2007), incorporated herein by reference.)
Unfortunately, however, characterizing the C&C channel is generally not a trivial task for botnets that utilize a peer-to-peer (“P2P”) architecture without a central server. For example, this kind of source analysis does not work well for P2P botnets because the botmaster in the P2P botnet may use any node to inject C&C messages. To receive and distribute C&C messages, each P2P bot communicates with a small subset of the botnet (i.e., its peer list) and maintains its own peer list independently. (See, e.g., the articles: J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon, “Peer-to-Peer Botnets: Overview and Case Study,” HotBots '07: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, (2007); T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm,” LEET '08: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, (2008); and S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich, “Analysis of the Storm and Nugache Trojans: P2P is Here,” Login: The USENIX Magazine, Volume 32-6 (December 2007), all incorporated herein by reference.) Hence, no obvious common source of C&C messages is observed. Consequently, source analysis cannot link the discovered bot with the dormant bots. Furthermore, features based on packet sizes and timings, such as packets per flow, bytes per flow, flows per hour, etc., may not be useful in characterizing a C&C channel, since botmasters may easily randomize such features, thereby obtaining different feature values for each bot. (See, e.g., the article: E. Stinson and J. C. Mitchell, “Towards Systematic Evaluation of the Evadability of Bot/Botnet Detection Methods,” WOOT '08: Proceedings of the 2nd Conference on USENIX Workshop on Offensive Technologies, (2008), incorporated herein by reference.)
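The contrast drawn in the two preceding paragraphs, source-based C&C characterization succeeding for a centralized botnet and failing for a P2P botnet, can be made concrete on flow records. The following is an added illustration and not part of the patent text or any cited work; the flow records, IP addresses, ports and the analyst's whitelist are all constructed for the example. Starting from one discovered bot, the C&C channel is characterized as the set of destinations that bot contacts, and every other host contacting one of those destinations is reported as a candidate dormant bot. The same procedure is then run against a P2P scenario in which each bot keeps its own peer list, and a Jaccard overlap between the bots' destination sets shows why the candidates are incomplete there.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow records (src_ip, dst_ip, dst_port). Not taken from any real capture.
# Centralized scenario: three infected hosts poll a single C&C server (203.0.113.5:6667,
# a constructed address); 10.0.0.20 is a clean host that only visits a web server.
CENTRALIZED_FLOWS = [
    ("10.0.0.11", "203.0.113.5", 6667),
    ("10.0.0.11", "198.51.100.10", 443),
    ("10.0.0.12", "203.0.113.5", 6667),
    ("10.0.0.13", "203.0.113.5", 6667),
    ("10.0.0.13", "198.51.100.10", 443),
    ("10.0.0.20", "198.51.100.10", 443),
]

# P2P scenario: the same three infected hosts, but each talks to its own small peer list
# (constructed addresses); only one peer is shared between any two bots.
P2P_FLOWS = [
    ("10.0.0.11", "192.0.2.1", 7871), ("10.0.0.11", "192.0.2.2", 7871), ("10.0.0.11", "192.0.2.3", 7871),
    ("10.0.0.12", "192.0.2.3", 7871), ("10.0.0.12", "192.0.2.4", 7871), ("10.0.0.12", "192.0.2.5", 7871),
    ("10.0.0.13", "192.0.2.6", 7871), ("10.0.0.13", "192.0.2.7", 7871), ("10.0.0.13", "192.0.2.8", 7871),
    ("10.0.0.20", "198.51.100.10", 443),
]

# Destinations the analyst already trusts (constructed whitelist): removed before the
# discovered bot's destination set is treated as a C&C characterization.
WHITELIST = frozenset({("198.51.100.10", 443)})


def destinations_by_host(flows):
    """Map each source host to the set of (dst_ip, dst_port) pairs it contacted."""
    dests = defaultdict(set)
    for src, dst, port in flows:
        dests[src].add((dst, port))
    return dests


def characterize_cc_sources(flows, discovered_bot, whitelist=WHITELIST):
    """Characterize the C&C channel of a discovered bot by the destinations it contacts,
    minus whitelisted destinations. For a centralized botnet this is the control server."""
    return destinations_by_host(flows)[discovered_bot] - whitelist


def candidate_dormant_bots(flows, discovered_bot, whitelist=WHITELIST):
    """Other hosts that contacted at least one of the characterized C&C sources."""
    cc_sources = characterize_cc_sources(flows, discovered_bot, whitelist)
    dests = destinations_by_host(flows)
    return {h for h, d in dests.items() if h != discovered_bot and d & cc_sources}


def jaccard(a, b):
    """Jaccard similarity of two sets; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def peer_list_overlap(flows, hosts, whitelist=WHITELIST):
    """Pairwise Jaccard overlap of the non-whitelisted destination sets of the given hosts."""
    dests = destinations_by_host(flows)
    return {
        (h1, h2): jaccard(dests[h1] - whitelist, dests[h2] - whitelist)
        for h1, h2 in combinations(sorted(hosts), 2)
    }


if __name__ == "__main__":
    bots = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]
    for name, flows in (("centralized", CENTRALIZED_FLOWS), ("p2p", P2P_FLOWS)):
        print(name, "C&C sources:", sorted(characterize_cc_sources(flows, "10.0.0.11")))
        print(name, "candidates:", sorted(candidate_dormant_bots(flows, "10.0.0.11")))
        print(name, "overlap:", peer_list_overlap(flows, bots))
```

In the centralized scenario the discovered bot's only non-whitelisted destination is the control server, and both other infected hosts are recovered as candidates. In the P2P scenario the "source" observed at the discovered bot is just its own peer list; only the one bot that happens to share a peer is found, the third is missed, and the pairwise overlap values make the independence of the peer lists visible. Randomized packet-size and timing features, as the paragraph above notes, would not rescue the method either, which is the gap the remainder of the specification addresses.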
Further, characterizing packet contents is not feasible for botnets such as Nugache, Storm, Waledac and Conficker, which employ advanced encryption mechanisms. (See, e.g., the articles: J. B. Grizzard, V. Sharma, C. Nunnery, B. B. Kang, and D. Dagon, “Peer-to-Peer Botnets: Overview and Case Study,” HotBots '07: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, (2007); T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling, “Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm,” LEET '08: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, (2008); P. Porras, H. Saidi, and V. Yegneswaran, “Conficker C P2P Protocol and Implementation,” http://mtc.sri.com/Conficker/P2P/ (September 2009); G. Sinclair, C. Nunnery, and B.-H. Kang, “The Waledac Protocol: The How and Why,” Malicious and Unwanted Software (MALWARE), 4th International Conference, pp. 69-77, (October 2009); and S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich, “Analysis of the Storm and Nugache Trojans: P2P is Here,” Login: The USENIX Magazine, Volume 32-6 (December 2007), all incorporated herein by reference.)
In view of the foregoing, it would be useful to provide a scheme for identifying local P2P bots of a network before they exhibit any overt behavior, and even for identifying P2P bots which may not exhibit any behavior in common with all other P2P bots.