
The Research Of P2P Botnet Detecting Technology

Posted on: 2013-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Yang
Full Text: PDF
GTID: 2248330395485105
Subject: Computer Science and Technology
Abstract/Summary:
Among the security threats in the cyberworld, the botnet is one that is highly destructive and increasingly widespread: an attacker can remotely control a large set of compromised computers to launch group or individual attacks against targeted or non-targeted systems. In recent years, the operating model of botnet control has evolved from centralized IRC or HTTP botnets to decentralized P2P botnets. This change has degraded the ability to detect the existence of a botnet. A P2P botnet, by adopting the P2P communication model, allows an attacker to deliver attack commands from any node in the botnet. Hence, existing botnet detection and defense mechanisms based on the centralized operating model are not effective in deterring the threats posed by P2P botnets.

In this paper, we analyze the strengths and weaknesses of existing botnet detection approaches to provide reference solutions for our study. Subsequently, this paper compares common P2P software with the P2P bot Peacomm and analyzes the differences between the network packets of common P2P software and those of P2P zombies. We devised a two-stage adaptive detection and defense mechanism for P2P botnets. Processes using the P2P communication model are first identified according to their network behavior. They are then monitored for all of their activities on the host computer. When any of the designated anomalous behaviors is detected, a defense mechanism is employed, such as activating a firewall rule to block traffic to or from the corresponding communication port. The proposed mechanism can perform the intended defense whether the bot malware is a known one, a variant, or a previously unknown one. A prototype system has been implemented, and the effectiveness of the proposed scheme has been verified.
Keywords/Search Tags: P2P Botnet, Botnet Detection, Intrusion Detection, Intrusion Defense System