ML Approaches to P2P Botnet Detection

BITS Pilani
Hyderabad Campus
ML Approaches to P2P Botnet
Detection
by
Vansh Khurana
Mentors: Dr. Chittaranjan Hota, Pratik Narang and Team

CS C441 / CS F441 Second Semester 2013-14 BITS Pilani, Hyderabad Campus
• Introduction to P2P
• Analyzing available Dataset
• Deep Dive into P2P Botnets
• Classification Algorithms
• System Design
• Prelim Results with Extensive Feature Set
• Curse of Dimensionality
• Ensemble Classifier
• Future Work
Today’s Agenda

• P2P Networks
• Botnets
• Malicious Activities
Introduction

• Decentralized and distributed network architecture
• Peers act as both suppliers and consumers of resources
• Better resource utilization
• No Central Coordination
• Applications:
• Instant Messaging Systems: Skype
• Digital currency: Bitcoin
• Wireless community networks: Netsukuku
• Foreign Currency Exchange Market Place: CurrencyFair
• Content Delivery: Torrent Applications
• File sharing: Gnutella, DC++
• And many more….
P2P Networks

• A network of compromised machines (bots) controlled by a
bot master
• Typical Formation: Spam Example
• A botnet operator sends out viruses or worms, infecting ordinary users'
computers, whose payload is a malicious application—the bot.
• The bot on the infected PC logs into a particular C&C server.
• A spammer purchases the services of the botnet from the operator.
• The spammer provides the spam messages to the operator, who instructs the
compromised machines via the control panel on the web server, causing them
to send out spam messages
• Should We care? -Absolutely!
• Privacy Invasion – Hacked Accounts, Weak Passwords, Credential reuse, social
engineering attacks
• Financial Theft- 10 days of Torpig data valued at $83K to $8.3M (2009)
Botnets

• Responsible for (non-exhaustive list):
• Large-scale network probing (i.e., scanning activities)
• Launching Distributed Denial of Service (DDoS) attacks
• Sending large-scale unsolicited emails (SPAM)
• Click-fraud campaign
• Information theft
• Spyware
• Adware
Shift from a for-fun activity towards a profit-oriented business
Malicious Activities

• Introduction to P2P
• Analyzing available Dataset
• Deep Dive into P2P Botnets
• Classification Algorithms
• System Design
• Prelim Results with Extensive Feature Set
• Curse of Dimensionality
• Ensemble Classifier
• Future Work

• Obtained from University of Georgia: Babak Rahbirinia et al.
• Benign Applications: Emule, Frostwire, uTorrent, Vuze
• ~ 130 gigs of Raw log files
• Malicious Botnet data:
• Storm, ~9 gigs
• Waledac, ~ 1 gig
• Zeus, ~ 100 mb
• Nugache ~100 mb
• Data for Botnets contain only C&C messages
• We build training models to represent real world behaviour –
~80:20
More on Botnets next!
Analyzing available Dataset

• P2P Botnets: Lifecycle
• Botnets of Interest
• Storm
• Waledac
• Zeus
• Nugache
Deep Dive into P2P Botnets

• Initial infection- Exploit known vulnerability, grant additional capabilities
to the attacker on the target system
• Secondary injection- leverage newly acquired access to execute additional
scripts or programs which then fetch a malicious binary from a known
location
• Connection: bot attempts to establish a connection to the command and
control server through a variety of methods
• Malicious command and control – Doing the damage
• Update and maintenance -bots are commanded to update their binaries,
typically to defend against new attacks or to improve their functionality.
P2P Botnets: Lifecycle

• Email Spam Botnet (2007)
• Extent of Damage: 1 million to 50 million computer
systems
• Methodology
• Observed to be defending itself, and attacking computer systems that
scanned for Storm virus-infected computer systems online.
• DDoS counter-attacks, to maintain its own internal integrity
• Fools the antivirus on local system: Actual processes do nothing
• Mostly uses UDP as underlying transport layer protocol
Storm

• Email Spam Botnet (2010)
• Extent: ~70k to 90K
• Infection method:
• Email
• Fake Websites
• Bundled with other threats ,such as Trojan.Peacomm, W32.Downadup,
and Trojan.Bredolab
• Typically sends log file every 30 minutes
• Mostly Operates over TCP
• More here:
http://www.symantec.com/security_response/write
up.jsp?docid=2008-122308-1429-99
Waledac

• Often used to steal banking information by man-in-the-
browser keystroke logging and form grabbing, web page
injection (2007)
• Spread mainly through drive-by downloads and phishing
schemes
• Extent: 3.6 million in US alone- Operates very stealthily
• Uses both TCP/ UDP protocols // flow concept fails
Zeus

• One of the first sophisticated p2p botnets (2006)
• Created by Jason Michael Milmont, when he was 16!
• TCP port 8 bot, listens on port 8
• Didn’t Use: log files don’t represent theoretical
information
More here:
http://www.symantec.com/security_response/writeup.jsp?
docid=2006-043016-0900-99&tabid=2
Nugache

BITS Pilani
Hyderabad Campus
DEMO 1: Botnet Data Analysis

• Decision Trees:
• Based on Information Gain
• Fast, ignores irrelevant features
• But can overfit. We use REP Trees and set maximum depth to avoid this
• K- Nearest Neighbour:
• Inherently simple, doesn’t overfit
• Artificial Neural Networks:
• large number of features can be well handled
• Heuristically set hidden layers:
(No. of Features + No. of Class Labels) / 2
• SVM:
• perform extremely complex kernel-based data transformations, and then find an
optimal boundary between the possible outputs based on these transformations.
• pairwise classification approach (one-versus-one)
Classification Algorithms

• Salient Features
• Background
• Modules
System Design

• No reliance on Encryption and Deep Packet
Inspection
• Intuitive and Simplistic Model to solve a complex
problem
• Model Bot Behaviour accurately
• Explored Feature Set extensively (~75 Features)
• Explored Non Network based features
• Compression Ratio
• Signal Processing Approach to model network behaviour
• More on this later…
• Most importantly: Achieved Good Results
Salient Features

• Shannon’s Source Coding Theorem
• The expected length L of an encoding of X with
associated probability function p(x) is given by:
• Bot data expected to be more uniform, hence should give
more compression
Background

• Discrete Fourier Transform:
• Converts a finite list of equally spaced samples of a function into the list
of coefficients of a finite combination of complex sinusoids, ordered by
their frequencies
• Time domain to frequency domain to extract hidden patterns in botnet communication
• The network communication between a pair of nodes is
treated as a `signal'.
• Given a time sequence X = X(0);X(1) : : :X(w), its Discrete
Fourier Transform (DFT) is given as-
• The first few DFT coefficients contain most of the energy
Background

Modules

• Dataset Description
• Used Extensive Feature Set
Prelim results (ACM DEBS)

Prelim Results (ACM DEBS)
Overall Precision and Recall

BITS Pilani
Hyderabad Campus
DEMO 2:
System Design & Prelim Results

• Principal Component Analysis
• Feature Selection Algorithms
Curse of Dimensionality

• Statistical procedure that uses orthogonal transformation to
convert a set of observations of possibly correlated variables
into a set of values of linearly uncorrelated variables
called principal components
• Converted 76 Features to 28 features retaining 95% Variance
• Classifier Accuracy:
• J-48: 97%
• REP Tree: 94.17%
• SVM: 80.61%
• K-NN: 93.29%
• Bayesian Networks: 94.65%
Principal Component
Analysis

• Best First Search Based Feature Selection
• Also explored random forest based importance evaluation
• Selected Features are:
• Flow duration, MEDIAN_INTERARRIVAL_TIME,
AVG_PAYLOAD_SIZE,AVG_PAYLOAD_SIZE_SENDING, AVG_PAYLOAD_SIZE_RECVING,
PRIME_WAVE_MAGNITUDE_PAYLOAD, PRIME_WAVE_MAGNITUDE_IAT,
BYTES_SENT_PER_SEC, BYTES_RECVD_PER_SEC, DFT_Payload(1st
and 2nd
co-efficient),
DFT_IAT(1st
and 2nd
Coefficient), Compression
• Classifier Accuracy:
• J-48: 99.7%
• REP Tree: 99.58%
• SVM: 84%
• KNN: 99.5%
• ANN: 92%
Feature Selection

BITS Pilani
Hyderabad Campus
DEMO 3:
PCA and Feature Selection

• Construct a set of classifiers from the training data
• Predict class label of previously unseen records by
aggregating predictions made by multiple classifiers
Ensemble Classifier

• Ensemble methods work better with ‘unstable
classifiers’
• Classifiers that are sensitive to minor perturbations
in the training set
• Examples:
– Decision trees
– Rule-based
– Artificial neural networks
Ensemble Classifier

• One way to force a learning algorithm to construct multiple
hypotheses is to run the algorithm several times and provide
it with somewhat different data in each run. This idea is used
in the following methods:
• Majority Voting
• Bagging
• Randomness Injection
• Feature-Selection Ensembles
• Error-Correcting Output Coding.
Ensemble Classifier

Why Majority Voting works?
• Suppose there are 25
base classifiers
– Each classifier has
error rate, ε = 0.35
– Assume errors made
by classifiers are
uncorrelated
– Probability that the
ensemble classifier makes
a wrong prediction:
∑=
−
=−





=≥
25
13
25
06.0)1(
25
)13(
i
ii
i
XP εε

Bagging
• Employs simplest way of combining predictions that
belong to the same type.
• Combining can be realized with voting or averaging
• Each model receives equal weight
• “Idealized” version of bagging:
– Sample several training sets of size n (instead of just
having one training set of size n)
– Build a classifier for each training set
– Combine the classifier’s predictions
• This improves performance in almost all cases if
learning scheme is unstable (i.e. decision trees)

Bagging classifiers
Classifier generation
Let n be the size of the training set.
For each of t iterations:
Sample n instances with replacement from the
training set.
Apply the learning algorithm to the sample.
Store the resulting classifier.
classification
For each of the t classifiers:
Predict class of instance using classifier.
Return class that was predicted most often.

Why does bagging work?
• Bagging reduces variance by voting/
averaging, thus reducing the overall expected
error
– In the case of classification there are pathological
situations where the overall error might increase
– Usually, the more classifiers the better

Stacking
• Uses meta learner instead of voting to
combine predictions of base learners
– Predictions of base learners (level-0 models) are
used as input for meta learner (level-1 model)
• Base learners usually different learning
schemes
• Hard to analyze theoretically: “black magic”

• Genetic Search and Greedy Classification (June)
• Suggested Improvements and Proposals:
• Clustering to scale up
• Binning to compute Compression Ratio
• Smoothening DFT Curve
• Explore parson’s coding theory
• Repo link (Stay Tuned!)
• https://github.com/vansh21k/P2P-Botnet-Detection-Project
Future Work

[1] H. Hang, X. Wei, M. Faloutsos, and T. Eliassi-Rad. Entelecheia: Detecting p2p botnets in their waiting
stage. In IFIP Networking Conference, 2013, pages 1{9, 2013.
[2] J. Kang and J.-Y. Zhang. Application entropy theory to detect new peer-to-peer botnet with multi-chart
cusum. In Electronic Commerce and Security, 2009.
[3] C. Kanich, N. Weaver, D. McCoy, T. Halvorson,C. Kreibich, K. Levchenko, V. Paxson, G. M. Voelker,
and S. Savage. Show me the money: Characterizing spam-advertised revenue. In USENIX Security
Symposium, pages 15
[4] B. Rahbarinia, R. Perdisci, A. Lanzi, and K. Li. Peerrush: Mining for unwanted p2p trac. In
Detection of Intrusions and Malware, and Vulnerability Assessment, pages 62{82. Springer, 2013.
[5] C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. J. Dietrich, and H. Bos. Sok:
P2pwned-modeling and evaluating the resilience of peer-to-peer botnets. In Security and Privacy (SP),
2013 IEEE Symposium on, pages 97{111. IEEE, 2013.
[6] S. Saad, I. Traore, A. Ghorbani, B. Sayed, D. Zhao, W. Lu, J. Felix, and P. Hakimian. Detecting p2p
botnets through network behavior analysis and machine learning. In Privacy, Security and Trust
(PST), 2011 Ninth Annual International Conference on, pages 174{180. IEEE, 2011.
[7] R. Schoof and R. Koning. Detecting peer-to-peer
botnets. University of Amsterdam, 2007. Technical
report.
[8] F. Tegeler, X. Fu, G. Vigna, and C. Kruegel. Botnder: Finding bots in network trac without
deep packet inspection. In Proceedings of the 8th
international conference on Emerging networking
experiments and technologies, pages 349{360. ACM, 2012.
[9] T.-F. Yen and M. K. Reiter. Are your hosts trading or plotting? telling p2p le-sharing and bots apart. In
Distributed Computing Systems (ICDCS), 2010 IEEE 30th International Conference on, pages 241{252.
IEEE, 2010.
References

[10] X. Yu, X. Dong, G. Yu, Y. Qin, D. Yue, and Y. Zhao. Online botnet detection based on incremental discrete
fourier transform. Journal of Networks, 5(5), 2010.
[11] J. Zhang, R. Perdisci, W. Lee, X. Luo, and U. Sarfraz. Building a scalable system for stealthy p2p-botnet
detection. Information Forensics and Security, IEEE Transactions on, 9(1):27{38, 2014.
[12] J. Zhang, R. Perdisci, W. Lee, U. Sarfraz, and X. Luo. Detecting stealthy p2p botnets using statistical trac
ngerprints. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on, pages
21{132. IEEE, 2011.
[13] S. Zhang. Conversation-based p2p botnet detection with decision fusion. Master's thesis, Fredericton:
University of New Brunswick, 2013.
References

ML Approaches to P2P Botnet Detection

Recommended

Recommended

More Related Content

Similar to ML Approaches to P2P Botnet Detection

Similar to ML Approaches to P2P Botnet Detection (20)

Recently uploaded

Recently uploaded (20)

ML Approaches to P2P Botnet Detection