عنوان

On Using Graph Structures in Network Communications for Peer-To-Peer Botnet Detection

شماره

TLpq2499861309

زبان متن نوشتاري يا گفتاري و مانند آن

انگلیسی

عنوان اصلي

On Using Graph Structures in Network Communications for Peer-To-Peer Botnet Detection

نام عام مواد

[Thesis]

نام نخستين پديدآور

Joshi, Harshvardhan P.

نام ساير پديدآوران

Stallmann, Matthias

نام ناشر، پخش کننده و غيره

North Carolina State University

تاریخ نشرو بخش و غیره

2020

نام خاص و کميت اثر

116

جزئيات پايان نامه و نوع درجه آن

Ph.D.

کسي که مدرک را اعطا کرده

North Carolina State University

امتياز متن

2020

متن يادداشت

Botnets are used for malicious purposes, such as spam and denial of service, with huge economic costs to the society. Decentralized command & control structures of peer-to-peer (P2P) botnets make them more resilient to disruptions. However, these P2P overlay structures appear in communication graphs that are built from network flow meta-data, and can be detected using community detection techniques from graph theory. This is a promising approach for P2P botnet detection because it can work independent of device hardware and software, and is resilient to obfuscations employed by the botnets. In this thesis we formulate and address several research questions relating to the problem of P2P botnet community detection in network communication graphs, in a real-world context. First, we investigate whether P2P botnet community structures can be detected with only partial communication graph, since traffic from an entire P2P botnet is unlikely to be available in the real-world. We analyze the effectiveness of general purpose community detection algorithms from graph theory in detecting P2P botnet communities, with various levels of partial information availability. The results show that the approach can work with only about half of the nodes reporting their communication information, with only small increase in detection errors. Second, we ask how to improve the efficiency of P2P botnet community detection, given that previously proposed community-based botnet detection algorithms are too slow for real-time deployment. We propose GADFly, an algorithm that reduces computation time by using the inherent structure in communication graph to reduce the problem size, while focusing on suspicious P2P communities of interest to improve the precision. Our experiments show that GADFly is 1.5 to 10 times faster than the popular general purpose Louvain algorithm, with comparable recall and improved precision.  Third, we ask how to improve the precision of P2P botnet community detection to a level that is practically useful. In our proposed algorithm BotCLAM, we combine insights into the structure of communication graphs and differing definitions of community to improve the precision of P2P botnet community detection. We show that the precision with BotCLAM is 2 to 10 times higher than Louvain and about 50% higher than the GADFly algorithm, with comparable or better recall. Fourth, we investigate whether the P2P botnet community can be identified from the detected communities by simply using the communities' graph structural characteristics. We identify P2P botnet command & control traffic characteristics that influence the communication graph structure, and the metrics to measure these structural properties. We propose a tunable approach

موضوع مستند نشده

Computer engineering

موضوع مستند نشده

Computer science

موضوع مستند نشده

Information technology

مستند نام اشخاص تاييد نشده

Joshi, Harshvardhan P.

مستند نام اشخاص تاييد نشده

Stallmann, Matthias

نام الکترونيکي

فرمت انتشار

p

نوع ماده

[Thesis]

کد کاربرگه

276903

سطح دسترسي

a

تكميل شده

Y