National Hsinchu University of Education, 521 Nanda Rd., Hsinchu, Taiwan, ROC
Micrel Semiconductor Inc. 2180 Fortune Drive, San Jose, CA 95131, USA
1. Introduction
With the advance and development of information and communication technologies (ICT), computer networks have become an integral part of human life. Their applications range from online news, online shopping and Google searches for information to online ATM and stock trading. In open network environments there are always unscrupulous criminals or organizations trying to use various methods to steal or destroy personal data in order to obtain illegal benefits. Usually the hackers attempt to infect a large number of computers lacking protection with malicious software to form so-called botnets, and then achieve their purposes through attacks launched by the zombie computers in those botnets. The methods often used for such attacks include Distributed Denial of Service (DDoS), spam, click fraud and information leakage.

The first botnet appeared in 1993 in Internet Relay Chat (IRC) networks, and botnets became widespread after 1999. In New Zealand, a 19-year-old hacker controlled 150 million computers through the Internet, which is the largest known botnet; another, Chinese, hacker controlled 60,000 computers to attack a music website, putting the website out of service even after its server was moved to Taiwan or the USA. The two events caused losses of hundreds of millions of dollars [1], and the two hackers were finally arrested. Waledac [2] is one of the top 10 botnets in the USA,
International Journal of Communication Networks and Information Security (IJCNIS)
3. Adaptive Mechanisms
Figure 11. Characteristics of eDonkey/eMule traffic flows
port number are in the PAT Table. If they are, the packet is determined to be a non-P2P packet; otherwise, it is treated as a possible P2P packet.
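The PAT Table lookup described above, written out as an added example (not the paper's own code): packets whose port appears in the table are dropped as non-P2P, and the remaining possible-P2P packets are grouped into bidirectional flows for the decision-tree stage. The table contents, the record format and the sample capture are all constructed here, since the paper does not list them.

```python
from collections import defaultdict, namedtuple

# Assumed PAT Table contents: the paper does not list them, so a small
# constructed set of well-known application ports stands in here.
PAT_TABLE = {20, 21, 22, 23, 25, 53, 80, 110, 143, 443, 993, 995}

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto")

def is_non_p2p(pkt, pat_table=PAT_TABLE):
    """Page rule: a port in the PAT Table marks the packet non-P2P;
    anything else is only a *possible* P2P packet for the next stage.
    Caveat: a P2P client bound to port 80 passes this check, so the
    result is a pre-filter, not a verdict."""
    return pkt.src_port in pat_table or pkt.dst_port in pat_table

def parse_packet_line(line):
    """Parse a constructed 'PROTO src:port > dst:port' record."""
    proto, rest = line.split(None, 1)
    src, dst = (s.strip() for s in rest.split(">"))
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(sip, int(sport), dip, int(dport), proto)

def candidate_p2p_flows(packets):
    """Drop non-P2P packets and group the rest into bidirectional flows
    keyed by protocol plus the unordered pair of (ip, port) endpoints."""
    flows = defaultdict(int)
    for pkt in packets:
        if is_non_p2p(pkt):
            continue
        ends = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        flows[(pkt.proto, ends[0], ends[1])] += 1
    return dict(flows)

# Constructed sample capture: web and DNS traffic plus eMule-style
# packets on 4662/4672 (eMule's default TCP/UDP ports).
SAMPLE_CAPTURE = [
    "TCP 192.168.1.10:51234 > 93.184.216.34:80",
    "TCP 192.168.1.10:51235 > 93.184.216.34:443",
    "UDP 192.168.1.10:53021 > 192.168.1.1:53",
    "TCP 192.168.1.11:4662 > 10.0.0.5:4662",
    "TCP 10.0.0.5:4662 > 192.168.1.11:4662",
    "UDP 192.168.1.11:4672 > 10.0.0.6:4672",
]

def run_prefilter(lines=SAMPLE_CAPTURE):
    """Return (number of non-P2P packets, candidate P2P flow table)."""
    pkts = [parse_packet_line(l) for l in lines]
    return sum(is_non_p2p(p) for p in pkts), candidate_p2p_flows(pkts)
```

On the sample capture the three web/DNS packets are filtered out and the eMule-style packets collapse into two candidate flows, which is the input the paper's decision tree would then classify.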
unknown botnet viruses, not only were the data used for training the decision tree, but the system also had to initiate the isolation procedure to prevent the network from further infection.
4. Simulation Experiment
A simulation experiment was conducted to evaluate the proposed mechanism for identifying the traffic flows of P2P botnets. The experimental environment was constructed using two VMware virtual hosts (for running the P2P botnet programs) and four computers running different P2P application programs. The network architecture of the experimental environment and the role of each computer are shown in Figure 20 and Table 2. This study used CurrPorts, Wireshark, and Weka as the tools for network monitoring and data analysis. CurrPorts is a program that monitors the connection activity on each port, letting users see the connection status of a computer; Wireshark is a program that analyzes network packets and shows their detailed contents; Weka is a data-mining and analysis platform on which users can implement their algorithms to extract information from large amounts of data using a decision tree.
(Table 2 fragment: Database Server; 9.4; Windows Server 2008)
References
[1] Malware Report (2007). The economic impact of viruses, spyware, adware, botnets, and other malicious code, Computer Economics, 2007.
[2] G. Sinclair, C. Nunnery and B. B. Kang (2009). The Waledac protocol: the how and why, Proceedings of the 4th International Conference on Malicious and Unwanted Software, Montreal, Quebec, Oct. 13-14, 2009.
[3] M. Fossi, D. Turner, E. Johnson, T. Mack, T. Adams, J. Blackbird, S. Entwisle, B. Graveland, D. McKinney, J. Mulcahy, and C. Wueest (2010). Symantec Global Internet Security Threat Report: Trends for 2009, Technical Report, Symantec Corporation, April 2010.
[4] C. Schiller, J. Binkley and D. Harley (2007). Botnets: The killer web applications, Rockland, MA: Syngress Publishing, Feb. 2007.
[5] Z. Zhu, G. Lu, Y. Chen, Z. J. Fu, P. Roberts, and K. Han (2008). Botnet research survey, 32nd Annual IEEE International Computer Software and Applications Conference, Turku, Finland, July 2008.
[6] B. W. Liu (2009). An adaptive defense mechanism against P2P botnets, Master thesis, Department of Information Engineering, Chung Yuan Christian University, Chungli, Taiwan.
[7] A. Karasaridis, B. Rexroad, and D. Hoeflin (2007). Wide-scale botnet detection and characterization, Proceedings of the USENIX Conference (HotBots07), Cambridge, Massachusetts, April 10, 2007.
[8] J. Goebel, and T. Holz (2007). Rishi: Identify bot-