Advanced Monitoring in P2P Botnets (eBook)

​Dr. Shankar Karuppayah is a senior lecturer at the National Advanced IPv6 Centre, Universiti Sains Malaysia. Previously, he was attached to the Center for Advanced Security Research Darmstadt (CASED) / TU Darmstadt, Germany (2012-2016) where he also obtained his PhD. His research interests encompass cyber security topics, specifically botnet monitoring. He has published numerous botnet-related research works in respected journals and high-ranked conferences over the past five years. In addition to being regularly invited to give talks on cybersecurity topics, he is also a reviewer for several security-related journals and conferences.

Foreword 7
Preface 9
Acknowledgements 11
Contents 12
Acronyms 15
1 Introduction 16
1.1 Botnet Architectures 16
1.1.1 Centralized Botnets 17
1.1.2 Decentralized Botnets 17
1.1.3 P2P Botnets 18
1.2 P2P Botnet Monitoring 19
1.3 Outline 19
References 20
2 Requirements and State of the Art 21
2.1 Requirements of a Botnet Monitoring Mechanism 21
2.1.1 Functional Requirements 21
2.1.2 Non-functional Requirements 22
2.2 Formal Model for P2P Botnets 23
2.3 Related Work on Botnet Monitoring 25
2.3.1 Honeypots 25
2.3.2 Crawlers 26
2.3.3 Sensor Nodes 29
2.4 Challenges in Botnet Monitoring 31
2.4.1 The Dynamic Nature of P2P Botnets 31
2.4.2 Noise from Unknown Third Party Monitoring Activities 32
2.4.3 Anti-monitoring Mechanisms 33
2.5 Summary 37
References 39
3 The Anatomy of P2P Botnets 41
3.1 Dissecting GameOver Zeus 41
3.1.1 Bootstrapping Process 42
3.1.2 Membership Maintenance Mechanism 42
3.1.3 Blacklisting Mechanism 45
3.2 Dissecting Sality 45
3.2.1 Bootstrapping Process 46
3.2.2 Membership Management Mechanism 46
3.3 Dissecting ZeroAccess 49
3.3.1 Bootstrapping Process 50
3.3.2 Membership Management Mechanism 51
3.4 Summary 54
References 55
4 Crawling Botnets 56
4.1 Circumventing Anti-crawling Mechanisms 56
4.1.1 Restricted NL Reply Mechanism of GameOver Zeus 57
4.1.2 Less Invasive Crawling Algorithm (LICA) 62
4.2 Advanced Anti-crawling Countermeasures 64
4.2.1 Enhancing GameOver Zeus' NL Restriction Mechanism 65
4.2.2 BoobyTrap: Detecting Persistent Crawlers 66
4.3 Evaluation 70
4.3.1 Evaluation of ZeusMilker 70
4.3.2 Evaluation of the Less Invasive Crawling Algorithm (LICA) 77
4.3.3 Evaluation of the BoobyTrap Mechanism 83
4.4 Summary 88
References 90
5 Deployment of Sensor Nodes in Botnets 91
5.1 Detecting Sensor Nodes in Botnets 92
5.1.1 Introduction 92
5.1.2 Local Clustering Coefficient (LCC) 94
5.1.3 SensorRanker 95
5.1.4 SensorBuster 97
5.2 Circumventing Sensor Detection Mechanisms 98
5.2.1 Circumventing LCC 99
5.2.2 Evading SensorRanker 99
5.2.3 Evading SensorBuster 100
5.3 Evaluation 101
5.3.1 Datasets 101
5.3.2 Experimental Setup 102
5.3.3 Research Questions and Expectations 105
5.3.4 Results 106
5.4 Summary 112
References 113
6 Conclusion and Outlook 115
6.1 Conclusion 115
6.2 Outlook 117
7 Erratum to: Advanced Monitoring in P2P Botnets 118
Erratum to:& #6