Behavioural Correlation for Detecting P2P Bots

TL;DR

This paper introduces a correlation-based algorithm to detect P2P bots by analyzing their activities over time, addressing the challenge of identifying decentralized malicious bots.

Contribution

The paper proposes a novel activity correlation method specifically designed for detecting P2P bots, which are harder to identify than traditional IRC bots.

Findings

Correlation of activities effectively detects P2P bots

The method distinguishes malicious P2P activity from normal behavior

Detection accuracy improves with activity analysis over time

Abstract

In the past few years, IRC bots, malicious programs which are remotely controlled by the attacker through IRC servers, have become a major threat to the Internet and users. These bots can be used in different malicious ways such as issuing distributed denial of services attacks to shutdown other networks and services, keystrokes logging, spamming, traffic sniffing cause serious disruption on networks and users. New bots use peer to peer (P2P) protocols start to appear as the upcoming threat to Internet security due to the fact that P2P bots do not have a centralized point to shutdown or traceback, thus making the detection of P2P bots is a real challenge. In response to these threats, we present an algorithm to detect an individual P2P bot running on a system by correlating its activities. Our evaluation shows that correlating different activities generated by P2P bots within a specified time period can detect these kind of bots.