KR20110112100A - Method for detecting peer-to-peer botnets - Google Patents

Abstract

The present invention comprises the steps of: analyzing the traffic on the network to collect mutual peer-to-peer connection information of each host existing on the network; Using the collected information, configuring each host for information on the entire P2P network formed by being interconnected on a peer-to-peer basis; Estimating a radius of the PTP network, a ratio of hosts operating simultaneously as a client and a server in the PTP network, and an average spreading rate of the hosts using the information about the PTP network; And if the at least one of the estimated network radius, the ratio of concurrent hosts, and the average spreading speed of the hosts exceeds a specific threshold, the P2P network detects a P2P botnet. Provide a method.

Description

P2P botnet detection method {METHOD FOR DETECTING PEER-TO-PEER BOTNETS}

The present invention relates to a method for detecting a P2P botnet using a peer-to-peer network as a base communication system for command transmission and control to a bot.

A set of computers that are networked and interact with each other to perform a distributed task is called a botnet. They are mainly used for illegal activities such as sending spam mails, Distributed Denial of Service (DDoS) attacks, and the leakage of personal information.

Botnets that use P2P networks as the underlying communication system for command delivery and control to bots are called P2P botnets. P2P botnets differ from traditional C & C botnets in that they do not have a central server to control each bot. Hosts infected by bots connect with each other, and attackers become peers, broadcasting commands to botnets. Several studies have been published using the number of failed connection attempts, known ports, and packet payload signatures to detect peer-to-peer botnets. They only use information found in certain botnet applications, so they can only detect known P2P bot attacks. Therefore, it is difficult to detect when an attacker produces a variant. In addition, such information cannot be distinguished from the phenomena caused by normal worms, scans, and normal P2P applications.

P2P botnets do not use a central server, making it difficult to disable the entire botnet. Therefore, in order to detect and respond to the entire botnet in a timely manner, it is necessary to develop a technology that can identify the proliferation path of the entire P2P botnet and respond early. In addition, since P2P bots are expected to have many variants, like existing worms and viruses, it is necessary to develop technology to detect these variants.

P2P botnet detection method according to an embodiment of the present invention for realizing the above object, the process of collecting traffic peer-to-peer connection information of each host existing on the network by analyzing the traffic on the network; Using the collected information, configuring each host for information on the entire P2P network formed by being interconnected on a peer-to-peer basis; Estimating a radius of the PTP network, a ratio of hosts operating simultaneously as a client and a server in the PTP network, and an average spreading rate of the hosts using the information about the PTP network; And if the at least one of the estimated network radius, the proportion of concurrent hosts, and the average spreading speed of the hosts exceeds each particular threshold, the peer-to-peer network includes determining a peer-to-peer botnet.

The P2P botnet detection method according to at least one embodiment of the present invention configured as described above detects a P2P botnet using fundamental properties of P2P botnet traffic such as large network radius, high concurrent host ratio, and high host average spread rate. Therefore, the spread path of the P2P botnet can be identified and responded to early.

In addition, the P2P botnet detection method according to at least one embodiment of the present invention configured as described above may detect unknown P2P botnets such as variants.

In addition, the P2P botnet detection method according to at least one embodiment of the present invention configured as described above is able to detect and remove most botnets by tracking the spread path of the P2P bot.

1 is a connection graph according to an embodiment of the present invention.
2 is a structural diagram of data constituting a connection graph according to an embodiment of the present invention.
3 is a pseudocode illustrating a method of constructing a connection graph according to an embodiment of the present invention.
4 is a table defining notation included in equations used in determining whether a P2P botnet.

An embodiment to which the present invention as described above is applied will be described in detail with reference to the accompanying drawings.

1 shows a connection graph according to an embodiment of the present invention.

The present invention detects P2P botnets using the fundamental properties of P2P botnet traffic such as large network radius, multiple client / server concurrent host, and fast spread rate.

First, terms used in connection with an embodiment of the present invention are defined. The host that initiated the connection is called the parent host and the host that accepts the connection is called the child host. Child hosts are allocated one level higher than their parent host. For example, when the level of a host first infected or detected by a P2P bot is set to 0, the level of the child host allowing connection to this host is one level higher. A parent host connecting to a host that has already been assigned a level will have a lower level. In this way, you can measure the host level by tracking the incoming and outgoing connections from all ports on each host.

You can create a graph by tracking the connection direction for each port, which is defined as a connection graph. After assigning levels to each host, the network radius can be estimated. Where the network radius is the difference between the maximum and minimum levels in the network. The time it takes for a parent host to successfully establish a connection to a child host from the time of parent host creation is defined as the individual host spreading speed. The average of all individual host diffusion rates at the same level is defined as the level average diffusion rate. The average spread rate of a connection is defined as the average spread rate of all hosts from the minimum level to the maximum level.

This will be described in detail with reference to FIG. 1. 1 is an example of a connection graph tracking all connections using port 4075. In FIG. 1 the level of the original infected host is left at zero. The level of the host connected by this host is one level higher, and the level of the host is increased by one level according to the next connection order. If a connection to a host with level 0 occurs, the level of the host attempting to connect is -1. In FIG. 1, the network radius is estimated as 4, which is the difference between the maximum level 4 and the minimum level 0. FIG. Assuming an initial infection time of 0, the host spread rate of Host (1,0) is 10, Host (2,0) is 10, and Host (3,0) is 18. Therefore, the average spreading velocity Vlv (1) of level 1 is 10, level 2 is 14.75, and the like. Therefore, the average diffusion rate of the connection graph of FIG. 1 is 16.53.

In general, P2P traffic has a large network radius, and a large proportion of hosts that simultaneously operate as clients and servers. P2P botnet traffic not only has the properties of P2P traffic presented above, but also has a characteristic that the rate of spreading to the next level is considerably faster than general P2P traffic. In other words, P2P bots are automatically spread by the bot propagation program, so they spread faster than general P2P application execution hosts which are spread by user's request. In view of this, the present invention constructs a network connection for each port in the form of a connection graph, and then detects a P2P bot using a large network radius, a client / server concurrent host ratio, and an average spread rate property.

2 is a structural diagram of data constituting a connection graph according to an embodiment of the present invention.

The connection graph (PortEntry) for a specific port includes the server port number (serverport), the host information connected to the port (HostTable), the minimum / maximum level (min / maxlevel) of the corresponding connection graph, and the number of client / server concurrent hosts (serventsnum). , Connection level attributes such as edge level information (EdgeLevelEntry) and mean diffusion velocity information.

Host information (HostTable) includes the information of each host (HostEntry) connected by port, and information of each host is the IP address (ip), level, list and number of child hosts connected to the host. (Incoming sourcelist and sourcenum), the list and number of parent hosts allowed to connect to the host (Outgoing targetlist and targetnum), and the time allowed to connect to the host.

3 is pseudo code for creating / updating a connection graph.

The packet is analyzed to determine a client requesting a connection, a server providing a connection, and a current time when the connection is established (110).

If there is already a connection graph for the server port of the packet, update the connection graph by adding only the connection information that has occurred. If there is no connection graph for the port, a connection graph is generated and connection information is added (120).

When adding the connection information, if both the host A as a client and the host B as the server are not in the connection graph (210), the information of each of the host A and the Host Entry is added to the host information HostTable. First, the IP address (ip), level, Incoming sourcelist and sourcenum that the host is connected to, Outgoing targetlist and targetnum, and the number of parent hosts allowed to connect to that host. Add information such as the time the connection is allowed to the host. The level of the host A, which is a client, is set to 0, and the level of the host, which is a server, is set to 1. Since the hosts are newly created, the times of hosts A and B are both set to the time when the connection is allowed.

Since host A is a client and host B is a server, add B to A's Outgoing target list and update targetnum, the number of hosts in targetlist. Similarly, add A to B's incoming sourcelist and update the number of sourcenum. Then, add connection graph attribute values such as min / maxlevel, serventsnum, EdgeLevelEntry, and meandiffusionvelocity.

When adding connection information, if only host B, which is a server, is in the connection graph (220), the host A information, which is a client, is added. Host A, the client, is assigned a level one level lower than host B, the server, and the time of host A is set to the time when the connection is allowed. It also updates the outgoing and incoming information of hosts A and B, and also updates the connection graph properties such as min / maxlevel and serventsum.

When adding connection information, if only host A, the client, is in the connection graph (230), the server adds host B information. Host B, which is a server, is assigned a level one level higher than host A, which is a client, and the time of host B is set to the time when the connection is allowed. It also updates the outgoing and incoming information of hosts A and B, and also updates the connection graph properties such as min / maxlevel and serventsum.

By using the connection information generated as described above, the connection graph is updated and P2P bot traffic is identified. If all of the following conditions are met for a particular port, it is determined to be a host operating as a P2P bot.

1) The network radius, the difference between the maximum and minimum levels, exceeds a certain threshold. However, when calculating the maximum and minimum levels of the network, ignore levels with a very small number of hosts. In other words, the number of hosts per level must exceed a certain threshold.

2) The percentage of hosts running simultaneously as a server and a client exceeds a certain threshold.

3) The average diffusion rate should be below a certain threshold. However, the average spreading rate can be recalculated except for hosts with spreading rates outside the standard deviation range.

Each of the above thresholds can be determined through experimentation in the network to be detected.

4 is a table defining notation included in equations used in determining whether a P2P botnet is used.

After completing the connection graph for a specific port (after configuring a network connection for each port) by the method described above, it is determined whether the network is a P2P botnet. The connection graph G is a P2P botnet if the following three conditions are met.

Equation 1 shows that the network radius of the connection graph G exceeds the radius threshold ω. When calculating the maximum / minimum level of the network, the number of hosts at the maximum level must exceed the edge level threshold α. The maximum level is obtained only when the number of hosts in E (G), the last level of the connection graph G, exceeds the edge level threshold. The maximum level is set as follows. E (G) represents the last level of the connection graph G.

If N (E (G))> α, M (G) = E (G)

Else M (G) = E (G) -1

Equation 2 indicates that the client / server concurrent host ratio on a particular port exceeds the client / server threshold.

From here,

Equation 3 shows that the average diffusion rate of the connection graph host is faster than the diffusion rate threshold ρ. The average speed Vlv (i) of the level represents the average of the spreading speeds of the other hosts except for the host having a spreading speed deviation threshold σ that exceeds the spreading speed deviation threshold σ among all the hosts constituting the level i.

Further, according to an embodiment of the present invention, the above-described method can be implemented as a code that can be read by a processor on a medium on which the program is recorded. Examples of processor-readable media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage, and the like, and may be implemented in the form of a carrier wave (for example, transmission over the Internet). Include.

The above-described P2P botnet detection method is not limited to the configuration and method of the above-described embodiments, the embodiments may be a combination of all or a part of the embodiments selectively so that various modifications can be made It may be configured.

In the above, preferred embodiments of the present invention have been described with reference to the accompanying drawings.

Here, the terms and words used in the present specification and claims should not be construed as limited to ordinary or dictionary meanings, but should be construed as meaning and concept consistent with the technical idea of the present invention.

Therefore, the embodiments described in the specification and the drawings shown in the drawings are only the most preferred embodiment of the present invention, and do not represent all of the technical idea of the present invention, which can be replaced at the time of the present application It should be understood that there may be various equivalents and variations.

100: packet analysis process
200: connection information addition process

Claims (9)

Analyzing traffic on a network to collect mutual peer-to-peer connection information of respective hosts existing on the network;
Using the collected information, configuring each host for information on the entire P2P network formed by being interconnected on a peer-to-peer basis;
Estimating a radius of the PTP network, a ratio of hosts operating simultaneously as a client and a server in the PTP network, and an average spreading rate of the hosts using the information about the PTP network; And
If the one or more of the estimated network radius, the ratio of concurrent hosts, and the average spreading speed of the hosts exceeds each particular threshold, the P2P network detects a P2P botnet; Way. The method of claim 1,
In the collecting process, PIPPI botnet detection method for analyzing the packet in the traffic to collect information about the server port number, the client host requesting the connection, the server host providing the connection and the time the connection is established. The method of claim 2,
The information about the peer-to-peer network may be configured by generating and updating a connection graph based on each server port using information on a server port number collected by analyzing the packet, a client host, a server host, and a time when a connection is established. Peopi botnet detection method, characterized in that. The method of claim 3, wherein
The process of configuring the above connection graph form
By using the server port number determined by analyzing the packet, the client host, the server host and the time the connection is established,
(1) generating a connection graph when there is no connection graph for the corresponding port; And
(2) Compare the client host and server host with the hosts in the connection graph.
(a) If neither the client host nor the server host is in the connection graph, add the information of the hosts (a) and (b) and the property values of the connection graph to the connection graph.
(b) If only the server host is in the connection graph, add the information of the client host and update the attribute value of the connection graph.
(c) If only the client host is in the connection graph, P2P botnet detection method comprising the step of updating the connection graph to add the information of the server host and update the attribute value of the connection graph. The method of claim 4, wherein
The updating process of the above connection graph
(a) If neither the client host nor the server host is in the connection graph, the client host level is set to 0, the server host level is set to 1, and the connection time of each host is set to the time allowed for the connection. and,
(b) If only the server host is in the connection graph, set the client host's level to one level lower than the server host's level, and set the client host's connection time to the time allowed for the connection.
(c) If only the client host is in the connection graph, P2P botnet characterized in that the level of the server host is set one level higher than the level of the client host, and the connection time of the server host is set to the time allowed for the connection Detection method. The method of claim 5, wherein
In the above estimation process, using the completed connection graph for a specific port, the network radius is estimated by the difference between the maximum level and the minimum level in the network, and the ratio of the client host concurrent hosts to the total number of concurrent hosts And the average diffusion rate is estimated as an average of level average diffusion rates from the minimum level to the maximum level. The method of claim 6,
The maximum level is P2P botnet detection method, characterized in that the number of hosts of the level exceeds the edge level threshold. The method according to claim 6,
The level average spreading speed is a peer-to-peer botnet detection method, characterized in that the average of the spreading speed of the other hosts except the host having a spreading speed exceeding the spreading speed deviation threshold among all the host. A computer-readable recording medium having recorded thereon a program for executing the method of detecting a P2P botnet according to any one of claims 1 to 8.

Images