Inproceedings

The Case for a Collaborative Universal Peer-to-Peer Botnet Investigation Framework

Mark Scanlon; M-Tahar Kechadi

March 2014, Proceedings of the 9th International Conference on Cyber Warfare and Security (ICCWS 2014)

Contribution Summary

The proposed framework is designed to be modular and expandable, allowing the characteristics and communication signatures of any particular P2P botnet to be plugged in conveniently. It consists of four core components: network signatures, a client emulator, investigation controllers, and evidence storage. The network signatures store the communication commands and parameters of the botnet, while the client emulator connects to the botnet using the provided signatures. The investigation controllers manipulate the parameters of the emulator to execute different investigation types, such as botnet enumeration, node classification, and botmaster eavesdropping. The evidence storage module persists the evidence gathered during an investigation. The framework aims to eliminate duplicated effort, enable the investigation of any known botnet, and ease adaptation to newly discovered networks.

Keywords: Peer-to-Peer Botnets; Collaborative Investigation Framework; Botnet Mitigation; Computer Forensics; Investigation Framework; P2P Network Analysis; Botnet Detection; Cybersecurity

Abstract

Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting financial systems. These attacks can also cross over into the physical world, attacking critical infrastructure and causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast-tracking the investigative process through collaboration between key stakeholders.

BibTeX

@inproceedings{scanlon2014botnetframework,
	title={The Case for a Collaborative Universal Peer-to-Peer Botnet Investigation Framework},
	author={Scanlon, Mark and Kechadi, M-Tahar},
	booktitle={Proceedings of the 9th International Conference on Cyber Warfare and Security (ICCWS 2014)},
	pages={287--293},
	month=mar,
	year={2014},
	address={Purdue University, West Lafayette, Indiana, USA},
	publisher={Academic Conferences Limited},
	abstract={Peer-to-Peer (P2P) botnets are becoming widely used as a low-overhead, efficient, self-maintaining, distributed alternative to the traditional client/server model across a broad range of cyberattacks. These cyberattacks can take the form of distributed denial of service attacks, authentication cracking, spamming, cyberwarfare or malware distribution targeting on financial systems. These attacks can also cross over into the physical world attacking critical infrastructure causing its disruption or destruction (power, communications, water, etc.). P2P technology lends itself well to being exploited for such malicious purposes due to the minimal setup, running and maintenance costs involved in executing a globally orchestrated attack, alongside the perceived additional layer of anonymity. In the ever-evolving space of botnet technology, reducing the time lag between discovering a newly developed or updated botnet system and gaining the ability to mitigate against it is paramount. Often, numerous investigative bodies duplicate their efforts in creating bespoke tools to combat particular threats. This paper outlines a framework capable of fast tracking the investigative process through collaboration between key stakeholders.}
}