In this section, we review the related work on P2P botnet detection, since in Chapter 6 we propose AutoBotCatcher, a P2P blockchain-based botnet detection framework. In recent years, a vast amount of work has been devoted to P2P botnet detection. In general, botnet detection methodologies can be categorized into two groups: host-based and network-based approaches. Host-based approaches require the monitoring of all hosts, which is impractical for the IoT domain. Therefore, we focus on network-based approaches, which in turn can be classified into two groups, discussed in the following. Table 3.2 presents a summary of the main features of the approaches reviewed in this section and their comparison with AutoBotCatcher, presented in Chapter 6.
Network traffic signature based approaches
CHAPTER 3. LITERATURE REVIEW 34
The literature offers many works that classify hosts based on their network traffic behaviour. In general, these approaches exploit supervised or unsupervised machine learning techniques to identify whether hosts are benign or malicious [56, 143, 67, 110, 104, 144, 93, 88, 59]. In machine learning based approaches, an algorithm is trained on samples of network traffic in order to detect malicious network traffic. For example, [144] proposes a statistical network traffic fingerprinting approach that uses unsupervised machine learning techniques to identify P2P activity and to group the hosts participating in malicious P2P traffic. Entelecheia, proposed in [59], aims to detect bots in their waiting stage by exploiting their social behaviour. Specifically, Entelecheia uses network traffic signatures to create a graph of likely malicious flows and performs graph mining steps to cluster and label botnet nodes. In [110], Saad et al. use five different machine learning algorithms to extract features from the observed benign and botnet network traffic, and use those features for botnet detection. PeerShark, proposed in [93], is a port- and protocol-oblivious conversation-based approach to detect P2P botnet traffic. However, in a dynamic network, botmasters can randomize botnet traffic by changing communication frequency, packet sizes, etc. As such, network traffic signatures learned by machine learning approaches may not be robust enough to identify bots [139], which would eventually make such approaches ineffective.
Moreover, some of the proposed approaches, such as [56, 88], rely on deep packet inspection (DPI) techniques to analyze network packet contents. In particular, BotMiner, proposed in [56], groups hosts that share similar communication patterns in performing malicious activities. More recently, BotDetector, proposed in [88], leverages DPI techniques to monitor information recorded in HTTP headers. However, these checks can be bypassed through encryption of C&C channels. Moreover, DPI based approaches are computationally expensive. Therefore, we conclude that network traffic signature based approaches are not suitable for dynamic and evolving IoT environments.
Group and community behavior based approaches
Some works use group and community behaviour analysis for botnet detection [39, 139, 91, 149]. As an example, similarly to us, [39] exploits mutual contacts extracted from the network traffic flows of hosts in order to identify bots in a P2P network. [39] executes a dye-pumping algorithm, which iteratively pumps dye into the nodes of the mutual contacts graph through a coefficient called dye-attraction, so that nodes more likely to be bots receive more dye; the algorithm then picks the nodes with more dye than a threshold. In contrast, [139] collects network flow records at the edge routers of a campus network and performs group-level behaviour analysis on the network traffic flows with a Support Vector Machine (SVM) to label P2P bot clusters. BotGrep [91] is a network graph structure based botnet detection method that uses data mining techniques for bot detection. Its graph, the communication graph, is structured according to the information on node pair communications; BotGrep partitions the communication graph into smaller pieces, the localized communication graphs. However, these approaches are able to detect only previously known bot types. Therefore, they are not suitable for IoT, where new botnets emerge frequently [75]. Differently, PeerHunter [149] exploits the Louvain method to perform network flow level community behaviour analysis on the mutual contacts graph, without relying on previously known bot types. Yet, PeerHunter performs static botnet detection on the collected network traffic flow data, which is inadequate for a dynamic and evolving IoT environment that requires dynamic botnet detection.
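As an added illustration of the mutual contacts idea shared by [39], [149] and AutoBotCatcher (this is example code, not the algorithm of [39] nor the project's own code), the following Python builds a mutual contacts graph from constructed flow records and runs a simplified dye-pumping pass over it; the hosts, the dye-attraction rule and the threshold are assumptions made here.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow records (src host -> dst host); not from any real capture.
# B1..B3 are bots in a P2P overlay whose peers are P1..P4; H1..H3 are benign
# hosts talking to servers S1..S3 (H1 also happens to contact one peer, P1).
FLOWS = [
    ("B1", "P1"), ("B1", "P2"), ("B1", "P3"),
    ("B2", "P1"), ("B2", "P2"), ("B2", "P3"),
    ("B3", "P1"), ("B3", "P2"), ("B3", "P4"),
    ("H1", "S1"), ("H1", "S2"), ("H1", "P1"),
    ("H2", "S1"), ("H2", "S3"),
    ("H3", "S1"), ("H3", "S2"),
]


def mutual_contacts_graph(flows, min_shared=2):
    """Undirected weighted graph over source hosts: an edge joins two hosts
    that share at least min_shared destinations; the weight is that count."""
    contacts = defaultdict(set)
    for src, dst in flows:
        contacts[src].add(dst)
    graph = {host: {} for host in contacts}
    for a, b in combinations(sorted(contacts), 2):
        shared = len(contacts[a] & contacts[b])
        if shared >= min_shared:
            graph[a][b] = graph[b][a] = shared
    return graph


def pump_dye(graph, rounds=2):
    """Simplified dye pumping (an assumed rule, not the one of [39]): every
    host starts with one unit of dye; each round a host keeps its dye and
    receives dye[neighbour] * attraction, where the dye-attraction of an edge
    is its weight divided by the largest weight in the graph, so dense
    clusters of hosts sharing many contacts accumulate dye fastest."""
    max_w = max((w for nbrs in graph.values() for w in nbrs.values()), default=1)
    dye = {host: 1.0 for host in graph}
    for _ in range(rounds):
        dye = {
            host: dye[host] + sum(dye[nb] * w / max_w for nb, w in nbrs.items())
            for host, nbrs in graph.items()
        }
    return dye


def label_bots(flows, threshold=4.0, **kwargs):
    """Hosts whose dye exceeds the threshold after pumping (assumed cut-off)."""
    dye = pump_dye(mutual_contacts_graph(flows), **kwargs)
    return sorted(host for host, d in dye.items() if d > threshold)
```

With the constructed flows, the three bots end up with more than five units of dye while the benign pair H1/H3, which shares only two servers, stays below three, so only B1, B2 and B3 are labelled.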
Blockchain-based botnet detection approach
Blockchain technology might be a solution to the problems faced by the relevant works proposed in the literature. In fact, to enable multiple parties to collaborate in botnet detection, in designing AutoBotCatcher (Chapter 6) we chose to use blockchain rather than a centralized system, given the benefits blockchain might bring. Thanks to its distributed consensus protocol, a blockchain platform does not require a central trusted party to validate the correct execution of the collaborative process (i.e., botnet detection), and it ensures transparency of the collected snapshots of communities of IoT devices, overcoming the possible lack of trust among the parties involved in botnet detection (see Section 2.2.2). Moreover, as a state transition machine, blockchain lets us model the whole botnet detection process as a set of shared application states (i.e., the states of the parties collaborating in botnet detection). This allows AutoBotCatcher to perform dynamic and collaborative botnet detection on a large number of IoT devices.

Table 3.2: Summary of the main features of the reviewed approaches and their comparison with AutoBotCatcher.

Reviewed approaches  Decentralized architecture  Dynamic bot detection  Working on encrypted payload  Tailored for IoT  Multi-party collaboration  Blockchain based
[56]                 ✗                           ✗                      ✗                             ✗                 ✗                          ✗
[143]                ✗                           ✗                      ✓                             ✗                 ✗                          ✗
[67]                 ✗                           ✗                      ✓                             ✗                 ✗                          ✗
[110]                ✗                           ✗                      ✗                             ✗                 ✗                          ✗
[104]                ✗                           ✓                      ✓                             ✗                 ✗                          ✗
[144]                ✗                           ✗                      ✓                             ✗                 ✗                          ✗
[93]                 ✗                           ✓                      ✓                             ✗                 ✗                          ✗
[88]                 ✓                           ✓                      ✓                             ✓                 ✗                          ✗
[59]                 ✗                           ✓                      ✓                             ✗                 ✗                          ✗
[39]                 ✗                           ✓                      ✓                             ✗                 ✗                          ✗
[139]                ✗                           ✓                      ✓                             ✗                 ✗                          ✗
[91]                 ✗                           ✗                      ✓                             ✗                 ✗                          ✗
[149]                ✗                           ✗                      ✓                             ✗                 ✗                          ✗
AutoBotCatcher       ✓                           ✓                      ✓                             ✓                 ✓                          ✓