Abstract

Nowadays, there is no effective solution for taking down P2P botnets. In this paper, we propose a probabilistic node-removal method for P2P botnets that form a random network, which reduces the resilience of the C&C channel of P2P botnets more effectively than previous methods. We introduce a new approach for selecting the critical nodes. In our method, the command entry points are identified from the receiving times of commands collected at some bots, and the critical nodes are then determined from these entry points. Our approach also covers cases in which the botmaster injects commands into the botnet from more than one point. If the topology of the botnet is unknown, our method can be applied to a reconstructed topology. We also define a new metric that accurately measures the power of the botnet after the critical nodes are removed; this metric is compatible with several command entry points. We have validated our method through simulations. The results indicate that we can isolate significantly more nodes from the origin than the other node-removal methods. In the best results, we isolated the first node of a botnet with 500 peers by removing only 8% of the bots. In the same botnet, 22% of the bots are isolated by only 75 removals, while the best of the other methods isolates 1% of the bots with 466 removals. Moreover, in two cases of a P2P botnet with multiple command entry points, our method isolated around 14 and 22 times more nodes compared to the best of the other methods.
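The abstract measures takedown effectiveness as the share of bots that can no longer be reached from any command entry point after a set of nodes is removed. The following added example (written for this page, not the paper's code or algorithm) makes that metric concrete on a constructed random overlay: it computes the fraction of surviving bots with no path to any entry point, handles several entry points at once, and drives a simple greedy removal heuristic with it. The greedy heuristic, the synthetic graph, and the convention that removed bots are not counted as isolated are all assumptions of this example, not claims about the paper's method.

```python
"""Isolation metric for a P2P botnet overlay with one or more command entry
points, plus a greedy node-removal heuristic driven by that metric.
Constructed example code; the graph is synthetic and the heuristic is not
the method of the paper summarised above."""
import random
from collections import deque


def make_random_graph(n, avg_degree, seed=0):
    """Constructed random (Erdős–Rényi style) graph as an adjacency dict.
    Stands in for a P2P botnet overlay whose topology has been reconstructed;
    it is synthetic sample input, not real botnet data."""
    rng = random.Random(seed)
    p = avg_degree / (n - 1)
    adj = {v: set() for v in range(n)}
    for u in range(n):
        for v in range(u + 1, n):
            if rng.random() < p:
                adj[u].add(v)
                adj[v].add(u)
    return adj


def bridge_graph():
    """Constructed toy topology: entry point 0 feeds cluster {1, 2}; bot 2 is
    the only bridge into a second cluster {3, 4, 5}."""
    edges = [(0, 1), (0, 2), (1, 2), (2, 3), (3, 4), (3, 5), (4, 5)]
    adj = {v: set() for v in range(6)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def reachable_from(adj, entry_points, removed):
    """Breadth-first search from all command entry points at once, skipping
    removed nodes. Returns the surviving bots that still have a path to at
    least one entry point (i.e. can still receive commands)."""
    seen = {s for s in entry_points if s not in removed}
    queue = deque(seen)
    while queue:
        u = queue.popleft()
        for w in adj[u]:
            if w not in removed and w not in seen:
                seen.add(w)
                queue.append(w)
    return seen


def isolated_fraction(adj, entry_points, removed):
    """Share of the whole botnet that can no longer receive a command from
    any entry point: surviving bots with no path to an entry point, divided
    by the original bot count. Removed bots are not counted as isolated
    (assumption of this example)."""
    alive = reachable_from(adj, entry_points, removed)
    cut_off = [v for v in adj if v not in removed and v not in alive]
    return len(cut_off) / len(adj)


def greedy_removal(adj, entry_points, budget):
    """Hypothetical heuristic (not the paper's method): repeatedly remove the
    non-entry bot whose removal most increases the isolated fraction,
    breaking ties by remaining degree. Returns the set of removed bots."""
    removed = set()
    for _ in range(budget):
        best = None
        for v in adj:
            if v in removed or v in entry_points:
                continue
            gain = isolated_fraction(adj, entry_points, removed | {v})
            degree = sum(1 for w in adj[v] if w not in removed)
            key = (gain, degree)
            if best is None or key > best[0]:
                best = (key, v)
        if best is None:
            break
        removed.add(best[1])
    return removed


if __name__ == "__main__":
    net = make_random_graph(150, 4, seed=7)
    # Single entry point versus three entry points: the same removals
    # isolate fewer bots when the botmaster has more injection points.
    for entries in ({0}, {0, 1, 2}):
        for budget in (5, 15, 30):
            cut = greedy_removal(net, entries, budget)
            print(f"entries={sorted(entries)} removed={budget:3d} "
                  f"isolated={isolated_fraction(net, entries, cut):.2%}")
```

On the toy bridge graph, removing bot 2 isolates half the botnet from a single entry point at 0, but isolates nothing once bot 3 is also an entry point, which is exactly the case the metric must handle; the greedy loop also shows a caveat, since once the gain of every candidate ties it will spend budget on bots that are already cut off.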
