Monitoring Peer-to-Peer Botnets: Requirements, Challenges, and Future Works

Abstract

The cyber-criminal compromises end-hosts (bots) to configure a network of bots (botnet). The cyber-criminals are also looking for an evolved architecture that makes their techniques more resilient and stealthier such as Peer-to-Peer (P2P) networks. The P2P botnets leverage the privileges of the decentralized nature of P2P networks. Consequently, the P2P botnets exploit the resilience of this architecture to be arduous against take-down procedures. Some P2P botnets are smarter to be stealthy in their Command-and-Control mechanisms (C2) and elude the standard discovery mechanisms. Therefore, the other side of this cyberwar is the monitor. The P2P botnet monitoring is an exacting mission because the monitoring must care about many aspects simultaneously. Some aspects pertain to the existing monitoring approaches, some pertain to the nature of P2P networks, and some to counter the botnets, i.e., the anti-monitoring mechanisms. All these challenges should be considered in P2P botnet monitoring. To begin with, this paper provides an anatomy of P2P botnets. Thereafter, this paper exhaustively reviews the existing monitoring approaches of P2P botnets and thoroughly discusses each to reveal its advantages and disadvantages. In addition, this paper groups the monitoring approaches into three groups: passive, active, and hybrid monitoring approaches. Furthermore, this paper also discusses the functional and non-functional requirements of advanced monitoring. In conclusion, this paper ends by epitomizing the challenges of various aspects and gives future avenues for better monitoring of P2P botnets.