Computer Science Department Seminar

11:30AM-12:30PM, Wednesday, April 28, 2010

Prof. Nasir Memon, Polytechnic Institute of New York University

Title: Friends of an Enemy: Detecting P2P Botnets


Botnets, which are networks of compromised hosts (bots) under the control of a botmaster, have become a major threat for todays networks. Botmasters use botnets to perform various malicious activities such as spamming, phishing, stealing sensitive information, conducting distributed denial of service (DDoS) attacks, scanning to find more hosts to compromise, etc. Bots, which perform such malicious activities, often go over the radar and get detected by Intrusion/Anomaly Detection Systems. In fact, network administrators regularly discover bots, which expose themselves by sending spam emails or performing a scan, etc.

In this talk we show that once a single peer-to-peer (P2P) bot is detected in a network, it may be possible to efficiently identify other members of the same botnet in the same network even before they exhibit any overtly malicious behavior. Detection is done based on an analysis of the connections made by the hosts in the network. It turns out, due to reasons very similar to the Birthday Paradox, that even if bots select their peers randomly and independently, any given pair of P2P bots in a network communicate with at least one mutual peer outside the network with a surprisingly high probability. This, along with the low probability of any other host communicating with this mutual peer, allows us to link local nodes within a P2P botnet together. We propose a simple method to identify members of a P2P botnet in a network starting from a known peer. We formulate the problem as a graph problem and mathematically analyze a solution using an iterative algorithm. The proposed scheme is simple and requires only flow records captured at network borders. We analyze the efficacy of the proposed scheme using real botnet data obtained from both observing and crawling the Nugache botnet. We also evaluate the worst case performance of the proposed scheme with artificial botnet traffic generated by a generic P2P botnet model.


Nasir Memon is a Professor in the Computer Science Department at Polytechnic Institute of New York University (NYU-Poly). He is the director of the Information Systems and Internet Security (ISIS, lab at NYU-Poly. His research interests include Data Compression, Computer and Network Security, Digital Forensics, and Multimedia Data Security. Prof. Memon is the co-founder of Digital Assembly ( and Vivic Networks (, two early stage start-ups in NYU-Poly's BEST incubator.

For more information about this colloquium, please contact Habib M. Ammari at