P2P and P2P botnet traffic classification in two stages

Abstract

Nowadays accurate P2P traffic classification has become increasingly significant for network management. In addition, it is important to distinguish P2P botnet traffic from normal P2P traffic in order to find P2P malware and to immediately detect P2P botnets. Several approaches including port-based, signature-based, pattern-based, and statistics-based methods have been proposed to classify P2P and P2P botnet traffic. However, a single method alone cannot accurately classify both P2P and P2P botnet traffic. In this paper, we propose a hybrid traffic classifier that is composed of two stages. The first stage consists of a P2P traffic classifier that works in two steps. In the first step, a signature-based classifier is combined with connection heuristics, and in the second step, a statistics-based classifier is compensated by pattern heuristics. The statistics-based classifier is built using REPTree, a decision tree algorithm. The second stage is comprised of a P2P botnet traffic classifier that distinguishes P2P botnet traffic from other P2P traffic. The verification analysis and experiments using real datasets reveal that the proposed scheme provides a low overhead and achieves a high flow and byte accuracy of 97.70 and 97.06 % to classify P2P and P2P botnet traffic.