Abstract

The distributed and decentralized nature of peer-to-peer (P2P) networks has offered bot-masters a lucrative alternative for building botnets. P2P botnets are not prone to any single point of failure and have proven to be highly resilient against takedown attempts. Moreover, smarter bots are stealthy in their communication patterns and elude the standard discovery techniques, which look for anomalous network or communication behavior. In this paper, we present a methodology to detect P2P botnet traffic and differentiate it from benign P2P traffic in a network. Our approach neither assumes the availability of any ‘seed’ information about bots nor relies on deep packet inspection. It aims to detect the stealthy behavior of P2P botnets. That is, we aim to detect P2P botnets when they lie dormant (to evade detection by intrusion detection systems) or while they perform malicious activities (spamming, password stealing, etc.) in a manner which is not observable to a network administrator. Our approach, PeerShark, combines the benefits of flow-based and conversation-based approaches with a two-tier architecture, and addresses the limitations of these approaches. By extracting statistical features from the network traces of P2P applications and botnets, we build supervised machine learning models which can accurately differentiate between benign P2P applications and P2P botnets. PeerShark could also detect unknown P2P botnet traffic with high accuracy.
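As an added illustration of the two-tier idea the abstract describes (flow records merged into host-pair conversations, then statistical features derived for a classifier), here is example code that is not the PeerShark authors' implementation; the flow-record layout, the sample records and the feature names are this example's assumptions, not the paper's feature set:

```python
from collections import defaultdict
from statistics import median

# Constructed flow records (not real traffic), one per direction, in the shape
# a flow exporter would emit: (start_ts, src_ip, dst_ip, src_port, dst_port,
# proto, packets, bytes). Addresses come from documentation ranges.
FLOWS = [
    (0.0,   "10.0.0.5",      "203.0.113.7",   40001, 6881,  "udp", 2,  180),
    (60.0,  "203.0.113.7",   "10.0.0.5",      6881,  40001, "udp", 2,  170),
    (120.0, "10.0.0.5",      "203.0.113.7",   40001, 6881,  "udp", 2,  180),
    (180.0, "203.0.113.7",   "10.0.0.5",      6881,  40001, "udp", 2,  170),
    (5.0,   "10.0.0.5",      "198.51.100.20", 51000, 443,   "tcp", 40, 48000),
    (7.5,   "198.51.100.20", "10.0.0.5",      443,   51000, "tcp", 35, 2100),
]

def conversation_key(src_ip, dst_ip):
    """Tier 1: both directions between a host pair map to one conversation."""
    return tuple(sorted((src_ip, dst_ip)))

def conversation_features(flows):
    """Tier 2: statistical features of one conversation (assumed feature set)."""
    flows = sorted(flows)                       # order by start timestamp
    starts = [f[0] for f in flows]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    packets = sum(f[6] for f in flows)
    nbytes = sum(f[7] for f in flows)
    return {
        "duration": starts[-1] - starts[0],
        "num_flows": len(flows),
        "num_packets": packets,
        "num_bytes": nbytes,
        "bytes_per_packet": nbytes / packets,
        # Regular, low-variance gaps between small flows are the kind of
        # dormant keep-alive pattern a volume-based detector would miss.
        "median_interarrival": median(gaps) if gaps else 0.0,
        "interarrival_spread": (max(gaps) - min(gaps)) if gaps else 0.0,
    }

def extract_features(flows):
    """Group flow records into conversations and featurize each one."""
    convs = defaultdict(list)
    for f in flows:
        convs[conversation_key(f[1], f[2])].append(f)
    return {key: conversation_features(group) for key, group in convs.items()}

if __name__ == "__main__":
    for key, feats in extract_features(FLOWS).items():
        print(key, feats)
```

The resulting per-conversation feature rows are what a supervised model would be trained on, with labels taken from the known benign and botnet traces.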

Highlights

  • The past decade has seen the immense rise of the peer-to-peer (P2P) computing paradigm.

  • Section 4 (Design choices and implementation details) presents the implementation aspects and design choices of PeerShark in detail; Section 4.1 (Data) describes the data, which consists of benign P2P application traffic and P2P botnet traffic obtained from two different sources.

  • The training as well as test splits contain more than 90% benign data. Such class imbalance makes the task of detecting P2P botnets more challenging, but this ratio is representative of the real-world scenario, where the majority of traffic flowing in a network is benign.

Summary

Introduction

The past decade has seen the immense rise of the peer-to-peer (P2P) computing paradigm. Peer-to-peer overlay networks are distributed systems consisting of interconnected nodes which self-organize into network topologies. They are built with the specific purpose of sharing resources such as content and CPU cycles. The P2P paradigm has been plagued with issues of privacy, security, and piracy, to name a few [3,4,5]. The massive Citadel botnet (a variant of the Zeus (or ‘Gameover’) P2P botnet) is believed to have stolen more than US $500 million from bank accounts over 18 months. It was reported in the past year that 88% of the botnet has been taken down by the combined efforts of Microsoft and several security agencies and authorities of more than 80 countries [11].
