Abstract:
The distributed and decentralized nature of peer-to-peer (P2P) networks has offered a lucrative alternative to
bot-masters to build botnets. P2P botnets are not prone to any single point of failure and have been proven to be
highly resilient against takedown attempts. Moreover, smarter bots are stealthy in their communication patterns and
elude the standard discovery techniques which look for anomalous network or communication behavior. In this
paper, we present a methodology to detect P2P botnet traffic and differentiate it from benign P2P traffic in a network.
Our approach neither assumes the availability of any ‘seed’ information of bots nor relies on deep packet inspection. It
aims to detect the stealthy behavior of P2P botnets. That is, we aim to detect P2P botnets when they lie dormant (to
evade detection by intrusion detection systems) or while they perform malicious activities (spamming, password
stealing, etc.) in a manner which is not observable to a network administrator.
Our approach PeerShark combines the benefits of flow-based and conversation-based approaches with a two-tier
architecture, and addresses the limitations of these approaches. By extracting statistical features from the network
traces of P2P applications and botnets, we build supervised machine learning models which can accurately
differentiate between benign P2P applications and P2P botnets. PeerShark could also detect unknown P2P botnet
traffic with high accuracy.