Hades: A Hadoopbased Framework for Detection of PeertoPeer Botnets

Abstract

This paper presents Hades, a Hadoop-based framework for detection of P2P botnets in an enterprise-level network, which is distributed and scalable by design. The contri- butions of this work are two-fold: Firstly, our work uses the Hadoop-ecosystem to adopt a ‘host-aggregation based’ approach which aggregates behavioral metrics for each Peer- to-Peer (P2P) host seen in network communications, and uses them to distinguish between benign P2P hosts and hosts infected by P2P botnets. Secondly, we propose a distributed data-collection architecture which can monitor inside-to-inside LAN traffic, as opposed to relying solely on the NetFlow information available at a backbone router which cannot see the LAN communications happening in the network.