Abstract
Nowadays, botnets use peer-to-peer (P2P) networks for command and control (C&C) infrastructure. In contrast to traditional centrally organized botnets, structured-P2P-based botnets have no central point of failure, which makes them harder to detect and more robust and consequently degrades botnet detection efficiency. In this work, an efficient structured-P2P-based botnet detection strategy based on the aggregation and stability analysis of network traffic is proposed. Because the flows of a structured-P2P-based bot exhibit statistical stability, owing to the bot's impartial position in the botnet and its automatic execution of pre-programmed control activities, we develop a stability detection subsystem to differentiate regular clients from bots. However, a supervised network may carry a large quantity of flows, which makes botnet detection rather inefficient. Thus, a small flow-aggregation extraction subsystem is further developed to exclude, ahead of stability detection, the majority of flows that are unlikely to be C&C communication of structured-P2P-based bots. Extensive experimental results show that the proposed approach is very efficient and can detect structured-P2P-based botnets with a low false positive ratio. © 2010 ACADEMY PUBLISHER.
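The two-stage pipeline the abstract describes, as an added illustration that is not the paper's code: a flow-aggregation filter first keeps only (source, port) groups that talk to many distinct peers, then a stability stage scores the surviving groups by the coefficient of variation of their inter-flow gaps and flow sizes. The peer-count criterion, the two features, the thresholds and the flow records are all constructed assumptions, not values from the paper.

```python
"""Two-stage P2P botnet flow analysis: aggregation filter, then stability scoring."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
FLOWS = (
    # Simulated bot: periodic, near-identical small flows to many distinct peers on one port.
    [(60 * i, "10.0.0.5", f"198.51.100.{i}", 6881, 120 + (i % 2)) for i in range(12)]
    # Simulated client: bursty browsing to two servers, widely varying sizes and gaps.
    + [(t, "10.0.0.7", "203.0.113.10", 443, b)
       for t, b in [(3, 900), (5, 15000), (6, 2100), (140, 48000), (141, 600), (300, 7300)]]
    + [(t, "10.0.0.7", "203.0.113.11", 443, b) for t, b in [(4, 1200), (310, 33000)]]
)

def aggregate(flows, min_peers=5):
    """Stage 1 (assumed criterion): group flows by (src, dst_port) and keep only groups
    that reach at least min_peers distinct destinations, a trait of a P2P overlay."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dport)].append((ts, dst, nbytes))
    return {k: v for k, v in groups.items() if len({d for _, d, _ in v}) >= min_peers}

def cv(values):
    """Coefficient of variation; 0 means perfectly stable."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")

def stability_score(group):
    """Stage 2 (assumed features): the larger of the CVs of inter-flow gaps and of flow
    sizes. Lower means more stable; groups too small to judge are scored unstable."""
    if len(group) < 3:
        return float("inf")
    times = sorted(t for t, _, _ in group)
    gaps = [b - a for a, b in zip(times, times[1:])]
    sizes = [n for _, _, n in group]
    return max(cv(gaps), cv(sizes))

def suspicious_hosts(flows, min_peers=5, max_cv=0.1):
    """Source IPs whose aggregated flow group is both P2P-like and statistically stable."""
    return sorted({src for (src, _), g in aggregate(flows, min_peers).items()
                   if stability_score(g) <= max_cv})
```

With `min_peers=1` the client host survives stage 1 but is still rejected by stage 2, which shows why the aggregation stage is a performance filter rather than the detector itself.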
Li, Z., Wang, B., Li, D., Chen, H., Liu, F., & Hu, Z. (2010). The aggregation and stability analysis of network traffic for structured-P2P-based botnet detection. Journal of Networks, 5(5), 517–526. https://doi.org/10.4304/jnw.5.5.517-526