A closer look at the HTTP and P2P based botnets from a detector’s perspective

Abstract

Botnets are one of the most serious threats to cybersecurity. To evade detection systems, recent botnets use the most common communication protocols on the Internet so that their traffic blends in with legitimate user traffic. From this perspective, most recent botnets are HTTP based and/or Peer-to-Peer (P2P) systems. In this work, we investigate whether such structural differences have any impact on the performance of botnet detection systems. To this end, we compare three machine learning techniques (Decision Tree, Genetic Programming and Bayesian Networks), all of which have previously been shown to be effective against HTTP based botnets. We also analyze the resulting detection models in detail to highlight any behavioural differences between these two types of botnets. In our analysis, we employed four publicly available HTTP based botnet data sets (namely Citadel, Zeus, Conficker and Virut) and four publicly available P2P based botnet data sets (namely ISOT, NSIS, ZeroAccess and Kelihos).

Citation (APA)

Haddadi, F., & Zincir-Heywood, A. N. (2016). A closer look at the HTTP and P2P based botnets from a detector’s perspective. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9482, pp. 212–228). Springer Verlag. https://doi.org/10.1007/978-3-319-30303-1_13
