
Identifying Peer-to-peer Botnets Through Periodicity Behavior Analysis

Posted on: 2019-09-22
Degree: Master
Type: Thesis
Country: China
Candidate: P F Wang
Full Text: PDF
GTID: 2428330545953701
Subject: Software engineering

Abstract/Summary:
Botnets have become one of the major threats to network security. They are networks of machines that are infected by malware and remotely controlled by botmasters. Botnets are often used to launch various malicious activities such as sending spam, performing Distributed Denial of Service (DDoS) attacks, click fraud, password cracking, and keylogging. Most early botnets were centralized, communicating mainly over IRC and HTTP. Such centralized botnets suffer from a single point of failure and are easily identified and blocked. As technology developed, botmasters applied P2P technology to botnets and built distributed botnets, namely P2P botnets. Because of their distributed nature, P2P botnets are more concealed, more robust, and more harmful. It is therefore very important to identify bots in the network as early as possible in order to reduce their threat to network security.

In this paper, we propose a new system that can identify P2P bots. It first separates P2P-related traffic from the rest of the network traffic based on the characteristics of P2P traffic; this P2P-related traffic includes both traffic generated by legitimate P2P applications and traffic generated by P2P botnets. It then distinguishes P2P botnet traffic from the traffic of legitimate P2P applications by analyzing their activity ratio, packet size, and periodic communication behavior. In this way the traffic generated by the P2P botnet is identified, and the host in the monitored network that generates this traffic is further identified as a bot.

In the experimental stage, the method is evaluated on real-world traffic datasets and other publicly accessible botnet datasets. The datasets used in the experiments include a non-P2P traffic dataset, a legitimate P2P traffic dataset, a P2P botnet dataset, and a mixed dataset containing both legitimate P2P data and P2P botnet data. Experiments show that the method can identify all the bots in the monitored network with an extremely low false positive rate. Moreover, it can identify P2P bots even when a malicious P2P application and a benign P2P application coexist on the same host, or when there is only one bot in the monitored network.
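The second stage described above (activity ratio, packet size and periodic communication behavior) as an added Python sketch; this is not the thesis's code, and the coefficient-of-variation periodicity measure, the window size, the thresholds and the flow records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (host, timestamp in seconds, payload bytes).
# Host 10.0.0.5 mimics a bot: small packets on a fixed 60 s beat.
# Host 10.0.0.7 mimics a benign file-sharing peer: bursty, large payloads.
FLOWS = (
    [("10.0.0.5", 60 * i, 92) for i in range(1, 30)]
    + [("10.0.0.7", t, b) for t, b in
       [(5, 1400), (7, 1400), (9, 1400), (230, 1300), (233, 1400),
        (800, 1200), (803, 1400), (1500, 1400), (1502, 1400), (1700, 1100)]]
)


def periodicity_score(timestamps):
    """Coefficient of variation of inter-contact gaps; near 0 means a fixed beat."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("inf")  # too few contacts to judge periodicity
    return pstdev(gaps) / mean(gaps)


def activity_ratio(timestamps, span, window=300):
    """Fraction of fixed windows in [0, span) during which the host made contact."""
    n_windows = -(-span // window)  # ceiling division
    active = {int(t // window) for t in timestamps}
    return len(active) / n_windows


def profile_hosts(flows, span, max_cv=0.2, min_ratio=0.8, max_bytes=256):
    """Per-host metrics plus a verdict combining the three assumed thresholds."""
    by_host = defaultdict(list)
    for host, t, size in flows:
        by_host[host].append((t, size))
    result = {}
    for host, recs in by_host.items():
        ts = [t for t, _ in recs]
        cv = periodicity_score(ts)
        ratio = activity_ratio(ts, span)
        avg_bytes = mean(s for _, s in recs)
        result[host] = {
            "periodicity_cv": round(cv, 3),
            "activity_ratio": round(ratio, 3),
            "avg_bytes": round(avg_bytes, 1),
            # flagged only when all three criteria point the same way
            "suspected_bot": cv <= max_cv and ratio >= min_ratio and avg_bytes <= max_bytes,
        }
    return result
```

On the constructed flows, `profile_hosts(FLOWS, span=1800)` flags 10.0.0.5 (CV 0.0, activity ratio 1.0, 92-byte average) and clears 10.0.0.7 (irregular gaps, activity ratio 0.5, 1340-byte average).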
Keywords/Search Tags:P2P botnet, botnet detection, periodicity behavior, Spark