
A novel method of mining network flow to detect P2P botnets

Published in: Peer-to-Peer Networking and Applications

Abstract

Botnets are a serious threat to cyber-security. As a consequence, botnet detection has become an important research topic in network protection and cyber-crime prevention. P2P botnets are among the most malicious zombie networks, because their architecture imitates legitimate P2P software. Characteristics of P2P botnets include (1) the use of multiple controllers to avoid a single point of failure; (2) the use of encryption to evade misuse (signature-based) detection; and (3) the capacity to evade anomaly detection, usually by initiating numerous sessions without consuming substantial bandwidth. To overcome these difficulties, we propose a novel data mining method. First, we identify the differences between P2P botnet behavior and normal network behavior. Then, we use these differences to tune the data-mining parameters so that clustering separates normal Internet behavior from that of lurking P2P botnets. The method can identify a P2P botnet without breaking its encryption. Furthermore, the detection system can be deployed without altering the existing network architecture, and it can detect the existence of botnets in a complex traffic mix before they attack. The experimental results show that the method is effective in recognizing the existence of botnets. Accordingly, the results of this study will be of value to information security academics and practitioners.
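As an added example (not the paper's code, which this page does not reproduce), the sketch below turns NetFlow-style records into the per-host features the abstract's traits suggest (session count, distinct peers, bytes per session) and separates hosts with a plain 2-means clustering; the constructed records, the feature set and the clustering choice are assumptions, not the paper's tuned parameters.

```python
from collections import defaultdict
from math import sqrt

# Constructed NetFlow-like records (src, dst, bytes): 10.0.0.7 and 10.0.0.9 open many
# tiny sessions to many peers (abstract traits 1 and 3); the rest look like clients.
FLOWS = (
    [("10.0.0.1", "198.51.100.5", 48000), ("10.0.0.1", "198.51.100.9", 120000),
     ("10.0.0.2", "198.51.100.5", 65000), ("10.0.0.2", "198.51.100.7", 9000),
     ("10.0.0.3", "198.51.100.5", 70000), ("10.0.0.3", "198.51.100.9", 30000),
     ("10.0.0.3", "198.51.100.8", 15000)]
    + [("10.0.0.7", f"203.0.113.{i}", 300) for i in range(1, 41)]
    + [("10.0.0.9", f"203.0.113.{i}", 250) for i in range(10, 60)]
)

def host_features(flows):
    """Per source host: (sessions, distinct peers, mean bytes per session).
    Only flow metadata is used, so encrypted payloads change nothing."""
    sess, peers, total = defaultdict(int), defaultdict(set), defaultdict(int)
    for src, dst, nbytes in flows:
        sess[src] += 1
        peers[src].add(dst)
        total[src] += nbytes
    return {h: (sess[h], len(peers[h]), total[h] / sess[h]) for h in sess}

def two_means(points, rounds=20):
    """Plain 2-means on min-max scaled features, an assumed stand-in for the
    paper's tuned clustering. Seeds: hosts with the fewest and most sessions."""
    hosts = list(points)
    cols = list(zip(*(points[h] for h in hosts)))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    scaled = {h: tuple((v - l) / (u - l) if u > l else 0.0
                       for v, l, u in zip(points[h], lo, hi)) for h in hosts}
    dist = lambda a, b: sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
    cents = [scaled[min(hosts, key=lambda h: scaled[h][0])],
             scaled[max(hosts, key=lambda h: scaled[h][0])]]
    label = {}
    for _ in range(rounds):
        label = {h: int(dist(scaled[h], cents[1]) < dist(scaled[h], cents[0]))
                 for h in hosts}
        for k in (0, 1):
            members = [scaled[h] for h in hosts if label[h] == k]
            if members:  # keep the old centroid if a cluster empties out
                cents[k] = tuple(sum(c) / len(members) for c in zip(*members))
    return label, cents

def suspect_hosts(flows):
    """Hosts in the cluster whose centroid has the higher (scaled) session count."""
    label, cents = two_means(host_features(flows))
    busy = int(cents[1][0] > cents[0][0])
    return sorted(h for h, k in label.items() if k == busy)
```

On the constructed records the two many-session, low-volume hosts land in their own cluster; on real traffic the features and the number of clusters are what the paper reports tuning, and a CDN-heavy client or a scanner will need that tuning rather than these fixed choices.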



Corresponding author: Shu-Chiung Lin.


Cite this article

Lin, S.C., Chen, P.S. & Chang, C.C. A novel method of mining network flow to detect P2P botnets. Peer-to-Peer Netw. Appl. 7, 645–654 (2014). https://doi.org/10.1007/s12083-012-0195-x
