PeerClear: Peer-to-Peer Bot-net Detection

  • Amit Kumar
  • Nitesh Kumar
  • Anand HandaEmail author
  • Sandeep Kumar Shukla
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11527)


A bot-net is a network of infected hosts (bots) that works independently under the control of a Botmaster (Bot herder), which issues commands to bots using command and control (C&C) servers. Bot-net architectures have advanced over time, to evade detection and disruption. Traditionally, bot-nets used a centralized client-server architecture which had a single point of failure but with the advent of peer-to-peer technology, the problem of single point of failure seems to have been resolved. Gaining advantage of the decentralized nature of the P2P architecture, botmasters started using P2P based communication mechanism. P2P bot-nets are highly resilient against detection even after some bots are identified or taken down. P2P bot-nets provide central frameworks for different cyber-crimes which include DDoS (Distributed Denial of Service), email spam, phishing, password sniffing, etc. In this paper, we propose PeerClear, an approach for identifying P2P bot-nets using network traffic analysis. PeerClear uses a two-step process for identifying P2P bots. In the first step, the hosts involved in P2P traffic are detected and in the second step, the detected hosts are further analyzed to detect bot-nets. Our evaluation shows that our approach PeerClear outperformed several recent approaches and achieves a high detection rate of 99.85%. We also implement multiple new approaches reported in the literature and test on the same dataset to evaluate their relative performance.


Bot-net Dynamic analysis Machine learning Malware detection 



This work was partially funded by Science and Engineering Research Board, Government of India.


  1. 1.
  2. 2.
  3. 3.
    Tshark - Dump and Analyze Network Traffic, March 2018.
  4. 4.
    Vint Cerf: One Quarter of All Computers part of a Botnet (2018).
  5. 5.
    Alauthaman, M., Aslam, N., Zhang, L., Alasem, R., Hossain, M.A.: A P2P botnet detection scheme based on decision tree and adaptive multilayer neural networks. Neural Comput. Appl. 29(11), 991–1004 (2018)CrossRefGoogle Scholar
  6. 6.
    Beiknejad, H., Vahdat-Nejad, H., Moodi, H.: P2P botnet detection based on traffic behavior analysis and classification. Int. J. Comput. Inf. Technol. 6(1), 01–12 (2018)Google Scholar
  7. 7.
    Chen, T., Guestrin, C.: XGBoost: a scalable tree boosting system. In: Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 785–794. ACM (2016)Google Scholar
  8. 8.
    Comodo: Latest malware attacks, May 2018.
  9. 9.
    Dhayal, H., Kumar, J.: Peer-to-Peer botnet detection based on bot behaviour. Int. J. Adv. Res. Comput. Sci. 8(3), 172–175 (2017)Google Scholar
  10. 10.
    Dillon, C.: Peer-to-Peer botnet detection using NetFlow. Master’s thesis, University of Amsterdam (2014)Google Scholar
  11. 11.
    Donges, N.: The Random Forest Algorithm (2018).
  12. 12.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats (2008)Google Scholar
  13. 13.
    Kheir, N., Han, X., Wolley, C.: Behavioral fine-grained detection and classification of P2P bots. J. Comput. Virol. Hacking Tech. 11(4), 217–233 (2015)CrossRefGoogle Scholar
  14. 14.
    KimiNewt: Python wrapper for tshark, allowing python packet parsing using wireshark dissectors, June 2018.
  15. 15.
    Lelli, A.: Zeusbot/Spyeye P2P Updated, Fortifying the Botnet (2018).
  16. 16.
    Lontivero: A Resilient Peer-to-Peer Botnet Agent in.NET, April 2017.
  17. 17.
    Narang, P., Ray, S., Hota, C.: PeerShark: detecting peer-to-peer botnets by tracking conversations. In: IEEE Security and Privacy Workshops (2014)Google Scholar
  18. 18.
    Nunnery, C., Sinclair, G., Kang, B.B.: Tumbling down the rabbit hole: exploring the idiosyncrasies of botmaster systems in a multi-tier botnet infrastructure. In: Proceedings of the 3rd USENIX Conference on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (2010)Google Scholar
  19. 19.
    Quinlan, J.R.: Induction of decision trees. Mach. Learn. 1(1), 81–106 (1986)Google Scholar
  20. 20.
    Rodriguez-Gomez, R.A., Macia-Fernandez, G., García-Teodoroa, P., Steiner, M., Balzarotti, D.: Resource monitoring for detection of parasite P2P botnets. Comput. Netw. 70, 302–3011 (2014)CrossRefGoogle Scholar
  21. 21.
    Saiyod, S., Chanthakoummane, Y., Benjamas, N., Khamphakdee, N., Chaichawananit, J.: Improving intrusion detection on snort rules for botnet detection. Softw. Netw. 2018(1), 191–212 (2018)Google Scholar
  22. 22.
    Schollmeier, R.: A definition of peer-to-peer networking for the classification of peer-to-peer architectures and applications. In: First International Conference on Peer-to-Peer Computing (2002)Google Scholar
  23. 23.
    Singh, S.C.: High-tech and computer crimes: global challenges, global responses. In: Nirmal, B., Singh, R. (eds.) Contemporary Issues in International Law, pp. 413–437. Springer, Singapore (2018). Scholar
  24. 24.
    Yin, C.: Towards accurate node-based detection of P2P botnets. Sci. World J. 2014, 10 p. (2014)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Amit Kumar
    • 1
  • Nitesh Kumar
    • 1
  • Anand Handa
    • 1
    Email author
  • Sandeep Kumar Shukla
    • 1
  1. 1.C3I Center, Department of CSEIndian Institute of Technology, KanpurKanpurIndia

Personalised recommendations