Botyacc: Unified P2P Botnet Detection Using Behavioural Analysis and Graph Analysis

  • Shishir Nagaraja
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8713)


The detection and isolation of peer-to-peer botnets is an ongoing problem. We propose a novel technique for detecting P2P botnets. Detection is based on unifying behavioural analysis with structured graph analysis. First, our inference technique exploits a fundamental property of botnet design. Modern botnets use peer-to-peer communication topologies which are fundamental to botnet resilience. Second, our technique extends conventional graph-based detection by incorporating behavioural analysis into structured graph analysis, thus unifying graph-theoretic detection with behavioural detection under a single algorithmic framework. We carried out evaluation over real-world P2P botnet traffic and show that the resulting algorithm can localise the majority of bots with low false-positive rate.


Traffic analysis botnet detection behavioural analysis graph theory 


  1. 1.
    Botlab: A real-time botnet monitoring platform,
  2. 2.
    The Cooperative Association for Internet Data Analysis,
  3. 3.
    Collins, M.P., Reiter, M.K.: Hit-list worm detection and bot identification in large networks using protocol graphs. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 276–295. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  4. 4.
    Franklin, J., Paxson, V., Perrig, A., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: ACM Conference on Computer and Communications Security, pp. 375–388. ACM, New York (2007)Google Scholar
  5. 5.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In: Proc. of the USENIX Security Symposium (2008)Google Scholar
  6. 6.
    Gummadi, R., Balakrishnan, H., Maniatis, P., Ratnasamy, S.: Not-a-Bot (NAB): Improving Service Availability in the Face of Botnet Attacks. In: NSDI 2009, Boston, MA (April 2009)Google Scholar
  7. 7.
    Iliofotou, M., Faloutsos, M., Mitzenmacher, M.: Exploiting dynamicity in graph-based traffic analysis: Techniques and applications. In: ACM CoNext (2009)Google Scholar
  8. 8.
    Iliofotou, M., Pappu, P., Faloutsos, M., Mitzenmacher, M., Varghese, G., Kim, H.: Graption: Automated detection of P2P applications using traffic dispersion graphs (TDGs). UC Riverside Technical Report, CS-2008-06080 (2008)Google Scholar
  9. 9.
  10. 10.
    Jelasity, M., Bilicki, V.: Towards automated detection of peer-to-peer botnets: On the limits of local approaches. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET (2009)Google Scholar
  11. 11.
    Jelasity, M., Billicki, V.: Towards automated detection of peer-to-peer botnets: On the limits of local approaches. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET) (2009)Google Scholar
  12. 12.
    John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying spamming botnets using botlab. In: NSDI 2009: Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation, pp. 291–306. USENIX Association, Berkeley (2009)Google Scholar
  13. 13.
    Kaashoek, M., Karger, D.: Koorde: A simple degree-optimal distributed hash table. In: Kaashoek, M.F., Stoica, I. (eds.) IPTPS 2003. LNCS, vol. 2735, pp. 98–107. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  14. 14.
    Maymounkov, P., Mazières, D.: Kademlia: A peer-to-peer information system based on the xor metric. In: Druschel, P., Kaashoek, M.F., Rowstron, A. (eds.) IPTPS 2002. LNCS, vol. 2429, pp. 53–65. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  15. 15.
    Nagaraja, S., Mittal, P., Hong, C.-Y., Caesar, M., Borisov, N.: BotGrep: Finding P2P bots with structured graph analysis. In: USENIX Security Symposium, pp. 95–110 (2010)Google Scholar
  16. 16.
    Paxson, V., Christodorescu, M., Javed, M., Rao, J., Sailer, R., Schales, D., Stoecklin, M.P., Thomas, K., Venema, W., Weaver, N.: Practical comprehensive bounds on surreptitious communication over dns. In: Proceedings of the 22Nd USENIX Conference on Security (2013)Google Scholar
  17. 17.
    Perdisci, R., Lee, W., Feamster, N.: Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. In: Proc. of the USENIX Symposium on Networked Systems Design & Implementation (2010)Google Scholar
  18. 18.
    Stinson, E., Mitchell, J.C.: Characterizing bots’ remote control behavior. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection. Advances in Information Security, vol. 36, pp. 45–64. Springer (2008)Google Scholar
  19. 19.
    Stoica, I., Morris, R., Karger, D., Kaashoek, M.F., Balakrishnan, H.: Chord: A scalable peer-to-peer lookup service for Internet applications. In: Proceedings of ACM SIGCOMM (August 2001)Google Scholar
  20. 20.
    Zhao, Q., Xu, J., Liu, Z.: Design of a novel statistics counter architecture with optimal space and time efficiency. In: ACM SIGMETRICS (June 2006)Google Scholar
  21. 21.
    Zhao, Y., Xie, Y., Yu, F., Ke, Q., Yu, Y., Chen, Y., Gillum, E.: Botgraph: Large scale spamming botnet detection. In: NSDI (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Shishir Nagaraja
    • 1
  1. 1.School of Computer ScienceUniversity of BirminghamUK

Personalised recommendations