Improved Detection of P2P Botnets through Network Behavior Analysis

  • Shree Garg
  • Anil K. Sarje
  • Sateesh Kumar Peddoju
Part of the Communications in Computer and Information Science book series (CCIS, volume 420)


Botnets are becoming powerful threats on the Internet because they launch targeted attacks towards organizations and the individuals. P2P botnets are resilient and more difficult to detect due to their nature of using different distributed approaches and encryption techniques. Classification based techniques proposed in the literature to detect P2P botnets, report high overall accuracy of the classifier but fail to recognize individual classes at the similar rates. Identification of non-bot traffic is equally important as that of bot classes for the reliability of the classifier. This paper proposes a model to distinguish P2P botnet command and control network traffic from normal traffic at higher rate of both the classes using ensemble of decision trees classifier named Random Forests. Further to optimize the performance, this model also addresses the problem of imbalanced nature of dataset using techniques like downsampling and cost sensitive learning. Performance analysis has been done on the proposed model and evaluation results show that true positive rate for both botnet and legitimate classes are more than 0.99 whereas false positive rate is 0.008.


P2P botnets Random Forests Ensemble Imbalanced Problem Network flow Network Security Peer to Peer network 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Chen, L., Richard, R.B.: Timing analysis in P2P botnet traffic using probabilistic context-free grammars. In: CSIIRW 2013. ACM, Oak Ridge (2013)Google Scholar
  2. 2.
    Saad, S., Traore, I., Ghorbani, A., Sayed, B., Zhao, D., Wei, L., Felix, J., Hakimian, P.: Detecting P2P botnets through network behavior analysis and machine learning. In: 2011 Ninth Annual International Conference on Privacy, Security and Trust (PST), pp. 174–180 (2012)Google Scholar
  3. 3.
    Hand, D., Mannila, H., Smyth, P.: Principles of Data Mining. MIT Press, Cambridge (2001)Google Scholar
  4. 4.
    Livadas, C., Walsh, R., Lapsley, D., Strayer, W.T.: Usilng Machine Learning Technliques to Identify Botnet Traffic. In: Proceedings 2006 31st IEEE Conference on Local Computer Networks, pp. 967–974 (2006)Google Scholar
  5. 5.
    Guofei, G., Roberto, P., Junjie, Z., Wenke, L.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th Conference on Security Symposium. USENIX Association, San Jose (2008)Google Scholar
  6. 6.
    Fedynyshyn, G., Chuah, M.C., Tan, G.: Detection and classification of different botnet C&C channels. In: Calero, J.M.A., Yang, L.T., Mármol, F.G., García Villalba, L.J., Li, A.X., Wang, Y. (eds.) ATC 2011. LNCS, vol. 6906, pp. 228–242. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  7. 7.
    Junjie, Z., Perdisci, R., Wenke, L., Sarfraz, U., Xiapu, L.: Detecting stealthy P2P botnets using statistical traffic fingerprints. In: 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN), pp. 121–132 (2011)Google Scholar
  8. 8.
    Alaidaros, H., Mahmuddin, M., Mazari, A.A.: An Overview of Flow-based and Packet-based Intrusion Detection Performance in High Speed Networks. In: Proceedings of the International Arab Conference on Information Technology (2011)Google Scholar
  9. 9.
    François, J., Wang, S., State, R., Engel, T.: BotTrack: Tracking Botnets Using NetFlow and PageRank. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011, Part I. LNCS, vol. 6640, pp. 1–14. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  10. 10.
    Lin, S.-C., Chen, P., Chang, C.-C.: A novel method of mining network flow to detect P2P botnets. In: Peer-to-Peer Networking and Applications, pp. 1–10 (2012)Google Scholar
  11. 11.
    Dietrich, C.J., Rossow, C., Pohlmann, N.: CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis. Comput. Netw. 57, 475–486 (2013)CrossRefGoogle Scholar
  12. 12.
    Huang, C.-Y.: Effective bot host detection based on network failure models. Computer Networks 57, 514–525 (2013)CrossRefGoogle Scholar
  13. 13.
    Garg, S., Singh, A.K., Sarje, A.K., Peddoju, S.K.: Behaviour Analysis of Machine Learning Algorithms for detecting P2P Botnets. In: International Conference on Advanced Computing Technologies (2013)Google Scholar
  14. 14.
    Breiman, L.: Random Forests. Machine Learning 45, 5–32 (2001)CrossRefzbMATHGoogle Scholar
  15. 15.
    Chao, C., Andy, L., Leo, B.: Using Random Forest to Learn Imbalanced Data. University of California, Berkeley (2004)Google Scholar
  16. 16.
    Galar, M., Ferna, X., Ndez, A., Barrenechea, E., Bustince, H., Herrera, F.: A Review on Ensembles for the Class Imbalance Problem: Bagging-, Boosting-, and Hybrid-Based Approaches. IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews 42, 463–484 (2012)CrossRefGoogle Scholar
  17. 17.
    Barthakur, P., Dahal, M., Ghose, M.K.: A Framework for P2P Botnet Detection Using SVM. In: Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 195–200 (2012)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Shree Garg
    • 1
  • Anil K. Sarje
    • 1
  • Sateesh Kumar Peddoju
    • 1
  1. 1.Indian Institute of Technology RoorkeeRoorkeeIndia

Personalised recommendations