Detection of p2p botnet traffic (Updated Mar 2)
- CSC 466
- Mar 3, 2020
What is a p2p botnet?
A P2P botnet is a collection of internet-connected, malware-infected devices (bots) that a bot-master controls remotely. Unlike a centralized botnet, which depends on one or a few command-and-control servers, a P2P botnet passes commands from peer to peer, so there is no single server that defenders can block or take down.
P2P botnets are dangerous because botnets are commonly used to send email spam, run click-fraud campaigns and generate the malicious traffic behind distributed denial-of-service (DDoS) attacks, and the decentralized structure makes the botnet resilient to takedown.
Detection Methods
1. Single-stage methods
Port-based method:
This method relies on the simple observation that many P2P applications have default ports on which they operate. When these applications run, they use these ports to communicate with the outside world. Administrators only need to observe the network traffic and check for connection records that use these ports; a match may indicate P2P activity.
However, most P2P applications let users change the default port numbers and pick whatever port(s) they like. Many newer P2P applications also use random ports, which makes the ports unpredictable, and there is a trend for P2P applications to hide their function ports behind well-known application ports such as port 80. All these issues make port-based analysis less effective.
Signature-based method:
Signature-based P2P bot detection inspects each packet entering or leaving the network's Internet gateway for special features such as port numbers, byte sequences in the payload and blacklisted IP addresses. These features are extracted from known botnet infections and stored in a signature database.
While signature-based detection has a good detection rate and is easy to deploy, it has two major limitations. First, it is deterministic: it relies on features of known botnet infections and cannot detect unknown bots. Even known bots can evade it by changing their communication ports or by encrypting the packet payload to hide the bot-specific byte sequences. Second, inspecting every packet degrades performance, especially when the traffic consists mostly of benign data.
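The following is an added example (not code from the original post) of the packet-level matching the port-based and signature-based methods perform, and of the evasion described above. The signature database, the bot handshake bytes, the addresses and the packets are all constructed for this example and do not describe any real bot family.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Signature:
    name: str
    dport: Optional[int] = None            # None means any port
    payload_prefix: bytes = b""            # byte sequence expected at the start of the payload
    bad_ips: FrozenSet[str] = frozenset()  # blacklisted addresses


# Hypothetical signature database. The port and the byte string are constructed
# for this example and do not describe any real bot family.
SIGNATURES = [
    Signature("demo-bot-hello", dport=6881, payload_prefix=b"\x13BOTHELLO"),
    Signature("blacklisted-peer", bad_ips=frozenset({"203.0.113.7"})),
]


def match(pkt: Packet, sig: Signature) -> bool:
    """Every feature the signature specifies must match the packet."""
    if sig.dport is not None and pkt.dport != sig.dport:
        return False
    if sig.payload_prefix and not pkt.payload.startswith(sig.payload_prefix):
        return False
    if sig.bad_ips and pkt.src not in sig.bad_ips and pkt.dst not in sig.bad_ips:
        return False
    return True


def scan(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Return (packet index, signature name) for every packet that hits a signature."""
    return [(i, sig.name) for i, pkt in enumerate(packets)
            for sig in SIGNATURES if match(pkt, sig)]


def xor(data: bytes, key: int) -> bytes:
    """Stand-in for the payload encryption a bot might add to hide its byte sequence."""
    return bytes(b ^ key for b in data)


# Constructed traffic (not a capture): the known handshake, the same handshake
# moved to port 80 and XOR-obfuscated, a TLS-looking packet to a blacklisted
# address, and a plain HTTP request.
HELLO = b"\x13BOTHELLO\x00\x01"
PACKETS = [
    Packet("10.0.0.5", "198.51.100.2", 6881, HELLO),
    Packet("10.0.0.5", "198.51.100.2", 80, xor(HELLO, 0x5A)),
    Packet("10.0.0.9", "203.0.113.7", 443, b"\x16\x03\x01\x00\x2a"),
    Packet("10.0.0.3", "192.0.2.10", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for idx, name in scan(PACKETS):
        print(f"packet {idx}: {name}")
```

Packet 0 and packet 2 are reported; packet 1 is the same bot after it switched to port 80 and obfuscated its payload, and the matcher has no feature left to match on, which is exactly the first limitation above.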
Pattern-based method:
The pattern-based approach relies on traffic behaviour patterns. Most modern P2P networks and protocols use UDP as the carrying protocol, and P2P applications produce a distinctive UDP connection pattern. This pattern can be used to process network traffic and find out which hosts are running P2P applications with a decentralized structure, and all that is needed is the network's flow records.
Most modern decentralized P2P applications behave similarly: at startup they create one or several listening UDP sockets, and throughout their lifetime they use these UDP ports to communicate with a large number of outside addresses. Peers keep using one or several fixed UDP ports to make the connections that carry the control work (for example peer discovery and keep-alive messages). Hosts and P2P applications are identified by this behaviour pattern.
This UDP session method has two disadvantages: it can only identify P2P applications that use a decentralized structure, and if the P2P application uses TCP rather than UDP for its control function, the identification fails.
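As an added example (not the original post's code), here is the UDP session pattern above implemented over flow records: for each internal host, count how many distinct remote addresses each of its UDP ports has talked to, and flag hosts that keep one port busy with many peers. The 10.0.0.0/24 prefix, the peer threshold of 8 and the flow records are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."   # assumption: the monitored network is 10.0.0.0/24


def flow(src, sport, dst, dport, proto="udp") -> dict:
    """One NetFlow-style record; only the 5-tuple is needed for this method."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "proto": proto}


def udp_peers(flows: List[dict]) -> Dict[Tuple[str, int], Set[str]]:
    """Map (internal host, its UDP port) -> distinct remote addresses seen on that
    port in either direction, so inbound contacts on the listening port count too."""
    peers: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["src"].startswith(INTERNAL_PREFIX):
            peers[(f["src"], f["sport"])].add(f["dst"])
        if f["dst"].startswith(INTERNAL_PREFIX):
            peers[(f["dst"], f["dport"])].add(f["src"])
    return peers


def p2p_hosts(flows: List[dict], min_peers: int = 8) -> Dict[str, Tuple[int, int]]:
    """Hosts that keep one UDP port busy with at least min_peers distinct remote
    addresses. Returns host -> (port, peer count) for the busiest such port."""
    found: Dict[str, Tuple[int, int]] = {}
    for (host, port), remote in udp_peers(flows).items():
        if len(remote) >= min_peers and len(remote) > found.get(host, (0, 0))[1]:
            found[host] = (port, len(remote))
    return found


# Constructed flow records (not a capture).
FLOWS: List[dict] = []
# 10.0.0.5 talks to 12 peers from one fixed UDP port: the decentralized P2P pattern.
FLOWS += [flow("10.0.0.5", 51413, f"198.51.100.{i}", 6881) for i in range(1, 13)]
# ...and a 13th peer contacts that listening port from outside.
FLOWS.append(flow("198.51.100.99", 6881, "10.0.0.5", 51413))
# 10.0.0.3 makes 30 DNS queries, each from a fresh ephemeral port, to one resolver:
# many UDP flows but only one remote address per port, so it is not flagged.
FLOWS += [flow("10.0.0.3", 40000 + i, "192.0.2.53", 53) for i in range(30)]
# 10.0.0.7 shows the same many-peer pattern over TCP; the UDP session method
# ignores it, which is the second limitation described above.
FLOWS += [flow("10.0.0.7", 4444, f"203.0.113.{i}", 4444, proto="tcp") for i in range(1, 13)]

if __name__ == "__main__":
    for h, (port, n) in p2p_hosts(FLOWS).items():
        print(f"{h} uses UDP/{port} with {n} distinct peers")
```

Only 10.0.0.5 is reported. The DNS client is not, because each of its ephemeral ports sees a single peer, and the TCP host is not, because the method never looks at TCP; in practice the peer threshold has to be tuned per network so that busy benign UDP services are not flagged.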
Statistical-based method:
Statistical botnet detection is based on statistical modelling of the traffic, and there are many different ways to do it. One reliable method is to detect periodic and synchronous behaviour (bots that check in at regular intervals, and many bots that act at the same moment) using a K-means approximation.
Botnet detection based on a statistical analysis of mail flow also speeds up email filtering while reducing network traffic and potentially lowering the false-positive rate. The shortcoming of this approach is that it inspects the email headers rather than the email content.
Statistics-based methods cannot detect flows that differ from their training data, and they suffer from a class-imbalance problem: botnet flows are a tiny fraction of all traffic, so a classifier trained on the raw mix is biased toward the benign majority.
In general, single-stage methods are not accurate enough to classify P2P botnet traffic on their own.
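The following is an added example (not from the original post) of the periodic and synchronous behaviour the statistical method looks for. It uses a simpler statistic than the K-means approach mentioned above: the coefficient of variation of each host's connection inter-arrival times flags regular beaconing, and bucketing timestamps into short windows flags groups of hosts that act together. The timeline, the hosts, the 0.2 threshold and the 3-second window are constructed assumptions.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def inter_arrivals(times: List[float]) -> List[float]:
    times = sorted(times)
    return [b - a for a, b in zip(times, times[1:])]


def periodicity_score(times: List[float]) -> Optional[float]:
    """Coefficient of variation of the inter-arrival times. Regular check-ins
    give a value near 0; human-driven traffic gives a value near or above 1."""
    gaps = inter_arrivals(times)
    if len(gaps) < 3:
        return None
    mean = statistics.fmean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def periodic_hosts(conns: List[Tuple[str, float]], max_cv: float = 0.2,
                   min_events: int = 5) -> Dict[str, float]:
    """Hosts whose outbound connections are regular enough to look like beaconing."""
    by_host: Dict[str, List[float]] = defaultdict(list)
    for h, t in conns:
        by_host[h].append(t)
    flagged: Dict[str, float] = {}
    for h, times in by_host.items():
        if len(times) < min_events:
            continue
        cv = periodicity_score(times)
        if cv is not None and cv <= max_cv:
            flagged[h] = round(cv, 3)
    return flagged


def synchronous_groups(conns: List[Tuple[str, float]], window: float = 3.0,
                       min_hosts: int = 3) -> Dict[float, List[str]]:
    """Time windows in which at least min_hosts distinct hosts connected:
    bots reacting to the same command act together."""
    buckets: Dict[int, set] = defaultdict(set)
    for h, t in conns:
        buckets[int(t // window)].add(h)
    return {b * window: sorted(hs) for b, hs in buckets.items() if len(hs) >= min_hosts}


# Constructed timeline in seconds (not a capture): three bots check in every 60 s
# with sub-second jitter and a fixed 0.5 s offset from each other, and one user
# host browses at irregular times.
JITTER = [0.0, 0.4, -0.3, 0.2, -0.1, 0.3, 0.0]
CONNS: List[Tuple[str, float]] = []
for n, bot in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
    CONNS += [(bot, 10 + 60 * k + j + 0.5 * n) for k, j in enumerate(JITTER)]
CONNS += [("10.0.0.3", t) for t in [3, 7, 30, 31, 95, 140, 141.5]]

if __name__ == "__main__":
    print("periodic hosts:", periodic_hosts(CONNS))
    print("synchronous windows:", len(synchronous_groups(CONNS)))
```

The three bots score a coefficient of variation under 0.01 and appear together in all seven windows; the user host scores above 0.9 and never coincides with them. The thresholds are where the class-imbalance problem shows up in practice: they are tuned on very few bot samples against a large benign population, and benign periodic clients (NTP, update checks) sit close to the bot side of the boundary.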
2. Two-stage method
P2P and P2P botnet traffic classification

A hybrid traffic classifier separates P2P traffic in two stages. The first stage uses a packet-level signature-based classifier and a flow-level statistics-based classifier to separate P2P traffic from non-P2P traffic. The second stage uses a P2P botnet traffic classifier to separate P2P botnet traffic from benign P2P traffic.
Compared with single-stage classifiers, the two-stage classifier lowers the final error rate and mitigates the class-imbalance problem, because the second stage only sees the much smaller set of P2P flows, in which botnet flows are no longer a vanishing minority. The reported flow accuracy of the two-stage method is over 97%, higher than that of the single-stage methods.
However, the existing hybrid classification approaches need a lot of computation and time, and the P2P botnet traffic classifier has to be extended to detect the specific P2P botnet traffic generated by different malware families. It is nonetheless the better way to detect P2P botnet traffic.
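To make the two-stage argument concrete, here is an added example (not the classifier from the post or the work it summarizes) that runs a rule-based version of the pipeline over a constructed set of per-host behaviour profiles. Stage 1 keeps only hosts with P2P-like flow statistics; stage 2 applies a botnet behaviour rule to those. The same botnet rule applied to all hosts stands in for a single-stage classifier. The features, the thresholds, the host profiles and the labels are all assumptions, and this toy omits the packet-signature classifier that the real stage 1 also includes.

```python
from typing import Callable, List


# One behaviour profile per host, aggregated from its flows. Features:
#   peers    - distinct remote addresses
#   udp      - fraction of flows carried over UDP
#   cv       - coefficient of variation of connection inter-arrival times (low = periodic)
#   size_sd  - standard deviation of payload sizes (low = uniform control messages)
# "label" is the ground truth, used only to measure the error rate.
def host(label: str, peers: int, udp: float, cv: float, size_sd: float) -> dict:
    return {"label": label, "peers": peers, "udp": udp, "cv": cv, "size_sd": size_sd}


# Constructed dataset (not measured): 34 hosts, of which only 2 are P2P bots.
HOSTS: List[dict] = (
    [host("web", 3 + i % 10, 0.0, 0.9, 300.0) for i in range(20)]
    + [host("dns", 2, 1.0, 0.7, 40.0) for _ in range(5)]
    + [host("ntp", 4, 1.0, 0.05, 0.0) for _ in range(3)]        # periodic and uniform, but not P2P
    + [host("bittorrent", 80 + 5 * i, 0.9, 0.8, 400.0) for i in range(4)]
    + [host("p2pbot", 40, 0.95, 0.05, 5.0) for _ in range(2)]
)


def stage1_is_p2p(h: dict) -> bool:
    """Flow-level statistics: many distinct peers, mostly over UDP."""
    return h["peers"] >= 20 and h["udp"] >= 0.5


def stage2_is_bot(h: dict) -> bool:
    """Botnet-specific behaviour among P2P hosts: periodic, uniform-sized messages."""
    return h["cv"] <= 0.2 and h["size_sd"] <= 20.0


def two_stage(h: dict) -> bool:
    return stage1_is_p2p(h) and stage2_is_bot(h)


def single_stage(h: dict) -> bool:
    """The botnet behaviour rule applied to all traffic, without the P2P filter."""
    return stage2_is_bot(h)


def stage1_output(hosts: List[dict]) -> List[dict]:
    """What the second-stage classifier actually gets to see."""
    return [h for h in hosts if stage1_is_p2p(h)]


def error_rate(classifier: Callable[[dict], bool], hosts: List[dict]) -> float:
    wrong = sum(classifier(h) != (h["label"] == "p2pbot") for h in hosts)
    return wrong / len(hosts)


def bot_fraction(hosts: List[dict]) -> float:
    """Share of bots in a set of hosts: the class balance a classifier is trained on."""
    return sum(h["label"] == "p2pbot" for h in hosts) / len(hosts)


if __name__ == "__main__":
    print("bot share, all hosts:    ", round(bot_fraction(HOSTS), 3))
    print("bot share after stage 1: ", round(bot_fraction(stage1_output(HOSTS)), 3))
    print("error rate, single stage:", round(error_rate(single_stage, HOSTS), 3))
    print("error rate, two stage:   ", round(error_rate(two_stage, HOSTS), 3))
```

In this constructed set the bots are 2 of 34 hosts overall but 2 of the 6 hosts that reach stage 2, which is the class-imbalance relief the post describes, and the single-stage rule misclassifies the three NTP clients whose periodic, uniform traffic looks like bot check-ins once the P2P context is dropped. A real deployment replaces these hand-written thresholds with trained classifiers and pays the computation cost noted above.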