Title :
Ichnaea: Effective P2P botnet detection approach based on analysis of network flows
Author :
Khodadadi, Rahimeh ; Akbari, Behzad
Author_Institution :
Faculty of Information Technology Engineering Science and Research Branch, Islamic Azad University, Qazvin, Iran
Abstract :
Recently, peer-to-peer (P2P) botnets have become one of the formidable threats to the Internet, and they are therefore considered a serious challenge for botnet detection research. In recent years many methods have been proposed to detect P2P botnets based on similarity analysis or failure analysis of network flows; however, none of these methods alone is sufficient to detect new P2P botnets. In this paper a new method is proposed that combines flow similarity analysis, flow failure analysis and analysis of hosts with a high degree of outgoing connections to detect P2P botnets. At the end of each time period, the network traffic is received as input and a feature vector is extracted for each TCP, UDP and DNS flow. By clustering these feature vectors, hosts with suspicious group activities are identified; hosts with suspicious flow failures and a suspiciously high degree of outgoing connections are also identified. Finally, a negative reputation is calculated for each host from its history of group activities, flow failures and high degree of outgoing connections, and hosts with a high negative reputation are reported as bot-infected. Experimental results on distinguishing different P2P botnets show that the proposed method is able to detect these botnets with a low false positive rate.
Keywords :
Clustering algorithms; Command and control systems; Feature extraction; History; Peer-to-peer computing; Servers; Vectors; botnet detection; clustering; failure analysis; high degree of outgoing connections; network flow; similarity analysis;
Conference_Titel :
Telecommunications (IST), 2014 7th International Symposium on
Conference_Location :
Tehran
Print_ISBN :
978-1-4799-5358-5
DOI :
10.1109/ISTEL.2014.7000837