Title :
Entelecheia: Detecting P2P botnets in their waiting stage
Author :
Huy Hang ; Xuetao Wei ; Faloutsos, Michalis ; Eliassi-Rad, Tina
Author_Institution :
Univ. of California, Riverside, Riverside, CA, USA
Abstract :
Detecting botnets is a critical need for securing one's network and the Internet at large. Despite significant efforts, the problem of botnet detection is still unresolved, especially when one wants to detect: (a) decentralized or peer-to-peer botnets, (b) botnets that are in a non-active period known as the “Waiting” stage, and (c) polymorphic bots that evade signature detection. We propose a graph-based approach called Entelecheia that is aimed at addressing all three challenges above. The inspiration for our work started with the following question: Can we detect botnets by examining long-lived and low-intensity flows? Despite their intuitive appeal, right-out-of-the-box solutions based on this idea produce too many false positives. To make the idea effective, we propose a graph-based solution that focuses on the “social” behavior of the botnet. Specifically, we introduce: (a) the concept of Superflow, to create a graph of likely malicious flows, and (b) two synergistic graph-mining steps to cluster and label botnet nodes. We conduct extensive experiments using real botnet traces injected into real traffic traces. Our approach, Entelecheia, produces a median F1 score of 91.8% across various experiments and is robust to various setups and parameter values. Entelecheia can be seen as a first step towards a new and more effective way of detecting botnets.
Keywords :
Internet; computer network security; data mining; graph theory; pattern clustering; peer-to-peer computing; Entelecheia; Internet; P2P botnet detection problem; botnet social behavior; decentralized botnets; graph-based approach; graph-based solution; long-lived flows; low-intensity flows; malicious flows; median F1 score; peer-to-peer botnets; polymorphic bots; signature detection; synergistic graph-mining steps; waiting stage; anomaly detection; botnet; community; graph-mining; security;
Conference_Titel :
IFIP Networking Conference, 2013
Conference_Location :
Brooklyn, NY