PeerHunter: Detecting Peer-to-Peer Botnets through Community Behavior Analysis
Di Zhuang, J. Morris Chang

TL;DR
PeerHunter is a novel community behavior analysis method that effectively detects P2P botnets by clustering hosts based on mutual contacts and analyzing community behaviors, achieving high detection accuracy.
Contribution
The paper introduces PeerHunter, a new approach combining community detection and behavior analysis to identify P2P botnets, addressing challenges not handled by prior methods.
Findings
High detection rate of P2P botnets
Low false positive rate in detection
Effective on real and simulated network data
Abstract
Peer-to-peer (P2P) botnets have become one of the major threats in network security, serving as the infrastructure responsible for a wide range of cyber-crimes. Though a few existing works claim to detect traditional botnets effectively, detecting P2P botnets involves additional challenges. In this paper, we present PeerHunter, a community behavior analysis based method that is capable of detecting botnets that communicate via a P2P structure. PeerHunter starts from a P2P host detection component. It then uses mutual contacts as the main feature to cluster bots into communities. Finally, it uses community behavior analysis to detect potential botnet communities and further identify bot candidates. Through extensive experiments with real and simulated network traces, PeerHunter achieves a very high detection rate and low false positives.
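The mutual-contact clustering step the abstract describes, as an added illustration that is not the paper's code: constructed flow records, a host graph that links pairs sharing at least `min_shared` destination IPs, and connected components as communities. The `cohesion` score is an assumed stand-in for the paper's community behavior features, which the abstract does not detail.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow records (src_host, dst_ip), not from the paper's datasets:
# h1-h3 share most of their peers (bot-like), h4-h6 are ordinary clients.
FLOWS = [("h1", "203.0.113.5"), ("h1", "203.0.113.6"), ("h1", "203.0.113.7"),
         ("h2", "203.0.113.5"), ("h2", "203.0.113.6"), ("h2", "203.0.113.8"),
         ("h3", "203.0.113.6"), ("h3", "203.0.113.7"), ("h3", "203.0.113.8"),
         ("h4", "198.51.100.1"), ("h4", "198.51.100.2"),
         ("h5", "198.51.100.1"), ("h5", "198.51.100.3"), ("h6", "198.51.100.4")]

def contacts_by_host(flows):
    """Map each source host to the set of destination IPs it contacted."""
    contacts = defaultdict(set)
    for src, dst in flows:
        contacts[src].add(dst)
    return contacts

def mutual_contact_graph(contacts, min_shared=2):
    """Link two hosts when they share at least min_shared destinations (mutual contacts)."""
    graph = {h: set() for h in contacts}
    for a, b in combinations(sorted(contacts), 2):
        if len(contacts[a] & contacts[b]) >= min_shared:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def communities(graph):
    """Connected components of the mutual-contact graph, as sorted tuples."""
    seen, result = set(), []
    for start in sorted(graph):
        if start not in seen:
            comp, stack = set(), [start]
            while stack:
                h = stack.pop()
                if h not in comp:
                    comp.add(h)
                    stack.extend(graph[h])
            seen |= comp
            result.append(tuple(sorted(comp)))
    return result

def cohesion(comp, contacts):
    """Assumed behavior feature: mean Jaccard overlap of contact sets over host pairs (0.0 for a singleton)."""
    pairs = list(combinations(comp, 2))
    if not pairs:
        return 0.0
    return sum(len(contacts[a] & contacts[b]) / len(contacts[a] | contacts[b])
               for a, b in pairs) / len(pairs)
```

With the constructed flows, h1-h3 form one community with cohesion 0.5 while h4-h6 stay isolated; lowering `min_shared` to 1 merges h4 and h5, which shows how the threshold trades false communities against missed ones.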
