
P2P and P2P botnet traffic classification in two stages

  • Methodologies and Application
  • Soft Computing

Abstract

Nowadays, accurate P2P traffic classification has become increasingly significant for network management. In addition, it is important to distinguish P2P botnet traffic from normal P2P traffic in order to find P2P malware and to detect P2P botnets promptly. Several approaches, including port-based, signature-based, pattern-based, and statistics-based methods, have been proposed to classify P2P and P2P botnet traffic. However, no single method alone can accurately classify both P2P and P2P botnet traffic. In this paper, we propose a hybrid traffic classifier composed of two stages. The first stage is a P2P traffic classifier that works in two steps: in the first step, a signature-based classifier is combined with connection heuristics, and in the second step, a statistics-based classifier is compensated by pattern heuristics. The statistics-based classifier is built using REPTree, a decision tree algorithm. The second stage is a P2P botnet traffic classifier that distinguishes P2P botnet traffic from other P2P traffic. Verification analysis and experiments on real datasets show that the proposed scheme incurs low overhead and achieves high flow and byte accuracies of 97.70 and 97.06 %, respectively, in classifying P2P and P2P botnet traffic.
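The two-stage pipeline the abstract describes, written out as an added example that is not the paper's code: stage 1 labels flows P2P by signature plus a connection heuristic, then runs the leftovers through a statistical rule compensated by a pattern heuristic, and stage 2 separates botnet flows from the P2P set. The signature strings, the `min_peers` and packet-size thresholds (a hand-set rule standing in for the trained REPTree), the coefficient-of-variation botnet heuristic and the sample flows are all assumptions, not the paper's rules or data.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Flow:
    src: str; sport: int; dst: str   # local endpoint and remote host
    payload: bytes                   # first payload bytes of the flow
    sizes: list; gaps: list          # packet sizes (bytes) and inter-packet gaps (seconds)
SIGNATURES = (b"\x13BitTorrent protocol", b"GNUTELLA CONNECT")  # assumed stand-ins, not the paper's set

def step1_signature_and_connection(flows, min_peers=3):
    # Stage 1, step 1: signature match plus an assumed connection heuristic: a local
    # endpoint (src, sport) talking to >= min_peers distinct hosts is a P2P endpoint.
    peers = defaultdict(set)
    for f in flows:
        peers[(f.src, f.sport)].add(f.dst)
    return {i: "p2p" for i, f in enumerate(flows)
            if f.payload.startswith(SIGNATURES) or len(peers[(f.src, f.sport)]) >= min_peers}

def step2_statistics_with_patterns(flows, labels):
    # Stage 1, step 2: a hand-set decision rule (assumed thresholds) stands in for the trained
    # REPTree; the compensating pattern heuristic keeps an endpoint confirmed P2P in step 1 as P2P.
    p2p_endpoints = {(flows[i].src, flows[i].sport) for i in labels}
    for i, f in enumerate(flows):
        if i not in labels:
            tree_says_p2p = mean(f.sizes) < 400 and len(f.sizes) < 20
            labels[i] = "p2p" if tree_says_p2p or (f.src, f.sport) in p2p_endpoints else "non-p2p"
    return labels

def stage2_botnet(flows, labels, cv_limit=0.1):
    # Stage 2: P2P flows with near-constant sizes and regular timing (CV below an assumed limit) are botnet.
    cv = lambda xs: pstdev(xs) / mean(xs) if len(xs) > 1 else 1.0
    for i, f in enumerate(flows):
        if labels[i] == "p2p" and cv(f.sizes) < cv_limit and cv(f.gaps) < cv_limit:
            labels[i] = "p2p-botnet"
    return labels

def classify(flows):
    return stage2_botnet(flows, step2_statistics_with_patterns(flows, step1_signature_and_connection(flows)))
# Constructed sample flows (not real captures): A is a BitTorrent peer, C a Gnutella peer,
# B a host beaconing to one peer with fixed-size packets, 10.0.0.6 an ordinary HTTP client.
A, B, C = ("10.0.0.5", 6881), ("10.0.0.9", 4444), ("10.0.0.7", 51413)
SAMPLE = [
    Flow(*A, "198.51.100.1", b"\x13BitTorrent protocol", [68, 1400, 1400, 300], [0.01, 0.5, 0.02]),
    Flow(*A, "198.51.100.2", b"\x00\x00\x04\x17", [200, 900, 150], [0.1, 0.3]),
    Flow(*A, "198.51.100.3", b"\x00\x00\x04\x17", [180, 1400, 1400], [0.2, 0.1]),
    Flow("10.0.0.6", 52001, "203.0.113.8", b"GET / HTTP/1.1", [1400] * 30, [0.01] * 29),
    Flow(*C, "198.51.100.9", b"GNUTELLA CONNECT", [400, 60, 900], [0.5, 0.2]),
    Flow(*C, "198.51.100.10", b"\x00\x00\x04\x17", [1400, 1200, 1400, 900] * 6, [0.01, 0.05] * 10),
    Flow(*B, "192.0.2.44", b"\xa1\x5c\x00\x09", [120] * 6, [30.0] * 5),
]
```

In the sample, C's second flow is mislabelled non-P2P by the statistical rule alone and is rescued by the pattern heuristic, while B's beaconing flow reaches stage 2 only through the statistical step and is then split off as botnet traffic.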



Acknowledgments

The present research was conducted by the research fund of Dankook University in 2015.

Corresponding author

Correspondence to Kyungsan Cho.

Ethics declarations

Conflict of interest

This research was supported by the research fund of Dankook University in 2015.

Additional information

Communicated by V. Loia.


Cite this article

Ye, W., Cho, K. P2P and P2P botnet traffic classification in two stages. Soft Comput 21, 1315–1326 (2017). https://doi.org/10.1007/s00500-015-1863-6
