Soft Computing

, Volume 21, Issue 5, pp 1315–1326 | Cite as

P2P and P2P botnet traffic classification in two stages

Methodologies and Application


Nowadays accurate P2P traffic classification has become increasingly significant for network management. In addition, it is important to distinguish P2P botnet traffic from normal P2P traffic in order to find P2P malware and to immediately detect P2P botnets. Several approaches including port-based, signature-based, pattern-based, and statistics-based methods have been proposed to classify P2P and P2P botnet traffic. However, a single method alone cannot accurately classify both P2P and P2P botnet traffic. In this paper, we propose a hybrid traffic classifier that is composed of two stages. The first stage consists of a P2P traffic classifier that works in two steps. In the first step, a signature-based classifier is combined with connection heuristics, and in the second step, a statistics-based classifier is compensated by pattern heuristics. The statistics-based classifier is built using REPTree, a decision tree algorithm. The second stage is comprised of a P2P botnet traffic classifier that distinguishes P2P botnet traffic from other P2P traffic. The verification analysis and experiments using real datasets reveal that the proposed scheme provides a low overhead and achieves a high flow and byte accuracy of 97.70 and 97.06 % to classify P2P and P2P botnet traffic.


P2P traffic P2P botnet traffic Two-stage classification Heuristic rules Machine learning Class imbalance problem 


  1. Barthakur P, Dahal M, Ghose MK (2012) A framework for p2p botnet detection using svm. In: 2012 International conference on cyber-enabled distributed computing and knowledge discovery (CyberC), IEEE, pp 195–200Google Scholar
  2. Bernaille L, Teixeira R, Salamatian K (2006) Early application identification. In: Proceedings of the 2006 ACM CoNEXT conference, ACM, p 6Google Scholar
  3. Castiglione A, De Prisco R, De Santis A, Fiore U, Palmieri F (2014) A botnet-based command and control approach relying on swarm intelligence. J Netw Comput Appl 38:22–33CrossRefGoogle Scholar
  4. Chen Z, Yang B, Chen Y, Abraham A, Grosan C, Peng L (2009) Online hybrid traffic classifier for peer-to-peer systems based on network processors. Appl Soft Comput 9(2):685–694CrossRefGoogle Scholar
  5. Chiou TW, Tsai SC, Lin YB (2014) Network security management with traffic pattern clustering. Soft Comput 18(9):1757–1770CrossRefGoogle Scholar
  6. Dittrich D, Dietrich S (2008) P2p as botnet command and control: a deeper insight. In: 3rd International conference on malicious and unwanted software, 2008. MALWARE 2008. IEEE, pp 41–48Google Scholar
  7. Elhalabi MJ, Manickam S, Melhim LB, Anbar M, Alhalabi H (2013) A review of peer-to-peer botnet detection techniques. J Comput Sci 10(1):169CrossRefGoogle Scholar
  8. Erman J, Mahanti A, Arlitt M, Cohen I, Williamson C (2007a) Offline/realtime traffic classification using semi-supervised learning. Perform Eval 64(9):1194–1213CrossRefGoogle Scholar
  9. Erman J, Mahanti A, Arlitt M, Williamson C (2007b) Identifying and discriminating between web and peer-to-peer traffic in the network core. In: Proceedings of the 16th international conference on World Wide Web, ACM, pp 883–892Google Scholar
  10. Este A, Gringoli F, Salgarelli L (2009) On the stability of the information carried by traffic flow features at the packet level. ACM SIGCOMM Comput Commun Rev 39(3):13–18CrossRefMATHGoogle Scholar
  11. Garg S, Singh AK, Sarje AK, Peddoju SK (2013) Behaviour analysis of machine learning algorithms for detecting p2p botnets. In: 2013 15th International conference on advanced computing technologies (ICACT), IEEE, pp 1–4Google Scholar
  12. Gringoli F, Salgarelli L, Dusi M, Cascarano N, Risso F et al (2009) Gt: picking up the truth from the ground for internet traffic. ACM SIGCOMM Comput Commun Rev 39(5):12–18CrossRefGoogle Scholar
  13. Guntuku SC, Narang P, Hota C (2013) Real-time peer-to-peer botnet detection framework based on bayesian regularized neural network. arXiv preprint arXiv:13077464Google Scholar
  14. He H, Che C, Ma F, Luo X, Wang J (2008) Improve flow accuracy and byte accuracy in network traffic classification. In: Advanced intelligent computing theories and applications. With aspects of artificial intelligence, 4th ICIC-2008, vol 5227. Springer, Heidelberg, pp 449–458Google Scholar
  15. He J, Yang Y, Wang X, Zeng Y, Tang C (2014) Peersorter: classifying generic p2p traffic in real-time. In: 2014 IEEE 17th International conference on computational science and engineering (CSE), IEEE, pp 605–613Google Scholar
  16. Jiang H, Shao X (2012) Detecting p2p botnets by discovering flow dependency in C&C traffic. Peer-to-Peer Netw Appl 7(4):320–331CrossRefGoogle Scholar
  17. Jpcap (2007) Jpcap introduction.
  18. Jun L, Shunyi Z, Shidong L, Ye X (2007) P2p traffic identification technique. In: 2007 International conference on computational intelligence and security, IEEE, pp 37–41Google Scholar
  19. Karagiannis T, Broido A, Faloutsos M, et al (2004) Transport layer identification of p2p traffic. In: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, ACM, pp 121–134Google Scholar
  20. Keralapura R, Nucci A, Chuah CN (2010) A novel self-learning architecture for p2p traffic classification in high speed networks. Comput Netw 54(7):1055–1068CrossRefMATHGoogle Scholar
  21. Kheir N, Wolley C (2013) Botsuer: suing stealthy p2p bots in network traffic through netflow analysis. In: Cryptology and network security, vol 8257, Springer, pp 162–178Google Scholar
  22. Li H, Hu G, Yuan J, Lai H (2012) P2p botnet detection based on irregular phased similarity. In: Proceedings of the 2012 second international conference on instrumentation. Computer, communication and control, IEEE Computer Society, Measurement, pp 79–82Google Scholar
  23. Li J, Zhang S, Lu Y, Yan J (2009) Hybrid internet traffic classification technique. J Electron (China) 26(1):101–112CrossRefGoogle Scholar
  24. Lu CN, Huang CY, Lin YD, Lai YC (2012) Session level flow classification by packet size distribution and session grouping. Comput Netw 56(1):260–272CrossRefGoogle Scholar
  25. Maly RJ, Mischke J, Kurtansky P, Stiller B (2003) Comparison of centralized (client–server) and decentralized (peer-to-peer) networking. Semester thesis, ETH Zurich, Zurich, Switzerland, pp 1–12Google Scholar
  26. Narudin FA, Feizollah A, Anuar NB, Gani A (2014) Evaluation of machine learning classifiers for mobile malware detection. Soft Comput 1–15. doi:10.1007/s00500-014-1511-6
  27. Palmieri F, Fiore U (2009) A nonlinear, recurrence-based approach to traffic classification. Comput Netw 53(6):761–773CrossRefMATHGoogle Scholar
  28. Powers DM (2011) Evaluation: from precision, recall and f-measure to roc, informedness, markedness and correlation. J Mach Learn Technol 2(1):37–63MathSciNetGoogle Scholar
  29. Saad S, Traore I, Ghorbani A, Sayed B, Zhao D, Lu W, Felix J, Hakimian P (2011a) Detecting p2p botnets through network behavior analysis and machine learning. In: 2011 Ninth annual international conference on privacy, security and trust (PST), IEEE, pp 174–180Google Scholar
  30. Saad S, Traore I, Ghorbani A, Sayed B, Zhao D, Lu W, Felix J, Hakimian P (2011b) Detecting p2p botnets through network behavior analysis and machine learning. In: 2011 Ninth annual international conference on privacy, security and trust (PST), IEEE, pp 174–180Google Scholar
  31. Silva SS, Silva RM, Pinto RC, Salles RM (2013) Botnets:a survey. Comput Netw 57(2):378–403CrossRefGoogle Scholar
  32. Singh K, Guntuku SC, Thakur A, Hota C (2014) Big data analytics framework for peer-to-peer botnet detection using random forests. Inf Sci 278:488–497CrossRefGoogle Scholar
  33. Soysal M, Schmidt EG (2010) Machine learning algorithms for accurate flow-based network traffic classification: evaluation and comparison. Perform Eval 67(6):451–467CrossRefGoogle Scholar
  34. Szabó G, Orincsay D, Malomsoky S, Szabó I (2008) On the validation of traffic classification algorithms. In: Passive and active network measurement, vol 4979, Springer, pp 72–81Google Scholar
  35. Tran H, Hitchens M, Varadharajan V, Watters P (2005) A trust based access control framework for p2p file-sharing systems. In: HICSS’05. Proceedings of the 38th Annual Hawaii international conference on system sciences, 2005. IEEE, 302c ppGoogle Scholar
  36. Tyagi AK, Aghila G (2011) A wide scale survey on botnet. Int J Comput Appl 34(9):9–22Google Scholar
  37. Valdés L, Montesinos S, Ariza A, Allende SM, Joya G (2015) Peer selection in p2p wireless mesh networks: comparison of different strategies. Soft Comput. doi:10.1007/s00500-014-1572-6
  38. Vania J, Meniya A, Jethva H (2013) A review on botnet and detection technique. Int J Comput Trends Technol 4(1):23–29Google Scholar
  39. Wang B, Li Z, Tu H, Ma J (2009) Measuring peer-to-peer botnets using control flow stability. In: International conference on availability, reliability and security, 2009. ARES’09. IEEE, pp 663–669Google Scholar
  40. Wang R, Tang K (2012) Minimax classifier for uncertain costs. arXiv:1205.0406
  41. Weka (2012) Weka introduction.
  42. Xusheng Z (2008) A p2p traffic classification method based on svm. In: International symposium on computer science and computational technology, 2008. ISCSCT’08. IEEE, vol 2, pp 53–57Google Scholar
  43. Ye W (2012) Two step hybrid p2p traffic classification. Master’s thesis, Dankook University, KoreaGoogle Scholar
  44. Ye W, Cho K (2013) Two-step p2p traffic classification with connection heuristics. In: 2013 Seventh international conference on innovative mobile and internet services in ubiquitous computing (IMIS), IEEE, pp 135–141Google Scholar
  45. Ye W, Cho K (2014a) Hybrid p2p traffic classification with heuristic rules and machine learning. Soft Comput 18(9):1815–1827CrossRefGoogle Scholar
  46. Ye W, Cho K (2014b) P2p traffic classification using advanced heuristic rules and analysis of decision tree algorithms. J Korea Soc Comput Inf 19(3):45–54CrossRefGoogle Scholar
  47. Zeng Y, Shin KG (2013) On detection of storm botnets, pp 1–7Google Scholar
  48. Zhang H, Lu G, Qassrawi MT, Zhang Y, Yu X (2012) Feature selection for optimizing traffic classification. Comput Commun 35(12):1457–1471Google Scholar
  49. Zhang J, Perdisci R, Lee W, Luo X, Sarfraz U (2014) Building a scalable system for stealthy p2p-botnet detection. IEEE Trans Inf Forensics Secur 9(1):27–38CrossRefGoogle Scholar
  50. Zhao D, Traore I, Ghorbani A, Sayed B, Saad S, Lu W (2012) Peer to peer botnet detection based on flow intervals. In: Information security and privacy research, 28th IFIP TC 11 SEC conference-2012, vol 376. Springer, Crete, pp 87–102Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  1. 1.Department of Software ScienceDankook UniversityYongin-siKorea

Personalised recommendations