PeerDigger: Digging Stealthy P2P Hosts through Traffic Analysis in Real-Time
Jie He, Yuexiang Yang, Xiaolei Wang, Chuan Tang, Yingzhi Zeng
2014 IEEE 17th International Conference on Computational Science and Engineering, published 2014-12-19
DOI: 10.1109/CSE.2014.283 (https://doi.org/10.1109/CSE.2014.283)
Citations: 10
Abstract
P2P technology has been widely applied in many areas due to its excellent properties. Some botnets have also shifted towards decentralized architectures, since these provide better resiliency against detection and takedown efforts. Moreover, modern P2P bots tend to run on compromised hosts in a stealthy way, which renders most existing approaches ineffective. In addition, few approaches address the problem of real-time detection, yet it is important to detect bots as soon as possible in order to minimize their harm. In this paper, we propose PeerDigger, a novel real-time system capable of detecting stealthy P2P bots. PeerDigger first detects all P2P hosts based on several basic properties of flow records, and then distinguishes P2P bots from benign P2P hosts by analyzing their network behavior patterns. The experimental results demonstrate that our system is able to identify P2P bots with an average TPR of 98.07% and an average FPR of 1.5% within 4 minutes.