Presentation of my paper presented at the IEEE Security & Privacy Workshops, San Jose, USA, May 2014

1. DETECTING PEER-TO-PEER
BOTNETS BY TRACKING
CONVERSATIONS
Pratik Narang1, Subhajit Ray1, Chittaranjan Hota1 and Venkat Venkatakrishnan2
1BITS Pilani, Hyderabad campus, India
2University of Illinois at Chicago

2. Introduction
• What’s a bot ?
• What’s a botnet ?
• What’s a Peer-to-Peer based botnet ?

3. Traditional Botnets
Bot-Master

4. Peer-to-Peer Botnets
Bot-Master

5. P2P: Uses and Misuses

6. Previous work
• Intial work with signature-based approaches
• Evaded by bots using encryption
• Recent work – analysis of network behavior
• Most of it uses 5-tuple ‘flow-based’ approach
<Source IP, Dest. IP, Source port, Dest. Port, Protocol>
• Great success in Internet traffic classification
• Doesn’t suit the needs of P2P traffic

7. Identifying P2P traffic
• Modern P2P apps and bots randomize ports, operate on
TCP as well as UDP
• P2P traffic has bi-directional nature
• E.g.- BitTorrent- seeders and leechers
• Thus, traditional flow-based approaches may give a false
view of network communication
• Notion of a conversation more suited to P2P
• Who is talking to whom ?
• Irrespective of protocol, port, etc.

8. P2P apps v/s P2P bots
Applications:
• A human user-‘bursty’
traffic
• High volume of data
transfers seen
• Small inter-arrival time of
packets seen in apps
Botnets:
• Automated/scripted
commands
• Low in volume,
high in duration
• Large inter-arrival time of
packets seen in stealthy
bots

9. PeerShark: Overview
Conversation
Creation
Module
Conversation
Aggregation
Module
Classification
Module
Packet
Filtering
Module
FLOWGAP initial
FLOWGAP
Packets useful for our system Packets discarded by our system (Corrupted or missing headers)
Conversations classified as benign Conversations classified as malicious

10. Approach
• Parse network traces, discard corrupted packets
• Create ‘conversations’, identified by the tuple <IP1,IP2> and
an initial FLOWGAP parameter
• Aggregate conversations again – this time with a higher
FLOWGAP parameter
• To be decided by Network Admin based on understanding of the
network
• Useful for detecting slow and stealthy bots

11. Approach
• For each tuple, extract 4 features :
– The duration of the conversation
– The number of packets exchanged in the conversation
– The volume of the conversation (no. of bytes)
– The Median value of the inter-arrival time of packets in the conversation
• Hunt for long-lived, stealthy conversations
• Categorize P2P apps & bots with the features
above, using supervised machine learning
approaches

12. Dataset
P2P app name Used for? Type of data/Size of data
eMule P2P file sharing application pcap file/19 GB
uTorrent P2P file sharing application pcap file/33 GB
P2P botnet name What it does? Type of data/Size of data
Storm Email Spam pcap file/ 4.8 GB
Waledac Email spam, password stealing pcap file/ 1.1 GB

14. Results
BayesNet J48
Adaboost with REP
tree
TP FP ROC TP FP ROC TP FP ROC
eMule 0.929 0.012 0.996 0.964 0.012 0.987 0.93 0.021 0.993
Storm 0.988 0.009 0.999 0.986 0.003 0.996 0.979 0.004 0.999
Waledac 0.989 0.01 0.999 0.988 0.005 0.995 0.97 0.009 0.998
uTorrent 0.947 0.019 0.996 0.965 0.012 0.989 0.943 0.025 0.994
Avg. 0.96325 0.0125 0.9975 0.97575 0.008 0.99175 0.9555 0.01475 0.996
90%
91%
92%
93%
94%
95%
96%
97%
98%
99%
100%
BayesNet J48 Adaboost with REP tree
OverallAccuracy(%)

15. Code publicly available for review & feedback:
https://github.com/pratiknarang/peershark

16. Back-up

17. Limitations & Possible evasions of
PeerShark
• Only built for 2 apps and 2 bots. Any new app/bot will also
get (mis)classified into one of these classes.
• If more than one P2P application (benign or malicious) is
running between two peers, PeerShark will not be able to
correctly classify it.
• Smarter bots which engage in occasional file-sharing with
bot-peers (and thus mimic benign behavior) can evade
PeerShark.