Botnet detection revisited: Theory and practice of finding malicious P2P networks via Internet connection graphs

INFOCOM Workshops (2013)

Abstract
In this paper we review state-of-the-art botnet detection algorithms that reveal the control traffic of malicious peer-to-peer (P2P) networks by targeting topological properties of their interconnectivity graph. This class of detection methods does not rely on the exchanged content and therefore is also applicable to encrypted control traffic. However, in practice, an ISP monitoring customer traffic over an edge router will usually see only a fraction of the overall botnet, thus restricting the available bot connectivity information and limiting the applicability of general community detection approaches. In this paper we critically review graph-based detection methods suitable for edge router monitoring using two types of real network traces. We show experimentally that using meta-graphs of mutual contacts proposed by Coskun et al. 2010 has the highest potential on result quality. We improve this approach by presenting a computationally less complex algorithm with similar result quality. Furthermore, we explain ways to alleviate the cost of dealing with false positives in the result set.
Keywords
metagraphs, Internet connection graphs, ISP, community detection approach, topological properties, cryptography, customer traffic monitoring, malicious P2P networks, botnet detection algorithm, graph-based detection methods, edge router monitoring, malicious peer-to-peer networks, computer network security, telecommunication network topology, malicious peer-to-peer network control traffic, internet, state-of-the-art botnet detection algorithms, interconnectivity graph, bot connectivity information, graph theory, telecommunication traffic, peer-to-peer computing, encrypted control traffic, customer traffic, content exchange
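
The mutual-contacts meta-graph named in the abstract can be illustrated on edge-router flow records. The sketch below is an added example, not code from the paper or from Coskun et al.: the flow records are constructed, and the `max_popularity` filter, the `min_weight` threshold and the seed-based reachability step are simplifying assumptions standing in for the published algorithms.

```python
from collections import defaultdict
from itertools import combinations

# Constructed flow records (internal host, external peer) as seen at an edge router.
FLOWS = [
    ("10.0.0.1", "203.0.113.1"), ("10.0.0.1", "203.0.113.2"),
    ("10.0.0.1", "203.0.113.3"), ("10.0.0.2", "203.0.113.1"),
    ("10.0.0.2", "203.0.113.2"), ("10.0.0.3", "203.0.113.2"),
    ("10.0.0.3", "203.0.113.3"), ("10.0.0.5", "203.0.113.3"),
    ("10.0.0.4", "192.0.2.50"), ("10.0.0.5", "192.0.2.50"),
] + [(f"10.0.0.{i}", "198.51.100.1") for i in range(1, 6)]  # popular service

def mutual_contact_graph(flows, max_popularity=3):
    """Link two internal hosts once per external peer that both contacted.

    External peers contacted by more than max_popularity internal hosts are
    treated as popular services and ignored (assumed threshold).
    """
    hosts_by_peer = defaultdict(set)
    for internal, external in flows:
        hosts_by_peer[external].add(internal)
    graph = defaultdict(lambda: defaultdict(int))
    for hosts in hosts_by_peer.values():
        if len(hosts) > max_popularity:
            continue
        for a, b in combinations(sorted(hosts), 2):
            graph[a][b] += 1
            graph[b][a] += 1
    return graph

def candidates_from_seed(graph, seed, min_weight=2):
    """Hosts reachable from a known bot over edges of weight >= min_weight."""
    seen, stack = {seed}, [seed]
    while stack:
        node = stack.pop()
        for neighbour, weight in graph.get(node, {}).items():
            if weight >= min_weight and neighbour not in seen:
                seen.add(neighbour)
                stack.append(neighbour)
    return seen - {seed}

if __name__ == "__main__":
    g = mutual_contact_graph(FLOWS)
    print(sorted(candidates_from_seed(g, "10.0.0.1")))
```

Lowering `min_weight` to 1 or disabling the popularity filter pulls the two unrelated hosts into the result set, which is the false-positive cost the abstract refers to.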