Analysis the P2P botnet detection methods


Atef Ahmed Obeidat
Al-Huson University College, Al-Balqa Applied University, Al-Huson, Jordan

ABSTRACT
Botnets are one of the most important Internet security issues. Their structure has evolved from a centralized architecture into the decentralized nature of Peer-to-Peer (P2P) botnets, which makes them difficult to detect. This study analyzes and compares the most significant proposals in the field of P2P botnet detection. It fulfills the following tasks: first, it studies the previous surveys; second, it proposes new dimensions for analyzing the proposals; third, it classifies and compares the most important detection proposals; and fourth, it describes the open problems in this field. We conclude that significant progress has been achieved in the field so far, but many open problems remain.

Keywords: Botnets, information security, botnet detection, survey, peer-to-peer.

1. INTRODUCTION
A bot is a computer running a malicious program that enables an attacker (the botmaster) to remotely control the infected computer. A network of such compromised end-hosts is called a botnet; the hosts are usually recruited by an attack method such as Trojan horses, worms, or viruses [1]. Botnets with many computers have high bandwidth and computing capability that increase over time. Botmasters use the bots to launch various malicious activities, such as spam, Distributed Denial of Service (DDoS) attacks, key-logging, Bitcoin mining, click-fraud scams, and password cracking. The traditional botnet architecture was a centralized approach that used IRC (Internet Relay Chat) for its Command & Control (C&C) channels. Detecting the centralized C&C server means removing the entire botnet. Botmasters therefore moved to P2P protocols [2] to build botnets. The peer-to-peer approach provides higher resiliency, and botnets implementing this approach are harder to detect and take down.
Nugache [3] and the Storm worm [4, 5] are two representative P2P botnets. Several surveys on P2P botnet detection have been carried out [6-9]. Although these surveys provide useful information on botnets, they do not include an analysis of P2P botnet detection methods. Our work aims to analyze, classify, and compare the most significant P2P botnet detection methods. The key contributions of the work are as follows:
Comparing the previous surveys in this field.
Comparing and classifying P2P botnet detection features.
Studying the most important proposals.
Focusing on the drawbacks of P2P botnet detection.
We conclude that P2P botnet detection methods have gained significant results so far. However, many open problems still exist.

2. PREVIOUS SURVEYS
No complete and comprehensive survey of P2P botnet detection methods has been carried out so far. However, several surveys on botnet detection include a brief analysis of detection methods. In this section, these surveys are analyzed to describe how the detection methods are classified. Several methods for P2P botnet detection are enumerated in a previous work [6], but these methods are not thoroughly analyzed; the detection techniques are considered individually, and the ideas and drawbacks of each technique are explained. A previous work [6] analyzes three approaches more elaborately, and one of the three approaches is proposed; the general ideas, advantages, and shortcomings of these approaches are presented [7]. P2P botnet detection techniques based on the traffic features of the P2P botnet were studied in [8]. Its detection techniques are classified into three categories: data mining, machine learning, and network behavior and traffic analysis. The general principles of these techniques are presented; however, the shortcomings, advantages, and algorithms of these techniques are not explained.
P2P botnet detection methods are also surveyed by review papers in the field that determined the current problems and existing solutions [9]. In addition, that survey uses a table to relate the techniques proposed in the literature.
Volume 4 Issue 3 March 2016 Page 1

Table 1: Categories of comparing detection techniques
Analysis dimensions    Entries for this work and the related work [6], [7], [8], [9], as reported
Detection methods
Advantages             no, no
Shortcomings           no, no
Detection algorithms   Partially, no, no, no
Data sources           no, no, no, Partially
Detection features     no, no, no, Partially
Comparison             no, no, no

2.1. Survey comparison
The previous surveys [6-9] demonstrate that categorizing the detection methods is difficult. Each survey emphasized different aspects of the papers, so identifying a common comparison criterion was challenging. The comparison approach of each survey was studied to extract the main dimensions along which information was organized. Table 1 shows the information analyzed in each survey. These dimensions are summarized as follows:
Data sources: the sources of the base information, such as application logs from a general network, NetFlow logs from a private network, or network packets from a honeypot [10].
Detection features: the properties employed to establish the topology. The papers were studied according to these properties (e.g. encrypted botnet detection, the botnet protocol detected, and the rules needed for detection).
Detection algorithms: the algorithms used to achieve a task (e.g. Bayesian statistics and neural networks).
Advantages and disadvantages of algorithms: the benefits and shortcomings of each discussed method.
Comparison of algorithms: the criteria employed to compare the botnet detection papers.
In addition, the study of the surveys identified several restrictions from the viewpoint of classifying detection methods:
All the surveys use distinct terminologies, which makes the study hard. For example, what one paper calls an approach is called a technique in another.
All the surveys use few dimensions. As Table 1 shows, no survey fully covers the data sources dimension, and one survey describes the detection methods only.
In general, the surveys are designed to describe the methods rather than study them. Most surveys use a small number of references in the comparison between the papers. To overcome these limitations, we present a comprehensive survey that contains a complete topology and a comparison, in order to analyze the detection methods in depth.

3. THE COMPARISON APPROACH
This section presents the comparison of the detection proposals based on two views:
1. In the first view, the detection proposals are arranged in a topology map of P2P botnet detection characteristics. The map, shown in Figure 1, aims to clarify how the detection proposals differ from each other. It allows researchers to quickly determine which papers implemented each technique; a paper can appear more than once. The topology map is divided into the following categories to cover the different aspects of the papers:
(1) Detection algorithms: differentiates the types of algorithms.
(a) The neural network-based algorithm uses neural networks to build supervised machine learning models for the detection of P2P botnets. The approaches are validated with multiple machine-learning algorithms: decision trees [11], boosted REP trees [11], Bayesian networks [11], discrete Fourier transforms and Shannon's entropy theory [12], the Weka machine learning suite [13], SVM [14, 15], J48 [14, 15], C4.5 decision tree classifiers [14, 15], Apache Mahout algorithms [16], and FURIA, a fuzzy rule generating algorithm [17][18].
(b) The heuristic threshold-based algorithm uses a threshold for detection. For example, [19] flags hosts whose packet ratio, the sum of uploaded packets divided by the sum of downloaded packets, is less than 0.4, and uses a traffic pattern of three periods more than five minutes apart with a standard deviation of less than 150. In addition, the distance between two bot-compromised hosts, decided by the minimum distance between their respective fingerprint clusters, is employed in a previous work [20]; the distances between fingerprint clusters of botnet P2P protocols are smaller than those of legitimate P2P protocols.
(c) The mining-based algorithm uses data mining techniques to detect botnets. For example, synergistic graph mining is applied in a previous work [20], whereas another work [21] is based on mining the periodic patterns of traffic datasets.
(2) Detection techniques: differentiates the main techniques used for detection.
a. Flow-based techniques examine network flows between two nodes.
b. Resource sharing behavior monitoring-based techniques model the evolution over time of the number of peers sharing a resource in a P2P network.
c. Node-based techniques examine the input and output flows of every node.
d. Conversation-based techniques aim to detect the stealthy behavior of P2P botnets.
e. Signature-based techniques inspect each packet in the network traffic.
(3) Detection sources: refers to where packets were captured, not how they were captured.
a. Normal packets: the source of verified normal packets.
i. Virtual internal networks capture verified normal packets from an internal, controlled network.
ii. Real networks capture packets from real networks; traffic should be labelled as background if it is not verified.
b. Botnet packets: the source of the botnet packets.
i. Honeypots are connected to the Internet.
ii. Darknets come from the darknet, an overlay network that can only be accessed with specific software, often using non-standard communication protocols and ports [22].
iii. Virtual networks result from a controlled virtual network in which malware is manually installed.
iv. Custom produced malware is a modified version of a known malware.
v. Real malware uses unmodified real malware binaries to infect computers.
vi. Packet logs use previously captured packet logs.
2. In the second view, the approaches are compared according to a group of important features. The botnet detection proposals exhibit a common set of features that can be employed to better understand them. These features are more significant than the positive results reported. Next, we describe the key features of a P2P botnet detection proposal. These features help explain and compare the proposals, determine the component lacking in each paper, and identify the aspects being over-emphasized. They were created partly from principles in previous surveys. The features are described as follows:
1. Dataset features: reflect the diversity of the training dataset, the experimental setup, capture on a host or in a network, preprocessing, and training dataset verification, as in Tables 4 and 5.
2. Accuracy-based performance metrics: evaluate the performance of the approaches, as in Table 6.
3. Statistical bot detection: determines the statistical bot features that the proposal detects, as in Table 7.
4. Encrypted botnet detection: classifies whether the approach can detect botnets that use encrypted connections, as in Table 8.
5. Real-time botnet detection: classifies whether the approach can detect botnets in real time, as in Table 8.
Both views cover different sides of the proposals and contribute information on the state of the field. The topology map is the first such map presented for P2P botnet detection.
In the following subsections, these perspectives are employed to compare the detection papers based on the key features, similarly to the comparison scheme in [23]. The results of the comparisons between the main subjects of the papers are visualized in tables. The comparisons provide important information about the papers: they summarize the details of the works and explain the proposals.

Figure 1: Topology map of the detection characteristics of P2P botnets
P2P botnet detection characteristics
  Detection Algorithms
    Neural network based [11-15, 24]
    Heuristic threshold based [19, 25-28]
    Mining-based [20, 21]
  Detection Techniques
    Flow-based [11-15, 17, 18, 20, 21, 28, 29]
    Resource sharing behavior monitoring based [14]
    Node based [16, 27, 30]
    Conversation based [11, 13, 19, 26]
  Detection Sources
    Normal sources
      Virtual networks [16, 26, 28, 29]
      Real networks [11, 17, 20, 25, 29]
      Produced networks [12-15, 19, 21, 24, 27, 29, 30]
    Botnet sources
      Virtual networks [16, 26]
      Real malware networks [17, 20, 21, 25-27]
      Honeypots [14, 21, 30]
      Darknets
      Custom produced malware [11, 15, 19, 25, 26, 28-30]
      Packet logs [12, 13, 24]

3.1 The categories of detection techniques comparison
Table 2 presents the categories of detection techniques used in each paper. The proposed solutions for P2P botnet detection can be classified into the following techniques:
1) Flow-based or flow-analysis-based botnet detection [11-15, 17, 18, 20, 21, 28, 29] analyzes network flows between two nodes by aggregating the packets that belong to the same flow, where a flow is defined as the set of packets with the same source address, source port, destination address, and destination port. The principle of flow-based methods is to model the botnet communication patterns with flow features, such as the number of packets in the flow and the order of packet arrivals. The extracted flow features are used to build classifiers that distinguish malicious bot flows from normal flows. Thus, flow-based analysis detects malicious bots based on their similarity to the behavior of known bots. However, flow-based techniques have two restrictions. First, all the flows between any two nodes need to be analyzed, although most of these flows belong to normal network nodes. Second, the flow features must be extracted at runtime, which implies that the analysis needs a huge computational overhead at runtime.
2) Resource sharing behavior monitoring-based detection [25] is grounded on modeling the evolution over time of the number of peers sharing a resource in a P2P network. This allows the detection of abnormal behaviors associated with parasite P2P botnet resources in this kind of environment.
3) Node-based detection [16, 27, 30] examines the input and output flows of every node: the approaches aggregate behavioral metrics for each P2P node (host) seen in network communications and use them to distinguish benign P2P hosts from hosts infected by P2P botnets.
4) Conversation-based detection [11, 13, 19, 26] does not rely on deep packet inspection or signature-based mechanisms. This approach aims to detect the stealthy behavior of P2P botnets, that is, when they lie hidden in their rally or waiting stages, or while they perform malicious activities (spamming, password stealing, etc.) that are not observable by a network administrator.

Table 2: Categories of comparing detection techniques
Category                                          Papers
Flow based                                        [12, 17, 18, 20, 21, 24, 27-30]
Node based                                        [16, 30]
Based on resource sharing behavior monitoring     [25]
Conversation-based                                [11, 14, 15, 19, 26]
Hybrid with flow-based and conversation-based     [13]

3.2 Comparison of detection algorithms
Table 3 shows a comparison of the algorithms used in each paper to detect botnets. Creating this table was difficult because some proposals did not explain the details of their algorithms. Most papers used one or more machine learning algorithms to detect the botnets.

Table 3: Comparison of detection algorithms
Paper  Algorithms
[29]   Convergence between the set of IPs
[30]   Machine learning algorithm
[25]   Popularity threshold
[11]   Machine learning algorithms: decision trees, boosted REP trees, and Bayesian networks
[12]   Machine learning based on discrete Fourier transforms and Shannon's entropy theory; K-nearest neighbor algorithm (signal processing)
[13]   Weka machine learning suite
[14]   K-means clustering; machine learning algorithms: SVM, J48, and C4.5 decision tree classifiers; Euclidean distance
[26]   Offline detection depends on the success rate of the connection (Markov chain); online detection counts the number of data flows per source and destination address
[19]   Based on traffic metadata of the NetFlow protocol: a) packet ratio, b) traffic pattern
[20]   Synergistic graph mining
[15]   Machine learning algorithms (e.g. SVM, J48, C4.5)
[24]   Machine learning technique: the unsupervised incremental K-means clustering algorithm
[16]   Machine learning algorithms / Apache Mahout algorithms
[21]   Based on mining the periodic patterns of traffic datasets
[28]   Based on the distance between two bot-compromised hosts
[17]   Machine learning using FURIA, a fuzzy rule generating algorithm
[27]   Aggregation of flows corresponding to P2P network activities and analysis of their network behavior patterns

3.3 Comparison of the detection sources
This subsection compares the normal and botnet data sources used by the proposed methods, as shown in Tables 4 and 5. These datasets are used for training or verifying the proposed methods. The dataset is the main factor in validating the papers, so studying the design and methodology of the datasets is necessary to understand the conditions of the experimental results. In these tables, we use the following terms. The term produced refers to botnets that were built by the authors from public source code. Produced botnets must be initialized before being used; thus, these malware samples are not equal to the ones in natural botnets. However, the implications of using modified malware are normally underestimated. The term virtual refers to the use of virtual networks; using virtualization technology is commonly accepted for malware execution. Finally, the terms training and testing refer to the training and testing phases of the approach, respectively. If only one of these labels appears, the method did not use the other phase. After studying these tables, we found that most proposals do not have all types of dataset. If an algorithm must be trained, at least independent training and testing datasets should be used. One paper has no datasets [24]. Moreover, a few proposals use the same training and testing datasets. The tables also help to compare the amount of data used in each method. In addition, some methods generated different numbers of bots in a virtual network.

Table 4: Comparison of normal sources for detection
Paper  Normal packets
[29]   Testing: Mbps from private traffic; five real legitimate P2P clients from DNS traffic and five virtual legitimate P2P clients of popular P2P applications
[30]   Testing: capturing at time intervals of 10, 20, 60, and 180 seconds
[25]   Training: three-fourths of the 34,075 resources consulted on four websites, where 14,869 resources are corroborated as legitimate. Testing: one-fifth of the resources
[11]   Training: data from two P2P applications (eMule and uTorrent) and two P2P botnet applications (Waledac and Storm). Testing: benign P2P data, 50,000 conversations each of eMule and uTorrent
[12]   Testing: 78,000 conversations of clean data sampled from multiple P2P applications, namely eMule, uTorrent, Vuze, and Frostwire
[13]   Testing: 50,000 conversations each of eMule and uTorrent
[14]   Training: 794 benign P2P clusters
[26]   Testing: simulating 4 P2P zombie hosts (A1, A2, A3, A4); capturing each virtual machine's traffic for 2 minutes with an interval of 1 minute
[19]   Testing: flows of 7 P2P traffic; the dataset includes web traffic compiled by crawlers
[20]   Testing: 24 hours from a trans-Pacific backbone line between the U.S. and Japan; 3,528,849 unique IPs and 82,380,945 flows (89% TCP, 11% UDP)
[15]   Training: 2,975 P2P flow clusters. Testing: three hours of anonymized NetFlow for 4,347 IP addresses
[24]   -
[16]   Training: for a number of days, the data of P2P applications were generated in a private lab environment
[21]   Testing: the ISOT lab; university campus; one hour of live eMule traffic
[28]   Testing: several hours (e.g. 24 or 5 hours) of two virtual P2P applications
[17]   Training: university campus. Testing: as training
[27]   Testing: 24 hours, three P2P applications, two hosts for each

Table 5: Comparison of botnet sources for detection
Paper  Botnet packets
[29]   Testing: produced 16 P2P bots; the Storm traces included 13 hosts and the Waledac traces three hosts
[30]   Testing: produced dataset by combining Storm and Waledac
[25]   Testing: monitoring the Internet for three months, a total of 71,135 resources shared by millions of different IPs
[11]   Testing: 50,000 conversations each for Storm and Waledac
[12]   Testing: 10,000 conversations each for Storm and Waledac; 2,657 conversations for Zeus
[13]   Testing: 50,000 conversations each of Storm and Waledac
[14]   Training: 80% of 1,445 malware clusters. Testing: 20% of 1,445 malware clusters
[26]   Testing: produced five virtual P2P hosts, capturing the traffic of each for two minutes
[19]   Testing: 2,125 traffic flows of three different binaries of the Zeus P2P malware, obtained via the public sandbox malwr.com
[20]   Testing: 13 hosts infected with Storm and 82 hosts with Nugache for a period of 24 hours
[15]   Training: 1,317 P2P malware samples belonging to 8 different malware families, used to build the malware classifier. Testing: three hours of NetFlow for 4,347 distinct IP addresses
[24]   Training: 20,000 malware samples over three months. Testing: 85% of the P2P malware learning set, and 15% malware samples
[16]   Testing: two-thirds of 3.9 GB for Storm and Waledac. Training: one-third of the dataset
[21]   Testing: university campus
[28]   Testing: produced two P2P botnets, Storm and Waledac; Storm contains 13 different bot-compromised hosts, whereas Waledac contains three
[17]   Training: two university campuses. Testing: the same as training
[27]   Testing: 24 h for two P2P applications; 13 hosts for the first and three hosts for the second

3.4 Comparison of accuracy-based performance metrics
The accuracy-based performance metrics can be measured by multiple techniques [24]. Table 6 presents the most important results of this work. The table shows that some values were not computed at all, and none of the papers reported all the values. Most of the papers did not compute the total value for each metric (where the U reference was utilized); instead, the proposals presented partial values for each experiment. Moreover, most of the papers did not compute some values at all. Therefore, we calculated the missing metrics from their counterpart values (the C reference). Finally, none of the papers reported the F-measure and error rate metrics. Table 6 summarizes the following metrics:
True positives (TP): the number of positive cases correctly classified as positive.
False negatives (FN): the number of positive cases classified as negative.
False positives (FP): the number of negative cases classified as positive.
True negatives (TN): the number of negative cases correctly classified as negative.
The metrics are defined from these counts as follows:
Percent correct or accuracy = (TP + TN) / (TP + FN + FP + TN).
Error rate = (FN + FP) / (TP + FN + FP + TN).
Precision = TP / (TP + FP).
True-positive rate (TPR) or recall = TP / (TP + FN).
True-negative rate (TNR) = TN / (FP + TN).
False-negative rate (FNR) = FN / (TP + FN); also 1 - TPR.
False-positive rate (FPR) = FP / (FP + TN); also 1 - TNR.
F-measure is the harmonic mean of precision and recall (TPR).
Table 6 shows that none of the papers presented the four basic metrics together. If a proposal only reports the TPR value, understanding the significance of its results is very difficult. We use the following references for the computed, non-original values:
G: generating a final value from isolated results.
C: when there is no value for some metric, we calculated an approximation as the difference from its counterpart value: FPR = 1 - TNR, FNR = 1 - TPR, TNR = 1 - FPR, and TPR = 1 - FNR.
-: no value or computation was reported.

Table 6: Comparison of accuracy-based performance metrics
Columns: FPR a (%), FNR b (%), TPR c (%), TNR d (%), error rate (%), F-measure (%), percent correct; values per paper as reported or computed
[29]   0.2 (G); 0.8 (C); 100% (C)
[30]   0-2 (G); % (G)
[25]   0.5 (G); >99%
[11]   0.012 (G); 0.036 (C); % (G)
[12]   0.08 (C); 0.92 (G); 88%
[13]   2-3 (G); 5-12 (C); 88-95%
[14]   20 (G); 93% (G)
[26]   -
[19]   0 (G); 100 (G); 100% (G)
[20]   23 (G); 6.6 (G); 91.8%, 98.1 (G)
[15]   0.8 (G); 3.5 (G); 1 (G); 99.2 (C); 99%
[24]   97.6%
[16]   (C); (C)
[21]   -
[28]   2; 98 (C); 2 (C); 98 (C); 100%
[17]   0.01 (C); %
[27]   (C); % (C); 98.5 (C)
a. FPR, false-positive rate; b. FNR, false-negative rate; c. TPR, true-positive rate; d. TNR, true-negative rate.
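The metric definitions above, worked as an added example (not code from the paper): the block pools per-experiment confusion counts into one final value, as the G reference does, and fills a missing rate from its counterpart, as the C reference does, on constructed counts. The Confusion record and the percent scale for reported rates are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Confusion:
    """Counts of one experiment: positives are bot traffic, negatives are benign traffic."""
    tp: int
    fn: int
    fp: int
    tn: int

    def __add__(self, other):
        return Confusion(self.tp + other.tp, self.fn + other.fn,
                         self.fp + other.fp, self.tn + other.tn)


def metrics(c: Confusion) -> Dict[str, float]:
    """All metrics of Table 6 as fractions in [0, 1]; F-measure is the harmonic mean of precision and recall."""
    total = c.tp + c.fn + c.fp + c.tn
    positives = c.tp + c.fn
    negatives = c.fp + c.tn
    precision = c.tp / (c.tp + c.fp) if c.tp + c.fp else 0.0
    tpr = c.tp / positives if positives else 0.0
    tnr = c.tn / negatives if negatives else 0.0
    f_measure = 2 * precision * tpr / (precision + tpr) if precision + tpr else 0.0
    return {
        "accuracy": (c.tp + c.tn) / total,
        "error_rate": (c.fn + c.fp) / total,
        "precision": precision,
        "tpr": tpr,
        "tnr": tnr,
        "fnr": 1.0 - tpr,
        "fpr": 1.0 - tnr,
        "f_measure": f_measure,
    }


def aggregate(experiments: Iterable[Confusion]) -> Confusion:
    """The G reference: one final value generated from isolated per-experiment results by pooling the counts."""
    total = Confusion(0, 0, 0, 0)
    for e in experiments:
        total = total + e
    return total


COUNTERPART = {"fpr": "tnr", "tnr": "fpr", "fnr": "tpr", "tpr": "fnr"}


def complete_rates(reported: Dict[str, float]) -> Dict[str, Optional[float]]:
    """The C reference: fill a missing rate (in percent) from its counterpart; rates that stay unknown are None."""
    out: Dict[str, Optional[float]] = dict(reported)
    for name, partner in COUNTERPART.items():
        if name not in out and partner in out:
            out[name] = 100.0 - out[partner]
    for name in COUNTERPART:
        out.setdefault(name, None)
    return out


# Constructed per-experiment counts, one run per botnet family, as a paper might report them separately.
SAMPLE_EXPERIMENTS = [
    Confusion(tp=980, fn=20, fp=15, tn=985),   # e.g. a Storm run
    Confusion(tp=490, fn=10, fp=5, tn=495),    # e.g. a Waledac run
]

if __name__ == "__main__":
    pooled = metrics(aggregate(SAMPLE_EXPERIMENTS))
    print({k: round(v * 100, 3) for k, v in pooled.items()})
    print(complete_rates({"tpr": 98.0, "fpr": 2.0}))   # fills fnr and tnr
    print(complete_rates({"tpr": 99.0}))               # fnr only; fpr and tnr stay None
```

A paper that reports only TPR leaves FPR and TNR as None, which is exactly the situation the text describes as hard to interpret.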

3.5 Dataset comparison
This comparison covers the different datasets that were captured and the types of botnets analyzed. Establishing a varied dataset is essential because every botnet has unique characteristics. The applicability of each approach can be analyzed by studying the botnets included in the training and testing datasets. Tables 4 and 5 show that several proposals used only a small number of botnets for training and testing, and other proposals employed the same dataset for training and testing.

3.6 Comparison of statistical features
This comparison covers the statistical features used by the proposals to detect botnets. Table 7 shows the features used in each paper, whereas the paper [23] does not use any statistical features. The proposed approaches can be analyzed and compared according to the kind of features each uses to detect the botnet.

Table 7: Comparison of statistical features
Paper  Features
[29]   The active time of a P2P client.
[30]   Statistics on the packets.
[25]   Number of bots of a parasite botnet, mean duration of the sharing phase of botnet resources, mean bot arrival and leaving rates, and disappearing interval.
[11]   The duration of the conversation, the inter-arrival time of packets, the amount of data exchanged, and the number of packets.
[12]   Duration, payload, inter-arrival times, number of packets, and compression ratio.
[13]   Flow features: protocol, packets per second (f/w), packets per second (b/w), avg. payload size (f/w), and avg. payload size (b/w). Conversation features: duration of the conversation, number of packets exchanged in the conversation, volume of data exchanged, and median of the inter-arrival time.
[14]   Periodicities, chunk rate, and geographical distribution.
[26]   (1) ICMP reports (the initial stage), (2) the same communication traffic (the trance stage), (3) SMTP (the attack stage).
[19]   Packet ratio and traffic pattern.
[20]   Volume and duration.
[15]   Time of malware activity, space (chunk rate and distributed P2P), and size of NetFlow.
[24]   Flow size, number of packets, bits per packet, and flow duration.
[16]   Number of destination hosts, volume of data sent, and the average TTL value.
[21]   The time series and the event time series.
[28]   T_P2P a, N_f b, No-DNS peers c, N_clust d, N_bgp e, T_p2p f
[17]   The numeric flow level.
[27]   No statistical features.
a. T_P2P: the active time of the P2P application; b. N_f: the number of failed connections per hour; c. No-DNS peers: the percentage of flows associated with no domain names; d. N_clust: the number of clusters; e. N_bgp: the largest number of unique BGP prefixes in one cluster; f. T_p2p: the estimated active time of the P2P application.

3.7 Comparison of encrypted, unknown and real-time botnet detection
Table 8 compares the approaches in terms of their ability to detect encrypted botnets, unknown botnets, and botnets in real time.

Table 8: Encrypted, unknown and real-time botnet detection
Feature     Papers
Real-time   [13-15, 19, 20, 27, 28]
Encrypted   [11-18, 27-30]
Unknown     [13, 20, 24, 28]
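An added example that is not part of the paper, serving both the flow definition in Section 3.1 and the flow and conversation features listed for [11] and [13] in Table 7: it groups constructed packets into flows keyed on the page's 4-tuple, pairs each flow with its reverse for the forward/backward features, and builds conversations between host pairs regardless of ports. The Packet record layout and the silence gap that splits conversations are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Packet:
    """One captured packet: timestamp in seconds, protocol, endpoints and payload length in bytes."""
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: int


def flow_key(p):
    """The flow definition used on this page: same source address, source port, destination address, destination port."""
    return (p.src, p.sport, p.dst, p.dport)


def group_flows(packets):
    flows = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        flows[flow_key(p)].append(p)
    return dict(flows)


def flow_features(pkts):
    """Single-direction flow features: packet count, duration, packets per second and average payload size."""
    n = len(pkts)
    duration = pkts[-1].ts - pkts[0].ts
    return {
        "protocol": pkts[0].proto,
        "packets": n,
        "duration": duration,
        "packets_per_sec": n / duration if duration > 0 else float(n),
        "avg_payload": sum(p.payload for p in pkts) / n,
    }


def bidirectional_features(flows):
    """Pair each flow with its reverse to obtain the forward/backward (f/w, b/w) features listed for [13]."""
    out, seen = {}, set()
    for key, pkts in flows.items():
        if key in seen:
            continue
        reverse = (key[2], key[3], key[0], key[1])
        seen.update({key, reverse})
        fwd = flow_features(pkts)
        bwd = flow_features(flows[reverse]) if reverse in flows else None
        out[key] = {
            "protocol": fwd["protocol"],
            "pps_fw": fwd["packets_per_sec"],
            "pps_bw": bwd["packets_per_sec"] if bwd else 0.0,
            "avg_payload_fw": fwd["avg_payload"],
            "avg_payload_bw": bwd["avg_payload"] if bwd else 0.0,
        }
    return out


def group_conversations(packets, gap):
    """Both directions between two hosts regardless of ports; a silence longer than gap seconds starts a new conversation."""
    convs = defaultdict(list)
    for p in sorted(packets, key=lambda q: q.ts):
        key = tuple(sorted((p.src, p.dst)))
        if convs[key] and p.ts - convs[key][-1][-1].ts <= gap:
            convs[key][-1].append(p)
        else:
            convs[key].append([p])
    return dict(convs)


def conversation_features(pkts):
    """Conversation features listed for [11] and [13]: duration, packet count, data volume, median inter-arrival time."""
    ts = [p.ts for p in pkts]
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {
        "duration": ts[-1] - ts[0],
        "packets": len(pkts),
        "volume": sum(p.payload for p in pkts),
        "median_iat": median(gaps) if gaps else 0.0,
    }


# Constructed capture: a periodic UDP keep-alive exchange (bot-like) and one HTTP download (benign).
SAMPLE_PACKETS = []
for t in (0.0, 30.0, 60.0, 90.0):
    SAMPLE_PACKETS.append(Packet(t, "udp", "10.0.0.5", 4444, "203.0.113.10", 4444, 60))
    SAMPLE_PACKETS.append(Packet(t + 0.1, "udp", "203.0.113.10", 4444, "10.0.0.5", 4444, 80))
SAMPLE_PACKETS.append(Packet(0.0, "tcp", "10.0.0.7", 51000, "192.0.2.30", 80, 200))
for i in range(20):
    SAMPLE_PACKETS.append(Packet(0.05 + i * 0.01, "tcp", "192.0.2.30", 80, "10.0.0.7", 51000, 1400))

if __name__ == "__main__":
    for key, feats in bidirectional_features(group_flows(SAMPLE_PACKETS)).items():
        print(key, feats)
    for key, convs in group_conversations(SAMPLE_PACKETS, gap=300).items():
        for conv in convs:
            print(key, conversation_features(conv))
```

The small, evenly spaced keep-alive conversation and the bulk download come out with very different packet rates, payload sizes and median inter-arrival times, which is the separation these features are meant to give a classifier.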

4. DISCUSSIONS ABOUT THE P2P-BASED BOTNET DETECTION FIELD
This section discusses the problems encountered in P2P botnet detection. The analysis of the previous surveys and of the botnet detection methods determines the solved problems, the algorithms used, and the questions that remain unanswered. The field has achieved good results; however, many open problems remain to be solved. The following paragraphs discuss some general problems.
1. Rebuilding. Most methods cannot be rebuilt, for two reasons: first, the datasets were not published; second, the information about the methods is insufficient. Without a detailed description of the algorithms, the thresholds used, and the characteristics, reproduction may be unachievable. The papers did not present their datasets or the information necessary to recalculate their results.
2. Number of nodes. The number of nodes in the P2P network is important for detecting botnets. The number of nodes normally depends on the design of the proposal. Most proposals require many nodes and packets to obtain meaningful results. This limitation may adversely affect future implementations of the method, because many nodes can only be obtained by capturing packets in large networks.
3. Filtering of data. An important phase of botnet detection research is the filtering of data before feature extraction. Some proposals tend to over-filter the data and produce algorithms that work better with a specific dataset. For example, some proposals filter out UDP or Internet Control Message Protocol packets without further explanation [12], narrowing the sample to match their hypothesis.
4. Issues of the performance metrics. Three important issues were identified regarding the accuracy-based performance metrics. The first issue, as shown in Table 7, is that most proposals did not compute the entire set of metrics. This implies that most proposals cannot be compared, and the effectiveness of these methods is difficult to determine. The second issue is that some methods do not give a complete description of the design of their experiments. The third issue is that many papers did not provide specific values for the metrics used; instead, the papers used quantifiers such as high or low, as in [11, 12, 15, 20, 28-30].
5. Comprehensive dataset. Employing a good dataset can lead to effective methods, whereas a dataset with few botnets can lead to very limited methods. For example, some previous works [15, 28, 29] used fewer than five botnets.
6. The design. The experiments should be carefully designed to achieve meaningful results. The mixture of normal and botnet data in the dataset is important for the experiment to be acceptable. One paper presents a balanced mixture of the dataset similar to reality, but without explaining the process [21]. Different balances produce different results and benefits. Nevertheless, packets of normal activity are far more common than botnet activity. The mixture of the dataset is preferably achieved by merging traffic; however, the result is then more difficult to determine.
7. The detection methods should be dynamic, to discover changes in botnet plans. Improving the detection of unknown botnets is needed. Several methods performed experiments with unknown botnets [14, 24].

5. CONCLUSIONS
We studied the previous surveys and the most significant and latest papers in the P2P-based botnet detection field. The previous surveys, botnet detection features, topology map, and P2P-based proposals were analyzed and compared to understand the problems in the field. These results are useful for developing future research in the field. The present study has the following restrictions. First, most of the studied works did not show the details of their algorithms. Second, most datasets cannot be rebuilt. Third, the works did not present complete results. These restrictions have made comparisons between the papers difficult.
We found that the main problems in the previous surveys are undefined terminology, insufficient analysis of the papers, the small number of works covered, and a focus on different features of the methods. The difficulties in the field that need consideration are datasets containing a small number of botnets, different mixtures of traffic for building the datasets, inaccurate experimental outcomes, insufficient comparisons with other works, non-standard datasets, and performance metrics without precise results. In addition to these difficulties, there are the fast development of botnets and the complexities of building and running real botnets. Based on these results, we can determine the following properties for detecting botnets. First, the focus must not be on finding the best ways, but on determining the most useful detection method. Second, approaches that consider the dynamic changes of behavior with respect to time will be better at detecting botnets. Third, to detect new botnets, general features should be used, even though some particular features are missed. Fourth, utilizing hybrid detection methods is a good approach to double the accuracy of the results. Finally, when a large amount of data is used in the experiments, the proposals produce accurate results. Future work should focus on designing a standard dataset and on increasing the number of methods covered in comparisons.

6. ACKNOWLEDGMENTS

This research is supported by the Department of Information Technology, Al-Huson University College, Al-Balqa Applied University.

REFERENCES

[1] P. Narang, J.M.R., and C. Hota, Feature selection for detection of peer-to-peer botnet traffic. In Proceedings of the 6th ACM India Computing Convention, 2013: p. 16:1-16:9.
[2] Dittrich, D. and S. Dietrich, P2P as botnet command and control: a deeper insight. In Malicious and Unwanted Software, MALWARE 2008, 3rd International Conference on. 2008: IEEE.
[3] Lemos, R., Bot software looks to improve peerage.
[4] J. B. Grizzard, V.S., C. Nunnery, B. B. Kang, and D. Dagon, Peer-to-peer botnets: Overview and case study. In Proceedings of USENIX HotBots'07.
[5] T. Holz, M.S., F. Dahl, E. Biersack, and F. Freiling, Measurements and mitigation of peer-to-peer-based botnets: A case study on Storm Worm. In Proceedings of the First USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08).
[6] Vadivu, P.S. and K.S. Karthika, A Survey On Botnet Detection Approaches In Peer-To-Peer Network. International Journal of Advances in Computer Science and Technology, (5): p.
[7] Elhalabi, M.J., et al., A Review of Peer-To-Peer Botnet Detection Techniques. Journal of Computer Science, (1): p.
[8] Han, K.-S. and E.G. Im, A Survey on P2P Botnet Detection. Proceedings of the International Conference on IT Convergence and Security 2011: p.
[9] Ghalebandi, S.G., R.B.M. Noor, and A.H. Lashkari, A Survey on P2P Botnets Detection. In International Conference on Computer Engineering and Technology, 3rd (ICCET 2011). 2011: ASME Press.
[10] Pouget, F. and M. Dacier, Honeypot-based forensics. In AusCERT Asia Pacific Information Technology Security Conference.
[11] Narang, P., et al., PeerShark: Detecting Peer-to-Peer Botnets by Tracking Conversations.
[12] Narang, P., V. Khurana, and C. Hota, Machine-learning approaches for P2P botnet detection using signal-processing techniques. In Proceedings of the 8th ACM International Conference on Distributed Event-Based Systems. 2014: ACM.
[13] Narang, P., C. Hota, and V. Venkatakrishnan, PeerShark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification. EURASIP Journal on Information Security, (1): p.
[14] Kheir, N., X. Han, and C. Wolley, Behavioral fine-grained detection and classification of P2P bots. Journal of Computer Virology and Hacking Techniques, 2014: p.
[15] Kheir, N. and C. Wolley, BotSuer: Suing stealthy P2P bots in network traffic through netflow analysis. In Cryptology and Network Security. 2013, Springer: p.
[16] Narang, P., A. Thakur, and C. Hota, Hades: a Hadoop-based framework for detection of peer-to-peer botnets. In Proceedings of the 20th International Conference on Management of Data. 2014: Computer Society of India.
[17] Barthakur, P., M. Dahal, and M.K. Ghose, Adoption of a Fuzzy Based Classification Model for P2P Botnet Detection.
[18] Hühn, J. and E. Hüllermeier, FURIA: an algorithm for unordered fuzzy rule induction. Data Mining and Knowledge Discovery, (3): p.
[19] Dillon, C., Peer-to-Peer Botnet Detection Using NetFlow.
[20] Hang, H., et al., Entelecheia: Detecting p2p botnets in their waiting stage. In IFIP Networking Conference: IEEE.
[21] Qiao, Y., et al., Detecting P2P bots by mining the regional periodicity. Journal of Zhejiang University SCIENCE C, (9): p.
[22] Mansfield-Devine, S., Darknets. Computer Fraud & Security: p.
[23] García, S., A. Zunino, and M. Campo, Survey on network based botnet detection methods. Security and Communication Networks, (5): p.
[24] Kheir, N. and X. Han, Peerviewer: Behavioral tracking and classification of P2P malware. In Cyberspace Safety and Security. 2013, Springer: p.
[25] Rodríguez-Gómez, R.A., et al., Resource monitoring for the detection of parasite P2P botnets. Computer Networks: p.
[26] Fan, Y. and N. Xu, A P2P Botnet Detection Method Used On-line Monitoring and Off-line Detection. International Journal of Security & Its Applications, (3): p.
[27] He, J., et al., PeerDigger: Digging Stealthy P2P Hosts through Traffic Analysis in Real-Time. In Computational Science and Engineering (CSE), 2014 IEEE 17th International Conference on. 2014: IEEE.
[28] Zhang, J., et al., Detecting stealthy P2P botnets using statistical traffic fingerprints. In Dependable Systems & Networks (DSN), 2011 IEEE/IFIP 41st International Conference on. 2011: IEEE.
[29] Zhang, J., et al., Building a scalable system for stealthy p2p-botnet detection.
[30] Yin, C., et al., Towards Accurate Node-based Detection of P2P Botnets. The Scientific World Journal.

AUTHOR

Atef Ahmed Obeidat received the B.S. degree in Computer Science from Yarmuk University in 1991 and the M.S. degree in Computer Science from Jordanian University in . He received the PhD degree in communication and network systems from Novosibirsk State Technical University in .


More information

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Automated Response in Cyber Security SOC with Actionable Threat Intelligence Automated Response in Cyber Security SOC with Actionable Threat Intelligence while its biggest weakness is lack of visibility: SOCs still can t detect previously unknown threats, which is a consistent

More information

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM

EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM EVALUATIONS OF THE EFFECTIVENESS OF ANOMALY BASED INTRUSION DETECTION SYSTEMS BASED ON AN ADAPTIVE KNN ALGORITHM Assosiate professor, PhD Evgeniya Nikolova, BFU Assosiate professor, PhD Veselina Jecheva,

More information

Detecting encrypted traffic: a machine learning approach

Detecting encrypted traffic: a machine learning approach Detecting encrypted traffic: a machine learning approach Seunghun Cha and Hyoungshick Kim Department of Software, Sungkyunkwan University, Republic of Korea {sh.cha, hyoung}@skku.edu Abstract. Detecting

More information

Improving the Efficiency of Fast Using Semantic Similarity Algorithm

Improving the Efficiency of Fast Using Semantic Similarity Algorithm International Journal of Scientific and Research Publications, Volume 4, Issue 1, January 2014 1 Improving the Efficiency of Fast Using Semantic Similarity Algorithm D.KARTHIKA 1, S. DIVAKAR 2 Final year

More information

Stochastic Blockmodels as an unsupervised approach to detect botnet infected clusters in networked data

Stochastic Blockmodels as an unsupervised approach to detect botnet infected clusters in networked data Stochastic Blockmodels as an unsupervised approach to detect botnet infected clusters in networked data Mark Patrick Roeling & Geoff Nicholls Department of Statistics University of Oxford Data Science

More information

Intrusion Detection System using AI and Machine Learning Algorithm

Intrusion Detection System using AI and Machine Learning Algorithm Intrusion Detection System using AI and Machine Learning Algorithm Syam Akhil Repalle 1, Venkata Ratnam Kolluru 2 1 Student, Department of Electronics and Communication Engineering, Koneru Lakshmaiah Educational

More information

A Framework for Attack Patterns Discovery in Honeynet Data

A Framework for Attack Patterns Discovery in Honeynet Data DIGITAL FORENSIC RESEARCH CONFERENCE A Framework for Attack Patterns Discovery in Honeynet Data By Olivier Thonnard, Marc Dacier Presented At The Digital Forensic Research Conference DFRWS 2008 USA Baltimore,

More information

UNSUPERVISED LEARNING FOR ANOMALY INTRUSION DETECTION Presented by: Mohamed EL Fadly

UNSUPERVISED LEARNING FOR ANOMALY INTRUSION DETECTION Presented by: Mohamed EL Fadly UNSUPERVISED LEARNING FOR ANOMALY INTRUSION DETECTION Presented by: Mohamed EL Fadly Outline Introduction Motivation Problem Definition Objective Challenges Approach Related Work Introduction Anomaly detection

More information

CHAPTER 5 ANT-FUZZY META HEURISTIC GENETIC SENSOR NETWORK SYSTEM FOR MULTI - SINK AGGREGATED DATA TRANSMISSION

CHAPTER 5 ANT-FUZZY META HEURISTIC GENETIC SENSOR NETWORK SYSTEM FOR MULTI - SINK AGGREGATED DATA TRANSMISSION CHAPTER 5 ANT-FUZZY META HEURISTIC GENETIC SENSOR NETWORK SYSTEM FOR MULTI - SINK AGGREGATED DATA TRANSMISSION 5.1 INTRODUCTION Generally, deployment of Wireless Sensor Network (WSN) is based on a many

More information

Multivariate Correlation Analysis based detection of DOS with Tracebacking

Multivariate Correlation Analysis based detection of DOS with Tracebacking 1 Multivariate Correlation Analysis based detection of DOS with Tracebacking Jasheeda P Student Department of CSE Kathir College of Engineering Coimbatore jashi108@gmail.com T.K.P.Rajagopal Associate Professor

More information

Research Article Does an Arithmetic Coding Followed by Run-length Coding Enhance the Compression Ratio?

Research Article Does an Arithmetic Coding Followed by Run-length Coding Enhance the Compression Ratio? Research Journal of Applied Sciences, Engineering and Technology 10(7): 736-741, 2015 DOI:10.19026/rjaset.10.2425 ISSN: 2040-7459; e-issn: 2040-7467 2015 Maxwell Scientific Publication Corp. Submitted:

More information

Fault Identification from Web Log Files by Pattern Discovery

Fault Identification from Web Log Files by Pattern Discovery ABSTRACT International Journal of Scientific Research in Computer Science, Engineering and Information Technology 2017 IJSRCSEIT Volume 2 Issue 2 ISSN : 2456-3307 Fault Identification from Web Log Files

More information

CHAPTER 6 HYBRID AI BASED IMAGE CLASSIFICATION TECHNIQUES

CHAPTER 6 HYBRID AI BASED IMAGE CLASSIFICATION TECHNIQUES CHAPTER 6 HYBRID AI BASED IMAGE CLASSIFICATION TECHNIQUES 6.1 INTRODUCTION The exploration of applications of ANN for image classification has yielded satisfactory results. But, the scope for improving

More information

CLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS

CLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS CLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS CHAPTER 4 CLASSIFICATION WITH RADIAL BASIS AND PROBABILISTIC NEURAL NETWORKS 4.1 Introduction Optical character recognition is one of

More information

CHAPTER 5 CLUSTERING USING MUST LINK AND CANNOT LINK ALGORITHM

CHAPTER 5 CLUSTERING USING MUST LINK AND CANNOT LINK ALGORITHM 82 CHAPTER 5 CLUSTERING USING MUST LINK AND CANNOT LINK ALGORITHM 5.1 INTRODUCTION In this phase, the prime attribute that is taken into consideration is the high dimensionality of the document space.

More information

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422

Lecture 12 Malware Defenses. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Bailey s ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse?

More information

Network Based Peer-To-Peer Botnet Detection

Network Based Peer-To-Peer Botnet Detection Network Based Peer-To-Peer Botnet Detection Yonas Alehegn 1, Dr. T. Pandikumar 2, Abdulkadir Hassen 3 1Information System Security Office, Bank of Abyssinia 2 Department of CIT, College of Engineering,

More information

Research on adaptive network theft Trojan detection model Ting Wu

Research on adaptive network theft Trojan detection model Ting Wu International Conference on Advances in Mechanical Engineering and Industrial Informatics (AMEII 215) Research on adaptive network theft Trojan detection model Ting Wu Guangdong Teachers College of Foreign

More information

Chapter 5: Summary and Conclusion CHAPTER 5 SUMMARY AND CONCLUSION. Chapter 1: Introduction

Chapter 5: Summary and Conclusion CHAPTER 5 SUMMARY AND CONCLUSION. Chapter 1: Introduction CHAPTER 5 SUMMARY AND CONCLUSION Chapter 1: Introduction Data mining is used to extract the hidden, potential, useful and valuable information from very large amount of data. Data mining tools can handle

More information