  • DocumentCode
    3434840
  • Title
    Are Your Hosts Trading or Plotting? Telling P2P File-Sharing and Bots Apart
  • Author
    Yen, Ting-Fang ; Reiter, Michael K.
  • Author_Institution
    Carnegie Mellon Univ., Pittsburgh, PA, USA
  • fYear
    2010
  • fDate
    21-25 June 2010
  • Firstpage
    241
  • Lastpage
    252
  • Abstract
    Peer-to-peer (P2P) substrates are now widely used for both file-sharing and botnet command-and-control. Despite the commonality of their substrates, we show that the different goals and circumstances of these applications give rise to behaviors that can be distinguished in network flow records. Using features related to traffic volume, “churn” among peers, and differences between human-driven and machine-driven traffic, we develop a technique for identifying P2P bots (the Plotters) and, in particular, separating them from file-sharing hosts (the Traders). Evaluations performed on traffic recorded at the edge of a university network show that we can achieve, e.g., 87.50% detection of Storm bots with a 0.47% false positive rate. We also demonstrate the significant extent to which Plotter behaviors would need to change to evade our technique.
  • Keywords
    Communication channels; Distributed computing; Humans; Payloads; Peer to peer computing; Performance evaluation; Protocols; Storms; Telecommunication traffic; Testing;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Distributed Computing Systems (ICDCS), 2010 IEEE 30th International Conference on
  • Conference_Location
    Genoa, Italy
  • ISSN
    1063-6927
  • Print_ISBN
    978-1-4244-7261-1
  • Type
    conf
  • DOI
    10.1109/ICDCS.2010.76
  • Filename
    5541681