Improved P2P Botnet Community Detection: Combining Modularity and Strong Community

IEEE Global Communications Conference (2019)

Abstract
Large botnets have enormous combined computation and network resources, which can be used to launch powerful attacks. Botnets that use peer-to-peer (P2P) command & control (C&C) overlay networks have emerged to make themselves resilient against detection and disabling of individual bots. In a communication graph with network nodes represented by vertices and network traffic between the nodes represented by edges, the P2P botnet C&C traffic can reveal community structures. Detecting communities in a graph is a well-studied problem in the literature, and several algorithms have been proposed based on various approaches. Previous works have proposed detecting P2P botnets using various community detection algorithms, though in general they suffer from low precision. We propose BotCLAM, an algorithm to detect P2P botnet community structures in a communication graph, based on the differing definitions of community offered by modularity and strong community. Combining the speed and coverage of modularity optimization algorithms with a label propagation approach that finds smaller but strong communities, our algorithm detects P2P communities with improved precision (65% - 75%) without compromising the recall (>98%) of modularity optimization.
Keywords
label propagation approach, P2P C&C overlay networks, peer-to-peer command & control overlay networks, modularity optimization algorithms, P2P botnet community structures, community detection algorithms, P2P botnet C&C traffic, network traffic, network nodes, communication graph, network resources, P2P Botnet Community Detection