GADFly: A Fast and Robust Algorithm to Detect P2P Botnets in Communication Graphs

Botnets can be used to launch large scale and expensive attacks. Botnets are also difficult to detect and disable, especially when they use peer-to-peer (P2P) command & control structures. In this paper we propose GADFly - a fast and robust algorithm to detect P2P botnet structures in communication graphs built from network flow meta-data. While other algorithms have been proposed in literature that use graph analysis or machine learning techniques to detect botnets, they are either slow or have impractical false positives for realistically large graphs with millions of nodes. They also assume availability of universal communication graph data, which is not realistic. The method proposed here is able to precisely detect P2P botnet structures with extremely low false positive rates. In addition, GADFly is also very fast and robust in the face of gaps in communication graph data, making it suitable for practical deployments.