A two-phase sequential pattern mining framework to detect stealthy P2P botnets
Journal of Information Security and Applications (IF 3.8). Pub Date: 2020-10-13, DOI: 10.1016/j.jisa.2020.102645
Fateme Faraji Daneshgar , Maghsoud Abbaspour

Botnets have been one of the most common threats to network security. Among all botnets that have emerged, Peer-to-Peer (P2P) botnets are more perilous and resilient because of their distributed nature. In addition to their resiliency against takedown strategies, modern P2P botnets are stealthier in the way they perform fraudulent activities. One of the main challenges in detecting P2P bots/botnets is the presence of benign P2P traffic: botnet traffic can blend in with legitimate P2P traffic, which makes the P2P bots stealthier. However, the problem of detecting P2P botnets in the presence of legitimate P2P traffic has received little attention from the research community.

In this paper, a novel P2P botnet detection framework that is resilient to the presence of legitimate P2P traffic is proposed, based on a two-phase Sequential Pattern Mining (SPM) approach. The proposed framework is evaluated on real-world network traffic in many different cases of coexisting malicious and legitimate P2P traffic. Our experimental results show that the proposed framework is capable of detecting P2P bots in the presence of legitimate P2P traffic with a detection rate of 99.2%. Besides its accurate detection, the proposed framework is highly scalable and can detect even a single bot in the network, or different bots from different bot families.

Updated: 2020-10-13