  • Degree thesis

An Adaptive Defense Mechanism for P2P Bots

Advisor: 田筱榮

Abstract

Among today's Internet threats, botnets are one of the most damaging, and the number of infections rises every year. Once a bot is implanted on a user's computer, the attacker can remotely issue commands to every computer infected in this way. In recent years botnets have evolved rapidly, from centrally controlled IRC and HTTP botnets to decentralized P2P botnets, and this evolution has made detection harder. The new P2P botnets use a P2P transport architecture, so an attacker can send attack commands from any node in the botnet; as a result, the mechanisms that work well for detecting and defending against centrally controlled botnets cannot be applied to botnets built on a P2P architecture. We therefore adopt a two-stage adaptive approach and design a defense mechanism aimed at P2P botnets. Our system uses anomaly-based detection: by observing network behavior it identifies host processes that use the network in a P2P manner, then monitors those processes' activity on the host; when it detects activity that can be judged anomalous, it configures the firewall to block all network ports used by that process. Our approach is not affected by bot variants or previously unknown bots: the objects to be observed are determined from evidence of P2P communication activity on the host, infection by a P2P botnet is confirmed by anomalous behavior on the host, and the communication channel between the P2P botnet and the victim is blocked precisely. We implemented this method and verified the feasibility of the defense mechanism.

Abstract (original English version)

Among all the security threats in the cyberworld, the botnet is one that is highly destructive and ever-increasing in population: an attacker can remotely control a large set of compromised computers to launch group or individual attacks against targeted or non-targeted systems. In recent years, the operation model of botnet control has evolved from centralized IRC or HTTP botnets to decentralized P2P botnets. This change has degraded the ability to detect the existence of a botnet. The new P2P botnet, adopting the P2P communication model, allows an attacker to deliver attack commands from any node in the botnet. Hence, existing botnet detection and defense mechanisms based on the centralized operation model are not effective in deterring the threats resulting from P2P botnets. Therefore, we devised a two-stage adaptive detection and defense mechanism for P2P botnets. Processes utilizing the P2P communication model are identified according to their network behavior. Then they are monitored for all their activities on the host computer. When any of the designated anomalous behaviors is detected, a defense mechanism, such as the activation of a firewall rule to block traffic to or from the corresponding communication port, is employed. The proposed mechanism can perform the intended defense whether the bot malware is a known one, a variant, or a previously unknown one. A prototype system has been implemented and the effectiveness of the proposed scheme has been verified.

