| Field | Value |
|---|---|
| Student | 徐晟旼 Hsu, Sheng-Min |
| Thesis title | 基於相似度點對點殭屍網路偵測演算法的跨域網路流分析 A Similarity-based P2P Botnet Detection Algorithm for Inter-Domain NetFlow Analysis |
| Advisor | 謝錫堃 Shieh, Ce-Kuen |
| Co-advisor | 張志標 Chang, Jyh-Biau |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication | 2016 |
| Academic year of graduation | 104 |
| Language | English |
| Pages | 30 |
| Keywords (Chinese) | 點對點殭屍網路, 跨網域, 非監督式機器學習, MapReduce 架構, 網路流 (P2P botnet, inter-domain, unsupervised machine learning, MapReduce framework, NetFlow) |
| Keywords (English) | P2P Botnet, Inter-domain, Unsupervised learning, MapReduce Framework, NetFlow |
| Usage | Views: 127, Downloads: 2 |
Abstract (translated from the Chinese):
In recent years, peer-to-peer (P2P) botnets have been used for many kinds of cyber-crime. Although there has been much research on detecting P2P botnets, most of it analyzes the network traffic of a single domain. We believe that analyzing single-domain traffic alone is insufficient, because P2P botnets are usually spread across multiple domains; if cross-domain analysis can be performed, the P2P botnet detection rate can be improved.
In this study, we propose a P2P botnet detection algorithm capable of inter-domain NetFlow analysis. The first stage of the algorithm analyzes a single domain, and the second stage performs cross-domain analysis. Experimental results on real-world network traffic show that inter-domain NetFlow analysis is feasible; verified against the VirusTotal database, our precision is at least 80%.
Abstract (English):
Recently, peer-to-peer (P2P) botnets have been adopted for a variety of cyber-crimes. Many approaches to P2P botnet detection have been studied, but most of them analyze bot activity in the traffic of a single domain. Malicious activity is hard to recognize from a single domain's traffic, especially for P2P botnets, whose peers are often scattered across the Internet to exchange information.
In this paper, we propose an innovative P2P botnet detection algorithm that federates multiple sites for inter-domain traffic analysis. Our algorithm first extracts traffic into feature vectors, and then runs a cooperative graph-based algorithm across multiple domains to improve precision. We believe our P2P botnet detection can handle both well-known and unknown botnets. Evaluation on real traffic logs shows the feasibility of our approach, and the results were validated against VirusTotal, on which at least 80 percent of the detected malicious IPs appeared.
Campus access: public from 2021-07-01