| Graduate student: | 陳品豪 Chen, Pin-Hao |
|---|---|
| Thesis title: | 應用深度類神經網路於P2P殭屍網路偵測之研究 Study on Deep Neural Network Approach to P2P botnet detection |
| Advisor: | 謝錫堃 Shieh, Ce-Kuen |
| Co-advisor: | 張志標 Chang, Jyh-Biau |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2018 |
| Academic year of graduation: | 106 |
| Language: | English |
| Number of pages: | 28 |
| Chinese keywords: | 點對點殭屍網路、深度類神經網路、網路流、會話特徵 |
| Foreign-language keywords: | P2P botnet, Deep neural network, NetFlow, Session features |
Peer-to-Peer (P2P) botnets have emerged as a serious threat to Internet security. In this study we explore the feasibility of detecting P2P botnet behavior using a deep neural network. In our previous study, we presented a system that identifies P2P botnet activities in long-term data. It needs to accumulate data for a period of time before it can effectively run a clustering algorithm for botnet detection. The system extracts session features from network traces and clusters similar sessions into the same group, where a session merges the flows in two opposite directions. The experiments show that the system can yield a high precision of over 90% in detecting malicious IP addresses. By using this system, we can collect a large number of labeled sessions. Therefore, we want to investigate whether a deep neural network can learn from the collected data to associate a session's feature vector with its label. A trained model can identify a single session as suspicious or benign in real time. To achieve this, we train a model on a large training dataset consisting of labeled sessions. Furthermore, the trained model can be deployed on an embedded system to provide real-time botnet detection on traffic flows collected at edge devices. To fine-tune model performance, we perform a grid search over different depths of the neural network. Our study evaluates the model on sessions extracted from campus traffic and obtains an average detection rate of over 85% in session classification. The experimental results demonstrate that the proposed method can identify P2P botnet traffic from a single session.
On campus: publicly available from 2023-08-01