| Field | Value |
|---|---|
| Graduate student | 滕韋呈 Teng, Wei-Cheng |
| Thesis title | 基於評分的集中式殭屍網路偵測方法 (A Ranking-Based Centralized-Botnet Detection Method) |
| Advisor | 謝錫堃 Shieh, Ce-Kuen |
| Co-advisor | 張志標 Chang, Jyh-Biau |
| Degree | Master (碩士) |
| Department | 電機資訊學院 - 電腦與通信工程研究所 (Institute of Computer & Communication Engineering) |
| Year of publication | 2018 |
| Academic year of graduation | 106 |
| Language | English |
| Number of pages | 34 |
| Chinese keywords | 集中式殭屍網路、評分方法、分群 |
| English keywords | Centralized Botnet, Ranking Method, Clustering |
| Access count | Views: 39, Downloads: 0 |
With the rapid development of the Internet, cybercrime has become a major issue in today's society. Botnets are one form of cybercrime and remain a serious hazard to the Internet. Many studies have focused on how to detect botnets. Our previous work, BotCluster, is an unsupervised P2P botnet detection system. It uses NetFlow records as input, which lets it cope with encrypted payloads. Its three-level grouping algorithm effectively filters out benign P2P traffic. Although BotCluster performs well on P2P botnet detection, it cannot detect centralized botnets.
In this paper, we propose a ranking-based centralized-botnet detection method that integrates with BotCluster. We modify the clustering architecture to match the behaviour of centralized botnets. To reduce the false positive rate, we design a ranking approach that filters out benign traffic with high similarity. We evaluate the method on synthetic data and real traffic. On synthetic data, precision and recall reach about 85% and 90%. On real traffic, precision verified against VirusTotal also reaches 90% on average.
Campus access: public from 2023-08-01