| Graduate student: | 陳冠中 (Chen, Guan-Zhong) |
|---|---|
| Thesis title: | A Multi-Layer Neural Network Model Trained by Session-based Features for classifying P2P Botnet traffic |
| Advisor: | 謝錫堃 (Shieh, Ce-Kuen) |
| Co-advisor: | 張志標 (Chang, Jyh-Biau) |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2019 |
| Graduation academic year: | 107 |
| Language: | English |
| Number of pages: | 36 |
| Keywords (Chinese, translated): | P2P botnet, deep neural network, network flow, session features |
| Keywords (English): | P2P botnet, Deep neural network, NetFlow, Session-based approach |
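Abstract (translated from the Chinese): Botnets have caused large-scale cybercrime around the world, such as DDoS, spam, and phishing, and have become a major security threat on the Internet; botnet detection has accordingly become a very important topic in network security research. In previous work, we proposed BotCluster, a batch-processing system for P2P botnet detection; the system successfully detects malicious traffic in NetFlow and reaches a precision above 90%. The BotCluster results also showed that a session-based approach fully brings out the significant differences between botnet traffic and normal traffic. In this study, we propose a malicious-traffic analysis model that shortens detection time, and discuss whether aggregating NetFlow traffic into sessions is equally effective when applied to deep learning. Two well-known botnet traffic datasets, PeerRush and CTU-13, are used to validate and test the feasibility of applying the session-based approach to training a deep learning model. To find the best model parameters, we ran a series of hyperparameter tuning experiments to maximize classification performance. The experimental results show that the trained model achieves 99.08% recall (true positive rate), 98.82% accuracy, 99.47% precision, and a 0.393% false positive rate; the overall F-measure reaches 98.95%. These results also indicate that a session-based deep learning model can effectively distinguish malicious from benign traffic in NetFlow, and point to the possibility of using it for botnet detection on real network traffic in the future.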
Botnets, which give rise to cybercrimes such as DDoS, spamming, and phishing, have become a significant threat on the Internet today; meanwhile, botnet detection has received great attention in recent cybersecurity research. In our previous work, BotCluster, a batch-based processing system for detecting P2P botnets on NetFlow, showed high precision above 90% on real traffic. It also proved that converting NetFlow records into sessions for P2P botnet detection gives a full overview of communications among compromised hosts. In this paper, we discuss using sessions as input to deep learning to construct a model that predicts malicious behavior in botnets and reduces detection time compared to a batch-based approach. Two well-known datasets, PeerRush and CTU-13, are used for training and testing the feasibility of using sessions in deep learning. In addition, to find the best parameters for our model in P2P botnet detection, several hyperparameter tuning experiments are presented. Experiments show that the model with the best parameters achieves 99.08% recall, 98.82% precision, 99.47% accuracy, a 0.39% false positive rate, and a 98.95% F1 score. The results confirm the effectiveness of session-based characteristics for P2P botnet detection and reinforce the feasibility of applying deep learning to real traffic to expose cybercrimes in the future.
On campus: publicly available from 2024-08-20