| Graduate student: | 黃睦林 Huang, Mu-Lin |
|---|---|
| Thesis title: | 基於BotCluster群聚特徵之串流式P2P殭屍網路快篩系統 / A Streaming P2P Botnet Quick Detection System based on Group Features of BotCluster |
| Advisor: | 謝錫堃 Shieh, Ce-Kuen |
| Co-advisor: | 張志標 Chang, Jyh-Biau |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2018 |
| Academic year of graduation: | 106 |
| Language: | English |
| Pages: | 40 |
| Keywords (Chinese): | 點對點殭屍網路, 快篩系統, 串流分析系統 (P2P botnet, quick detection system, streaming analysis system) |
| Keywords (English): | P2P botnet, quick detection, streaming process system |
Preventing botnets is essential for maintaining network security. Although many botnet detection tools already exist, most of them use batch processing systems for detection. For example, our laboratory's previous work, the BotCluster system, detects P2P botnets by batch processing. A batch processing system such as our BotCluster has to accumulate a sufficient amount of data in advance before it can begin a complete clustering analysis, so the detection time from data generation to the completion of the analysis is very long. For the more urgent botnets, reducing this detection time can greatly reduce the damage they cause.
Therefore, in this research, the malicious network behavior features obtained from BotCluster's clustering analysis of earlier network traffic are used to quickly screen newly arriving network traffic, and a streaming system is used so that this new data can be analyzed rapidly, thereby shortening the detection time for known P2P botnets. In the end, the quick detection system achieves nearly 90% accuracy and reduces the detection time from the original 24 hours to about 2 hours.
Preventing botnets is crucial for maintaining cybersecurity. Although there are many detection tools for preventing botnets, most of them use batch processing systems for detection. For example, our previous work, BotCluster, uses a batch processing system to detect P2P botnets. A batch processing system like BotCluster needs to accumulate enough data in advance before our grouping algorithm can perform a complete detection, so the time to detection (TTD), measured from data generation to the analysis of that data, is very long. For urgent botnets, reducing the TTD can significantly reduce the damage they cause.
In this research, we use the malicious network behavior characteristics of the results previously detected by BotCluster to quickly screen newly incoming NetFlow data. In addition, the quick detection is performed on a streaming process platform so that the input data is processed rapidly. Finally, the quick detection reaches 90% precision and reduces the TTD from 24 hours to 2 hours.