| Student | Ou, Chi-Lung (歐奇隴) |
|---|---|
| Thesis title | 基於NetFlow的網路行為群聚之C&C殭屍網絡偵測方法 (A NetFlow-based Behavioral Clustering Approach to C&C Botnet Detection) |
| Advisor | Shieh, Ce-Kuen (謝錫堃) |
| Co-advisor | Chang, Jyh-Biau (張志標) |
| Degree | Master |
| Department | College of Electrical Engineering and Computer Science, Institute of Computer & Communication Engineering |
| Publication year | 2018 |
| Academic year of graduation | 106 (ROC calendar) |
| Language | English |
| Pages | 33 |
| Chinese keywords | C&C botnet, unsupervised machine learning, network flow, behavior clustering |
| English keywords | C&C Botnet, Unsupervised Machine Learning, Behavior Clustering, NetFlow |
| Usage | Views: 95, Downloads: 1 |
In recent years, C&C botnets have been used in many kinds of cybercrime. Although many studies have proposed methods for detecting such botnets, most of them analyze packet contents, and packet-based analysis cannot detect unknown malware or its variants: malware is updated very quickly today, so detection that relies on particular features of packet contents is easily evaded, and it also raises privacy concerns. Other methods use malware features for cluster-based detection; although they can detect unknown malware, because they rely on clustering they tend to group some normal traffic together with the malicious traffic, which leads to a high false-positive rate.
Therefore, this study proposes a C&C botnet detection method that clusters network behavior from NetFlow-format flow records. The first stage of the algorithm selects representative features from botnet malware samples; the second stage performs three clustering steps based on the characteristics of C&C botnets and excludes as much normal traffic as possible through the design of a threshold on cluster counts. In the experiments, detection is run separately on synthetic traffic from ten botnet malware samples and on real-world network traffic. Both sets of results show that the method is feasible: not only does the recall in the synthetic experiment reach 98%, but for the real-world traffic, after verifying the inferences against the VirusTotal database, our accuracy is also above 90%.
In recent years, C&C botnets have been used for a variety of cybercrimes. Many approaches to C&C botnet detection have been studied, and most of them are based on packet (payload) analysis. However, if the botnet has been updated or the packets are encrypted, these methods may fail, and they also raise privacy concerns. Other methods, based on unsupervised learning, can detect unknown botnets, but their clustering may group malicious traffic together with some normal traffic, which causes a high false-positive rate.
Therefore, in this study we propose a C&C botnet detection method that clusters network behavior from NetFlow-format records. The first stage of the algorithm selects representative features from C&C botnet samples. In the second stage, three clustering steps based on the properties of C&C botnets are performed, and normal traffic is excluded as much as possible through the design of the clustering threshold. In the experiments, we run detection on synthetic logs of ten botnet samples and on real-world NetFlow traffic. Both experiments show that the method is effective: in the synthetic experiment the recall rate is as high as 98%, and in the real-world traffic experiment our accuracy rate is also above 90% after the inferences are verified through VirusTotal.
On-campus access: open from 2023-08-01