| Graduate student: | 吳偉誠 Wu, Wei-Chen |
|---|---|
| Thesis title: | 基於多維相似度計算的通用型點對點殭屍網路偵測框架之研究 A Generic P2P Botnet Detection Framework based on Multi-dimensional Similarity Computation |
| Advisor: | 謝錫堃 Shieh, Ce-Kuen |
| Co-advisor: | 張志標 Chang, Jyh-Biau |
| Degree: | Master |
| Department: | 電機資訊學院 - 電腦與通信工程研究所 College of Electrical Engineering and Computer Science - Institute of Computer & Communication Engineering |
| Year of publication: | 2014 |
| Academic year of graduation: | 102 |
| Language: | English |
| Number of pages: | 47 |
| Keywords (Chinese): | 點對點殭屍網路、網路流量偵測 |
| Keywords (English): | P2P botnet, Network traffic detection |
| Usage: | Views: 157, Downloads: 3 |
In recent years, botnets have been widely used by hackers as a tool for cybercrime, and among botnets, P2P botnets with a decentralized communication structure are the hardest to detect and trace. Previously developed detection methods for P2P botnets all require either signatures of known botnets or complex statistical analysis to set specific thresholds for judging whether network traffic is anomalous; however, this approach cannot effectively achieve the goal of generic botnet detection. Whenever botnet behaviour changes or a new botnet variant emerges, the algorithm inevitably has to be redesigned before the new behaviour can be detected. In view of these shortcomings, proposing a generic P2P botnet detection method is imperative.
Because bots of the same botnet are controlled by the same malicious executable (binary), the network traffic they generate when communicating is highly similar; even when the botnet's version is updated or its behaviour changes, members of the same botnet still show a high degree of similarity to one another. Taking three major characteristics of P2P botnets into account, we design a multi-dimensional similarity computation method that can find highly similar anomalous traffic within network traffic and further detect P2P botnets of unknown types.
In recent years, botnets have been widely adopted by hackers as a tool for cybercrime. In particular, P2P botnets, with their decentralized communication structure, are more difficult to detect and trace. The detection methods proposed in previous work require either signatures of known botnets or statistical training data to define a specific threshold for identifying anomalous network traffic. However, these approaches are not generic solutions: whenever botnet behavior changes or a new botnet variant appears, we have no choice but to design a new method. For these reasons, a generic detection method is essential.
Since bots of the same botnet are infected by the same binary, their communication traffic is very similar. Even if the botnet updates or mutates, its bots still share high similarity. We propose a multi-dimensional similarity measure based on three major characteristics of P2P botnets, which can find anomalous traffic with high similarity and further detect unknown P2P botnets.