
Detailed record

Author (Chinese): 黃羽豪
Author (English): Huang, Yu-Hao
Title (Chinese): 基於對話分析與機器學習的P2P殭屍網路檢測方法
Title (English): Conversation-based P2P botnet detection with machine learning
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 許富皓; 黃育綸
Committee members (English): Hsu, Fu-Hau; Huang, Yu-Lun
Degree: Master's
University: National Tsing Hua University (國立清華大學)
Department: Department of Computer Science (資訊工程學系所)
Student ID: 104062529
Year of publication (ROC calendar): 106 (2017)
Graduating academic year (ROC calendar): 105
Language: English
Pages: 33
Keywords (Chinese, translated): botnet; peer-to-peer architecture; machine learning; conversation-based analysis; command and control
Keywords (English): Botnet; P2P; machine learning; conversation-based; command & control
Abstract (Chinese, translated): Botnets are a serious threat on the Internet. A botnet consists of a group of victim computers controlled by a botmaster; these victim computers are also called bots. The botmaster directs the bots through a channel called the command and control channel and uses them to launch attacks that endanger network security, such as distributed denial-of-service (DDoS) attacks, theft of private data and sending of spam, all of which have serious consequences. Detecting botnets has therefore become an important issue. Mainstream botnets today adopt a peer-to-peer architecture, which gives the attacker more flexibility in controlling the bots and issuing commands, and traditional detection methods have become relatively ineffective against botnets built this way. We therefore propose a set of features related to peer-to-peer botnets, which can be extracted on the host or at the network layer. Using these features, we present a system that detects peer-to-peer botnets through conversation analysis and then applies machine learning to distinguish botnet traffic from normal traffic. Our results show that the system achieves a high detection rate and a low false-positive rate.
Abstract (English): Botnets are one of the most dangerous threats on the Internet. A botnet is a collection of compromised computers, called bots, controlled by a botmaster. Through the command and control (C&C) channel, a botnet can be used to perform distributed denial-of-service (DDoS) attacks, steal sensitive data, send spam, and so on, so detecting botnets has become an important issue. Advanced botnets adopt a peer-to-peer (P2P) infrastructure for more resilient C&C, and traditional detection techniques are less effective at identifying bots that communicate over a P2P structure. We therefore propose a set of features relevant to P2P botnets. Extracting features at either the host or the network level to model a botnet is one of the most widely used methods of botnet detection. In this thesis, we present a system that detects P2P botnets based on conversations described by these extracted features, and then use machine learning techniques to differentiate P2P botnet conversations from normal conversations. Our evaluation shows that the system achieves high detection rates with few false positives.
Table of contents
Chapter 1 Introduction
Chapter 2 Background Information
  2.1 Life cycle of a botnet
    2.1.1 Spread
    2.1.2 Secondary injection
    2.1.3 Command & Control (C&C)
    2.1.4 Attack
    2.1.5 Update & Maintenance
  2.2 Classification of botnets
    2.2.1 Centralized botnets
    2.2.2 P2P botnets
    2.2.3 Hybrid botnets
  2.3 Botnet detection approaches
    2.3.1 Signature-based detection
    2.3.2 Behavior-based detection
    2.3.3 Honeypot-based detection
    2.3.4 Host-based detection
    2.3.5 Hybrid detection
  2.4 Machine learning
    2.4.1 Supervised learning
    2.4.2 Unsupervised learning
    2.4.3 Semi-supervised learning
Chapter 3 Proposed Approach
  3.1 Packet tracing
  3.2 Adding packets to a conversation / verifying whether a packet belongs to a conversation
  3.3 Feature extraction and data pre-processing: labeling
  3.4 Feature selection
  3.5 Loading the data into Weka
Chapter 4 Experiments and Results
Chapter 5 Conclusion
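The pipeline that the abstract describes and that Chapter 3 lists as steps (trace packets, place each packet in a conversation, extract and label features, select features, load the data into Weka) can be sketched end to end in a short script. The Python below is an added example written for this page, not the thesis's own code. It assumes packets have already been parsed into (timestamp, source, destination, protocol, length) records, keys a conversation on the unordered host pair and closes it after an assumed 60-second silence, and the nine per-conversation features, the 100-byte small-packet cutoff and the list of known bot hosts used for labeling are illustrative choices of mine, not the features or thresholds the thesis reports. Its output is an ARFF file that Weka's classifiers can load directly; feature selection and classification are left to Weka and are not reproduced here.

```python
# Added example for this page, not code from the thesis. Groups packet records
# into host-pair conversations, computes per-conversation features, labels them
# and writes a Weka ARFF file. Feature set, idle gap, small-packet cutoff and
# bot-host list are illustrative assumptions, not values from the thesis.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time in seconds
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "TCP" or "UDP"
    length: int   # bytes on the wire


def conversation_key(pkt):
    """Undirected host pair: both directions of an exchange form one conversation."""
    return tuple(sorted((pkt.src, pkt.dst)))


def group_conversations(packets, idle_gap=60.0):
    """Assign each packet to a conversation in time order. A silence longer than
    idle_gap seconds between the same host pair closes the conversation and
    starts a new one (idle_gap is an assumed threshold)."""
    convs, open_idx = [], {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = conversation_key(p)
        idx = open_idx.get(key)
        if idx is None or p.ts - convs[idx][-1].ts > idle_gap:
            convs.append([p])
            open_idx[key] = len(convs) - 1
        else:
            convs[idx].append(p)
    return convs


FEATURE_NAMES = ["n_pkts", "n_bytes", "duration", "mean_len", "std_len",
                 "small_ratio", "mean_gap", "dir_ratio", "udp_ratio"]


def extract_features(conv):
    """Network-level features of one conversation (illustrative selection)."""
    first_host, _ = conversation_key(conv[0])
    sizes = [p.length for p in conv]
    times = [p.ts for p in conv]
    gaps = [t2 - t1 for t1, t2 in zip(times, times[1:])]
    return {
        "n_pkts": len(conv),
        "n_bytes": sum(sizes),
        "duration": times[-1] - times[0],
        "mean_len": mean(sizes),
        "std_len": pstdev(sizes),
        # P2P keep-alive / peer-list chatter: small packets (cutoff assumed 100 B)
        "small_ratio": sum(1 for s in sizes if s < 100) / len(sizes),
        # sent at a steady cadence,
        "mean_gap": mean(gaps) if gaps else 0.0,
        # in roughly equal numbers in both directions, unlike client/server
        "dir_ratio": sum(1 for p in conv if p.src == first_host) / len(conv),
        "udp_ratio": sum(1 for p in conv if p.proto == "UDP") / len(conv),
    }


def label_conversation(conv, bot_hosts):
    """Ground truth for training: a conversation touching a known bot host is 'bot'."""
    return "bot" if set(conversation_key(conv[0])) & bot_hosts else "normal"


def to_arff(convs, bot_hosts, relation="p2p_conversations"):
    """Serialize labeled feature rows in Weka's ARFF format."""
    lines = [f"@relation {relation}"]
    lines += [f"@attribute {name} numeric" for name in FEATURE_NAMES]
    lines.append("@attribute class {bot,normal}")
    lines.append("@data")
    for conv in convs:
        feats = extract_features(conv)
        row = ",".join(f"{feats[name]:.4f}" for name in FEATURE_NAMES)
        lines.append(f"{row},{label_conversation(conv, bot_hosts)}")
    return "\n".join(lines) + "\n"


# Constructed sample traffic (not a real capture): a P2P-style peer exchange of
# small UDP packets every 5 s, and an HTTP-style client/server exchange that
# resumes after a pause longer than idle_gap and so becomes a second conversation.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "203.0.113.7", "UDP", 60),
    Packet(5.0, "203.0.113.7", "10.0.0.5", "UDP", 60),
    Packet(10.0, "10.0.0.5", "203.0.113.7", "UDP", 60),
    Packet(15.0, "203.0.113.7", "10.0.0.5", "UDP", 60),
    Packet(20.0, "10.0.0.5", "203.0.113.7", "UDP", 60),
    Packet(25.0, "203.0.113.7", "10.0.0.5", "UDP", 60),
    Packet(1.0, "10.0.0.9", "198.51.100.20", "TCP", 400),
    Packet(1.2, "198.51.100.20", "10.0.0.9", "TCP", 1400),
    Packet(1.3, "198.51.100.20", "10.0.0.9", "TCP", 1400),
    Packet(1.5, "10.0.0.9", "198.51.100.20", "TCP", 60),
    Packet(200.0, "10.0.0.9", "198.51.100.20", "TCP", 400),
    Packet(200.1, "198.51.100.20", "10.0.0.9", "TCP", 1400),
]
BOT_HOSTS = {"203.0.113.7"}  # assumed ground truth from a labeled capture

if __name__ == "__main__":
    print(to_arff(group_conversations(SAMPLE_PACKETS), BOT_HOSTS), end="")
```

On the constructed sample the peer exchange yields a conversation with a small-packet ratio of 1.0, a direction ratio of 0.5 and a steady 5-second gap, while the client/server exchange is short, dominated by large packets and split into two conversations by the idle gap; a classifier trained in Weka on rows like these is what the thesis's step 3.5 hands the data to. The idle-gap rule matters in practice: without it, a host pair that talks once a day would be merged into one enormous conversation and its features would smear together.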
(The full text has not been released for open access.)