殭屍網絡一直是強大的網絡安全威脅。如今，當物聯網（IOT）成為一個重要
的議題時，智能設備（有連接網路的設備）的增長率每年都有超過15％的增長，
當中會有許多設備安全是充滿疑慮的，因此殭屍網路的快速成長將成為更大的問
題。PC 的防毒軟體雖然已經發展了很長的時間但問題仍然很多；智慧型手機的
安全問題才剛剛開始幾年，更不用說智能設備或是物聯網仍然正在發展，當中的
安全議題更是充滿不確定性，所以可以預見會有更多的設備成為殭屍網絡的一部
分。
在本論文中，我們提出了一種透過分析網路上的封包來檢測潛在的殭屍網絡。
它將各個流量的統計信息分組，然後提取每個組的行為模式進行機器學習。該系
統將能用於分析p2p 架構的殭屍網絡，另外它將提取資訊到應用層，所以使用
http 協定溝通的殭屍網絡也會分析。

Botnets have always been a formidable cyber security threat. They are growing rapidly nowadays when the Internet of Things(IOT) has become an important issue and the number of internet-connected smart devices has increased by more than 15% annually. Although PC antivirus solution has been developed for a long time, it is still problematic. And the security issue of smart phones has just come into the spotlight in the near few years, not to mention the fact that smart devices and IoT are still at their growing stages. As such, security issues of the smart devices are full of uncertainty. In the foreseeable future, more devices will become a bot of botnet.
In this thesis, we propose a system for detecting potential botnet by analyzing the flows on the Internet. The system classifies similar flow traffic into groups, and then extracts the behavior patterns of each group for machine learning. The system not only can analyze p2p botnets but also extract the patterns to application layer, it can analyze botnets using http protocols.

Table of Contents .......................................................................................... i
List of Figures ................................................................................................ iii
Chapter 1 Introduction.............................................................................. 1
1.1 Motivation........................................................................................... 2
1.2 Our Contribution ................................................................................ 3
1.3 Organization ....................................................................................... 3
Chapter 2 Background ............................................................................... 4
2.1 Botnet ................................................................................................. 4
2.1.1 Botnet Introduction ............................................................. 4
2.1.2 Client-Server Botnet............................................................. 4
2.1.3 P2P Botnet .......................................................................... 5
2.1.4 Internet of Things with Botnet ............................................ 6
2.2 Machine learning................................................................................. 7
2.2.1 Flow based ........................................................................... 7
2.2.2 WEKA Introduction............................................................. 7
2.2.3 Machine Learning................................................................. 8
2.2.4 Classifier - J48 Decision Tree ............................................... 8
2.2.5 C4.5 Algorithm [1]................................................................ 8
2.2.6 Features selection ................................................................. 9
Chapter 3 Related Works.......................................................................... 11
3.1 Related Paper ..................................................................................... 11
3.2 Tools ................................................................................................... 12
Chapter 4 System Architecture and Design.......................................... 13
4.1 Goal .................................................................................................... 13
4.2 System Framework.............................................................................. 13
i
4.3 Features............................................................................................... 15
Chapter 5 Implementation ........................................................................ 19
5.1 Preparation ......................................................................................... 19
5.1.1 Requirement ......................................................................... 19
5.1.2 Data set................................................................................ 20
5.2 Preprocess ........................................................................................... 20
5.2.1 parsing packets ..................................................................... 20
5.2.2 construct flow and conversation ........................................... 22
5.2.3 calculate features for machine learning ................................ 23
5.2.4 Noise algorithm .................................................................... 25
Chapter 6 Evaluation ................................................................................. 27
6.1 Experiment Design.............................................................................. 27
6.1.1 Purposes............................................................................... 27
6.1.2 Experiment process .............................................................. 27
6.2 Evaluation........................................................................................... 28
6.3 Comparison ......................................................................................... 31
Chapter 7 Conclusions ............................................................................... 34
7.1 Conclusion........................................................................................... 34
7.2 Future work......................................................................................... 34

[1] C4.5 algorithm. https://en.wikipedia.org/wiki/C4.5_algorithm.
[2] botnet-model. https://www.researchgate.net/figure/266209917_fig1_
Fig-1-Typical-ClientServer-Botnet-Command-and-Control-Topology.
[3] iso-osi-layer-model-tcpip-model. http://programmerhelp404.blogspot.tw/
2014/01/iso-osi-layer-model-tcpip-model.html.
[4] Hypertext transfer protocol. http://www.studytonight.com/servlet/
introduction-to-web.php.
[5] iotonlinestore’s report of iot device number. http://www.iotonlinestore.
com/.
[6] Highest botnet flow increasing by year. http://www.ithome.com.tw/news/
111220.
[7] Yaokai Feng. How to fight against botnets in iot. http://staff.cs.kyushu-u.
ac.jp/data/event/2016/02/160107_Yaokai_Feng.pdf.
[8] Machine Learning Group at the University of Waikato. Waikato, weka. http:
//www.cs.waikato.ac.nz/ml/weka/.
[9] weka classifiers trees j48. http://weka.sourceforge.net/doc.dev/weka/
classifiers/trees/J48.html.
[10] Xindong Wu, Vipin Kumar, J Ross Quinlan, Joydeep Ghosh, Qiang Yang,
Hiroshi Motoda, Geoffrey J McLachlan, Angus Ng, Bing Liu, S Yu Philip,
et al. Top 10 algorithms in data mining. Knowledge and information systems,
14(1):1–37, 2008.
[11] Huan Liu, Rudy Setiono, et al. A probabilistic approach to feature selection-a
filter solution. In ICML, volume 96, pages 319–327, 1996.
[12] Elaheh Biglar Beigi, Hossein Hadian Jazi, Natalia Stakhanova, and Ali A Ghorbani.
Towards effective feature selection in machine learning-based botnet detection
approaches. In Communications and Network Security (CNS), 2014
IEEE Conference on, pages 247–255. IEEE, 2014.
[13] Qiben Yan, Yao Zheng, Tingting Jiang, Wenjing Lou, and Y Thomas Hou.
Peerclean: Unveiling peer-to-peer botnets through dynamic group behavior
analysis. In Computer Communications (INFOCOM), 2015 IEEE Conference
on, pages 316–324. IEEE, 2015.
[14] Tao Cai and Futai Zou. Detecting http botnet with clustering network traffic.
In School of Information Security Engineering Shanghai Jiao Tong University,
pages 1–6, 2012.
[15] Francisco Villegas Alejandre, Nareli Cruz Cortés, and Eleazar Aguirre Anaya.
Feature selection to detect botnets using machine learning algorithms. In Electronics,
Communications and Computers (CONIELECOMP), 2017 International
Conference on, pages 1–7. IEEE, 2017.
[16] Kyle Isom. Pypcapfile: a pure python library for handling libpcap savefiles.
2013.
[17] NumPy developers. Numpy: Numpy is the fundamental package needed for
scientific computing with python. 2005-2017.
[18] Gerald Combs et al. Wireshark. https://www.wireshark.org/.
[19] Hypertext transfer protocol. https://en.wikipedia.org/wiki/Hypertext_
Transfer_Protocol.
[20] Babak Rahbarinia, Roberto Perdisci, Andrea Lanzi, and Kang Li. Peerrush:
mining for unwanted p2p traffic. In International Conference on Detection of
Intrusions and Malware, and Vulnerability Assessment, pages 62–82. Springer,
2013.
[21] Czech Republic CTU University. The ctu-13 dataset. a labeled dataset with
botnet, normal and background traffic. 2013.
[22] Erdem Alparslan, Adem Karahoca, and Dilek Karahoca. Botnet detection:
Enhancing analysis by using data mining techniques. In Advances in Data
Mining Knowledge Discovery and Applications. InTech, 2012.