
Graduate student: 葉佳祥 (Jia-Siang Ye)
Thesis title: SCAP : A P2P Botnet Detection System by Analyzing Composite Traffic Characteristic
Chinese title: SCAP : 基於分析混合流量特徵偵測P2P 殭屍網路
Advisor: 李漢銘 (Hahn-Ming Lee)
Committee members: 鄭欣明, 鄭博仁, 林豐澤
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Year of publication: 2016
Academic year of graduation: 104 (ROC calendar)
Language: English
Pages: 70
Chinese keywords: P2P botnet, detection, machine learning (P2P殭屍網路, 偵測, 機器學習)
Foreign-language keywords: P2P botnet, detection, machine learning
Usage statistics: 197 views, 4 downloads
Abstract (Chinese, translated):

Over the past ten years, P2P botnets have become one of the threats in today's network environment. Attackers distribute malware to take control of victim hosts and then use those hosts as springboards for launching attacks. As detection mechanisms have been proposed, botnets have adopted more behaviours to evade detection; conversation-based botnet detection was proposed in response, and a conversation-based detection mechanism can neutralize some of these evasion behaviours. On the other hand, botnet traffic may be mixed together with other P2P traffic.

This thesis proposes a new data type to define a "conversation", identifies features for this new data type, and proposes an improved algorithm for classification, named "Spatial Clustering of Applications without Parameter". Finally, when the features alone cannot decide whether traffic belongs to a botnet, a probabilistic judgement is derived from the relationship between packet sizes. Combining the features with these relationships lets our system detect P2P botnets within mixed traffic.


Abstract (English):

During the last two decades, P2P botnets have posed a severe security threat to contemporary information networks. Usually attackers first distribute malware to take control of victims' hosts and then use those hosts as springboards to launch attacks on specific targets.

Because botnets have become smarter than ever at avoiding detection, many studies on detecting both centralized and decentralized botnets have been reported. Among them, some researchers have focused on conversation-based detection. However, the problem of composite traffic occurs frequently in these studies. In our study, we do not use the "conversation" to detect botnets but the "payload conversation". With the characteristics of the "payload conversation", our system can handle the composite-traffic problem. We then propose a new algorithm called "Spatial Clustering of Applications without Parameter" (SCAP) to classify the traffic. SCAP is a nonparametric algorithm that improves on K-means: it can automatically cluster training data without any parameters being set. With this advantage, our system can deal with the traffic problems of different P2P applications.

Table of contents:

1 Introduction
  1.1 Motivation
  1.2 Challenge
  1.3 Goals
  1.4 Contribution
2 Background
  2.1 Botnet Life-Cycle
  2.2 Botnet Architecture
    2.2.1 Centralized C&C
    2.2.2 Decentralized C&C
  2.3 Parasite Botnet
  2.4 Related Work
    2.4.1 Detection technology
    2.4.2 Conversation-based detection
  2.5 Summary
3 Approach
  3.1 Payload Conversation-Based P2P Botnet Detection System
  3.2 Payload Conversation Collector
    3.2.1 Traffic Filter
    3.2.2 Payload Conversation Estimator
  3.3 Payload Conversation-Based Features Engine
    3.3.1 Connection-Failed Identifying
  3.4 P2P Botnet Detection Engine
  3.5 Payload Relationship Collector Engine
    3.5.1 Relations Founder Engine
    3.5.2 Relations Predictor Engine
4 Experiment
  4.1 Datasets
  4.2 Evaluation Methods
  4.3 Experiment Results
  4.4 Experiment discussion
  4.5 Limitations
5 Conclusion and Future Work
  5.1 Conclusion
  5.2 Future Work
