| Graduate student: | 周承康 |
|---|---|
| Thesis title: | A P2P Bot Detection System Based on Data Mining (基於資料探勘之P2P殭屍病毒偵測系統) |
| Advisor: | 唐文華 |
| Oral examination committee: | |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science - Department of Computer Science |
| Year of publication: | 2011 |
| Academic year of graduation: | 99 |
| Language: | Chinese |
| Chinese keywords: | Bayesian network classification, P2P botnet, back-propagation neural network, detection system |
| English keywords: | Bayesian network, Back Propagation Network, P2P Botnet, Detection System |
Abstract (Chinese, translated): This study proposes a design concept for a detection system whose main goal is to identify infected computers in real time during the early stage of a P2P bot infection, before any damage has been done, using Bayesian network classification and back-propagation neural network classification, and to alert the network administrator. The system employs a real-time P2P traffic identification method based on connection patterns. This method effectively detects the traffic generated by P2P applications and uses it to filter out traffic already known in the database. Experimental results show that, through repeated parameter adjustment with training and testing (Training-and-Testing), assisted by decision tree classification for tuning, an optimal solution was finally obtained. The Bayesian network classifier reached 90% accuracy in identifying anomalous traffic during training; the back-propagation neural network reached an accuracy of 92%. When real network traffic was fed into the trained models, the resulting accuracy was consistent with these figures.
Abstract (English): This study proposes a design concept for a detection system. The main idea is to identify zombie computers as soon as they become infected. Using a Bayesian network and a Back Propagation Network, the system recognizes zombies in real time and issues a warning report. The system uses a real-time P2P traffic identification method based on connection patterns, which effectively filters the traffic generated by P2P connections. The experiments show that the Bayesian network classifier recognized 90% of anomalous traffic in Training-and-Testing, and the Back Propagation Network identified 92%. When real-time network traffic was passed through the trained models, the identification results agreed closely with the Training-and-Testing results.