This research focuses on botnet detection through the combination of traffic analysis, unsupervised machine learning, and similarity analysis between benign traffic data and bot traffic data. In this study, we tested and experimented with different clustering algorithms and recorded their accuracy on our prepared datasets. The best clustering algorithm was then used for the next steps of the methodology: determination of the majority cluster (the cluster containing the most flows), removal of duplicate flows, and calculation of similarity. Results were recorded for the duplicate-removal stage; they indicate how many flows each majority cluster contains and how many duplicate flows were removed from it. Next, the similarity analysis results give the value of the similarity coefficient for the comparisons between all datasets (the bot datasets and the benign dataset). From these results we present some concluding heuristics for determining a possible bot infection on a given host.
This study applies several techniques to botnet detection: network traffic analysis, unsupervised learning, and analysis of the similarity between normal network traffic and botnet traffic. We tested different clustering algorithms and compared their performance; we then chose the best-performing algorithm to determine the majority cluster, remove redundant duplicate flow records, and analyse their similarity. Based on the computed traffic similarity results, we designed a heuristic method for detecting botnets.
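The pipeline described in the abstract (cluster the flows, keep the majority cluster, remove duplicate flows, compare datasets with a similarity coefficient) as an added, self-contained toy example. This is not the study's own code: the flow representation as (duration, bytes, packets) tuples, the pure-Python k-means, the choice of Jaccard as the similarity coefficient, and the sample flows are all assumptions made here for illustration, and the abstract does not name which clustering algorithm or coefficient the study used.

```python
"""Added example, not the study's code. Assumptions not taken from the page:
a flow is a (duration_s, bytes, packets) tuple, clustering is a small
pure-Python k-means with deterministic seeding, and the similarity
coefficient is Jaccard over the deduplicated flow signatures found in each
dataset's majority cluster."""
import math
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[float, float, float]  # (duration_s, bytes, packets)

# Constructed sample flows, not real captures. The bot sets are dominated by
# repeated small beacon-like flows; the benign set is varied.
BENIGN_FLOWS: List[Flow] = [
    (0.5, 1200, 10), (12.0, 54000, 80), (0.8, 900, 8), (30.0, 250000, 300),
    (1.1, 1500, 12), (0.4, 700, 6), (45.0, 400000, 500), (2.0, 3000, 20),
    (0.1, 200, 3),  # short lookup-like flow that also occurs in bot traffic
]
BOT_A_FLOWS: List[Flow] = [(0.1, 200, 3)] * 6 + [(0.1, 210, 3)] * 2 + [
    (20.0, 180000, 200), (25.0, 220000, 250)]
BOT_B_FLOWS: List[Flow] = [(0.1, 200, 3)] * 5 + [(0.2, 300, 4)] * 3 + [
    (15.0, 150000, 150)]


def _dist(a: Flow, b: Flow) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points: List[Flow], k: int = 2, iters: int = 25) -> List[int]:
    """Plain k-means on raw feature values; returns one label per point.
    Centroids start at the first point, then repeatedly the point farthest
    from the centroids chosen so far, so the result is deterministic."""
    centroids: List[Flow] = [points[0]]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_dist(p, c) for c in centroids))
        centroids.append(far)
    labels = [0] * len(points)
    for _ in range(iters):
        new_labels = [min(range(k), key=lambda i: _dist(p, centroids[i]))
                      for p in points]
        if new_labels == labels:
            break  # assignment stable, converged
        labels = new_labels
        for i in range(k):
            members = [p for p, lab in zip(points, labels) if lab == i]
            if members:  # recompute centroid as the member mean
                centroids[i] = tuple(sum(col) / len(members)
                                     for col in zip(*members))
    return labels


def majority_cluster(points: List[Flow], labels: List[int]) -> List[Flow]:
    """The cluster with the most flows (the abstract's 'majority cluster')."""
    top = Counter(labels).most_common(1)[0][0]
    return [p for p, lab in zip(points, labels) if lab == top]


def dedupe(flows: List[Flow]) -> Tuple[List[Flow], int]:
    """Remove exact duplicate flows; return (unique flows, number removed)."""
    unique = list(dict.fromkeys(flows))
    return unique, len(flows) - len(unique)


def jaccard(a: List[Flow], b: List[Flow]) -> float:
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def analyze(flows: List[Flow], k: int = 2) -> Dict[str, object]:
    """Cluster, pick the majority cluster and deduplicate it."""
    major = majority_cluster(flows, kmeans(flows, k))
    unique, removed = dedupe(major)
    return {"majority_size": len(major), "removed_duplicates": removed,
            "signatures": unique}


def compare_datasets(datasets: Dict[str, List[Flow]]) -> Dict[Tuple[str, str], float]:
    """Similarity coefficient for every pair of datasets, keyed by name pair."""
    sigs = {name: analyze(flows)["signatures"] for name, flows in datasets.items()}
    names = list(datasets)
    return {(x, y): jaccard(sigs[x], sigs[y])
            for i, x in enumerate(names) for y in names[i + 1:]}


if __name__ == "__main__":
    sets = {"benign": BENIGN_FLOWS, "bot_a": BOT_A_FLOWS, "bot_b": BOT_B_FLOWS}
    for name, flows in sets.items():
        r = analyze(flows)
        print(f"{name}: majority cluster {r['majority_size']} flows, "
              f"{r['removed_duplicates']} duplicates removed")
    for pair, sim in compare_datasets(sets).items():
        print(f"{pair[0]} vs {pair[1]}: similarity {sim:.3f}")
```

On this constructed data the benign majority cluster has no duplicates, while each bot majority cluster is mostly repeated flows (six duplicates removed from eight), and the bot-to-bot similarity (1/3) is well above bot-to-benign (0.125); that gap is the kind of observation the abstract's heuristics are built on.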