Unsupervised detection of botnet activities using frequent pattern tree mining
Complex & Intelligent Systems (IF 5.8), Pub Date: 2021-02-25, DOI: 10.1007/s40747-021-00281-5
Siqiang Hao, Di Liu, Simone Baldi, Wenwu Yu

A botnet is a network of remotely controlled infected computers that can send spam, spread viruses, or stage denial-of-service attacks without the consent of the computer owners. Since the beginning of the 21st century, botnet activities have steadily increased, becoming one of the major concerns for Internet security. In fact, botnet activities are becoming more and more difficult to detect, because they make use of Peer-to-Peer protocols (eMule, Torrent, Frostwire, Vuze, Skype and many others). To improve the detectability of botnet activities, this paper introduces the idea of association analysis from the field of data mining, and proposes a system to detect botnets based on the FP-growth (Frequent Pattern Tree) frequent itemset mining algorithm. The detection system is composed of three parts: packet collection and processing, rule mining, and statistical analysis of the mined rules. Its characteristic feature is the rule-based classification of different botnet behaviors in a fast and unsupervised fashion. The effectiveness of the approach is validated in a scenario with 11 Peer-to-Peer host PCs, 42063 non-Peer-to-Peer host PCs, and 17 host PCs with three different botnet activities (Storm, Waledac and Zeus). The recognition accuracy of the proposed architecture is shown to be above 94%. The proposed method is shown to improve on the results reported in the literature.
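As an added illustration, not code from the paper, the following is a minimal FP-growth over constructed per-flow feature sets: each transaction is one flow described by categorical features, and the maximal frequent itemsets are the candidate behaviour rules that the rule-statistics stage would then examine. The feature names, the sample flows and the support threshold are assumptions, not the paper's.

```python
from collections import Counter, defaultdict

class Node:
    """One node of the FP-tree: an item, its count, and links to parent/children."""
    __slots__ = ("item", "count", "parent", "children")
    def __init__(self, item, parent):
        self.item, self.count, self.parent, self.children = item, 0, parent, {}

def build_tree(transactions, min_support):
    """Count items, drop infrequent ones, insert each transaction in support order."""
    freq = Counter(i for t in transactions for i in set(t))
    freq = {i: c for i, c in freq.items() if c >= min_support}
    root, header = Node(None, None), defaultdict(list)  # header: item -> tree nodes
    for t in transactions:
        items = sorted((i for i in set(t) if i in freq), key=lambda i: (-freq[i], i))
        node = root
        for i in items:
            if i not in node.children:
                node.children[i] = Node(i, node)
                header[i].append(node.children[i])
            node = node.children[i]
            node.count += 1
    return freq, header

def fp_growth(transactions, min_support, suffix=()):
    """Return {frozenset(itemset): support} for every frequent itemset."""
    freq, header = build_tree(transactions, min_support)
    result = {}
    for item in sorted(freq, key=lambda i: (freq[i], i)):  # least frequent first
        pattern = (item,) + suffix
        result[frozenset(pattern)] = freq[item]
        cond = []  # conditional pattern base: prefix paths, repeated per node count
        for node in header[item]:
            path, p = [], node.parent
            while p.item is not None:
                path.append(p.item)
                p = p.parent
            if path:
                cond.extend([path] * node.count)
        if cond:
            result.update(fp_growth(cond, min_support, pattern))
    return result

def maximal_patterns(patterns):
    """Keep only itemsets not contained in a larger frequent itemset (candidate rules)."""
    return {p: c for p, c in patterns.items() if not any(p < q for q in patterns)}

# Constructed sample: one feature set per observed flow (values are illustrative only).
FLOWS = [{"proto:udp", "dport:high", "pkt:small", "peers:many"}] * 2 + [
    {"proto:udp", "dport:high", "pkt:small", "peers:many", "dur:short"},
    {"proto:tcp", "dport:80", "pkt:large", "peers:few"},
    {"proto:tcp", "dport:443", "pkt:large", "peers:few"},
    {"proto:tcp", "dport:80", "pkt:small", "peers:few"}]
```

With a minimum support of 3, the two maximal patterns separate the many-peer UDP flows from the few-peer TCP flows; in the paper's pipeline these mined rules are then matched against per-host statistics rather than used directly as verdicts.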



Chinese translation:

Unsupervised detection of botnet activities using frequent pattern tree mining

A botnet is a network of remotely controlled infected computers which, without the consent of the computer owners, can send spam, spread viruses or carry out denial-of-service attacks. Since the beginning of the 21st century, botnet activity has grown steadily and has become one of the major problems for Internet security. In fact, botnet activities are becoming increasingly hard to detect because they make use of peer-to-peer protocols (eMule, Torrent, Frostwire, Vuze, Skype and others). To improve the detectability of botnet activities, this paper introduces the idea of association analysis from the field of data mining and proposes a botnet detection system based on the FP-growth (frequent pattern tree) frequent itemset mining algorithm. The detection system consists of three parts: packet collection and processing, rule mining, and statistical analysis of the rules. Its characteristic is fast and unsupervised rule-based classification of various botnet behaviours. The effectiveness of the method is validated in a scenario with 11 peer-to-peer host PCs, 42063 non-peer-to-peer host PCs and 17 hosts with three different botnet activities (Storm, Waledac and Zeus). The recognition accuracy of the proposed architecture is shown to be above 94%. The results show that the proposed method improves on the results reported in the literature.

Updated: 2021-02-25