殭屍網路是一群受到殭屍病毒感染的電腦，這些電腦是目前網際網路安全的重大威脅。攻擊者先在正常使用者的電腦中植入殭屍病毒，再經由網路下達命令操控所有的受害電腦，執行分散式阻斷服務攻擊、偷竊私密資訊或散佈垃圾郵件等進行各種的惡意行為。殭屍網路其中類型之一：P2P殭屍網路，其架構模仿P2P軟體，使用多主控端架構避免單點故障問題，並搭配加密技術，讓各種特徵比對偵測技術無法發揮其效果。但是P2P殭屍網路的運作有別於一般正常網路行為，它具有建立大量連線卻不會消耗大量頻寬的特性，故仍可用異常行為偵測技術來偵測它的存在。本論文提出一個使用資料探勘的技術的方法論來偵測P2P殭屍網路，實作於一個網路環境，並驗證其可用來尋找出P2P殭屍網路的宿主。其關鍵作法在於使用P2P殭屍網路與正常網路行為的原生相異點作為資料探勘參數，不受限於P2P殭屍網路的加密特性，透過資料探勘技術加以分群，以利分辨，並可達到可接受的正確率，從而找出潛伏於網路中的殭屍電腦。

Botnet is a collection of software agents, or robots, that run autonomously and automatically. Unfortunately it is often associated with malicious software and becoming one of the main threats of information security. The attacker usually installs via drive-by-downloads exploiting web browser vulnerabilities, worms, Trojan horses, or backdoors, under a common command-and-control infrastructure. One of the botnet types, the P2P botnet, imitates the behavior of P2P software. It makes use of multiple controller to avoid single point failure. In addition, the command it delivers is encrypted to evade signature detection. Though the operation of P2P botnet is different from common network behavior, it is characterized by massive connecting without bringing up heavy traffic flow. Consequently, this can be identified by anomaly detection. We are able to apply to clustering technique of data mining to detect the existence of a botnet and find its host. The main idea is to differentiate the botnet behavior from usual network behaviors. We achieve satisfactory precision without decrypting botnet message circulating in the network. The result of the experiment shows the applicability of the proposed method.