Ensemble Network Graph-Based Classification for Botnet Detection Using Adaptive Weighting and Feature Extraction

Cited by: 0
Authors
Putra, Muhammad Aidiel Rachman [1 ]
Ahmad, Tohari [1 ]
Hostiadi, Dandy Pramana [2 ]
Ijtihadie, Royyana Muslim [1 ]
Affiliations
[1] Inst Teknol Sepuluh Nopember, Dept Informat, Surabaya 60111, Indonesia
[2] Inst Teknol & Bisnis STIKOM Bali, Dept Magister Informat Syst, Denpasar 80234, Indonesia
Source
IEEE ACCESS | 2025 / Vol. 13
Keywords
Botnet detection; graph-based representation; machine learning; network security; information security; network infrastructure;
DOI
10.1109/ACCESS.2025.3541125
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
The number of cybersecurity threats increases every year due to the rapid improvement of the methods and tools hackers use to infect devices. Infected devices form a network, called a botnet, through which they send and receive commands. Botnets can launch malicious attacks using malware to infect targets in the network and then control them to perform illegal activities. Previous research has demonstrated that security systems can identify attacks by analyzing communication among bots in a network using a graph-based approach. While this analytical method achieves satisfactory accuracy, it still suffers from low recall, precision, and F1-score because of issues such as imbalanced data and the complexity of botnet behavior. This research addresses these challenges by analyzing network flows with adaptive weighting and feature extraction. Network flows are represented as a graph with IP addresses as vertices and the communication links between IP addresses as edges. Since botnet attack activity accounts for a relatively small share of the millions of recorded network flow records, the data is grouped using time gap analysis to handle the imbalance problem. Furthermore, network flows are represented in two graphs, and each edge is weighted according to 16 types of weighting. The graph representation and weighting output are stored as out-degree and in-degree graph metadata for classification. The analysis is carried out in an ensemble manner with weighting and threshold values to decide whether an IP address is a botnet member or a normal host. The experimental results obtained on the CTU-13, NCC, and NCC-2 datasets show reliable performance with an average accuracy of 99.99%, along with 80.91% precision, 93.10% recall, 82.15% F1-score, and a 39.55-second execution time.
The proposed model can function as an effective tool for the forensic analysis of botnet attacks, allowing network administrators to analyze the characteristics of botnet activities and anticipate potential future threats.
Pages: 31183-31204
Page count: 22