An explainable botnet detection model based on lightweight graph neural networks

Botnets represent a significant threat to the security of the current internet network environment. They can be employed to carry out various malicious activities, not only impairing the performance and security of individual devices but also causing extensive damage to the entire network. Therefore, efficient detection of botnets is essential for network security. In recent years, the mainstream approach to botnet detection has involved the use of graph neural network (GNN) models, aiming to fully utilise the graph-structured properties of network data. However, current GNN methods frequently struggle with complicated structures and lack interpretability. To address these issues, we have designed a new model based on graph isomorphism networks (GINs). This model significantly simplifies the complexity without compromising detection accuracy and introduces explainable techniques for analysing model weights and conducting subgraph mining. By leveraging the concept of graph isomorphism, our method can more precisely characterise and identify botnet features. Experimental results demonstrate that our model excels in both accuracy and interpretability, making it highly valuable for real-world network environment applications.