Botnet sequential activity detection with hybrid analysis

Botnet is one type of malware that infects devices to carry out illegal activities controlled by a botmaster. Many previous studies detected botnets as a single activity while botnet activities were related. This paper focused on detecting host botnets by analyzing the linkages between each activity on a network. The research proposed a novel method combining sequential pattern mining, feature engineering, and hybrid analysis. The goal is to forensically discover network actors suspected of being botnets by analyzing interrelated network activity. Compared to other methods, the proposed approach provides more stable performance in identifying botnet and non-botnet activities. Besides, the experiment also tested the processing time and obtained optimal performance. The experiment uses three datasets and shows on average 97.71% of accuracy, 94.42% of recall, 94.42% of TPR, 97.96% of TNR, 2.29% of FPR, 5.58% of FNR, and 800.94 s of time processing. Furthermore, this model can help network admins forensically analyze botnet attacks on computer networks.