Efficient Detection of Botnet Traffic by features selection and Decision Trees
Javier Velasco-Mata, Víctor González-Castro, Eduardo Fidalgo, Enrique Alegre

TL;DR
This paper improves botnet traffic detection by selecting optimal features and applying decision trees, achieving high accuracy with minimal computational time on CTU-13 datasets.
Contribution
It introduces a feature selection approach combined with decision trees for efficient botnet detection, optimizing both accuracy and speed.
Findings
Decision Trees with five features achieved 85% F1 score.
Feature selection improved detection performance.
The approach is computationally efficient, classifying samples in under 1 microsecond.
Abstract
Botnets are one of the online threats with the biggest presence, causing billionaire losses to global economies. Nowadays, the increasing number of devices connected to the Internet makes it necessary to analyze large amounts of network traffic data. In this work, we focus on increasing the performance on botnet traffic classification by selecting those features that further increase the detection rate. For this purpose we use two feature selection techniques, Information Gain and Gini Importance, which led to three pre-selected subsets of five, six and seven features. Then, we evaluate the three feature subsets along with three models, Decision Tree, Random Forest and k-Nearest Neighbors. To test the performance of the three feature vectors and the three models we generate two datasets based on the CTU-13 dataset, namely QB-CTU13 and EQB-CTU13. We measure the performance as the macro…
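An added illustration of the feature-ranking step described in the abstract, not the paper's code: it scores each feature by Information Gain (entropy) and by Gini impurity decrease at the best single threshold split, a simplified stand-in for tree-derived Gini Importance. The flow records and the feature names (`duration_s`, `total_bytes`, `dst_port`) are constructed for the example and are not taken from CTU-13.

```python
import math
from collections import Counter

# Constructed sample flows (not CTU-13 data); feature names are hypothetical.
FEATURES = ["duration_s", "total_bytes", "dst_port"]
FLOWS = [  # (duration_s, total_bytes, dst_port, label)
    (0.2, 120, 6667, "bot"), (0.3, 150, 80, "bot"),
    (0.1, 100, 443, "bot"), (5.0, 130, 53, "bot"),
    (4.0, 5000, 80, "normal"), (6.0, 8000, 443, "normal"),
    (0.25, 7000, 53, "normal"), (7.0, 9000, 6667, "normal"),
]

def entropy(labels):
    """Shannon entropy in bits; the impurity behind Information Gain."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def gini(labels):
    """Gini impurity; the impurity behind Gini Importance."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split_gain(values, labels, impurity):
    """Largest impurity reduction over all binary threshold splits."""
    parent, n, best = impurity(labels), len(labels), 0.0
    for t in sorted(set(values))[:-1]:  # last value would leave right side empty
        left = [l for v, l in zip(values, labels) if v <= t]
        right = [l for v, l in zip(values, labels) if v > t]
        child = (len(left) * impurity(left) + len(right) * impurity(right)) / n
        best = max(best, parent - child)
    return best

def rank_features(rows, names, impurity):
    """Return [(feature, score)] sorted from most to least informative."""
    labels = [r[-1] for r in rows]
    scores = [(name, best_split_gain([r[i] for r in rows], labels, impurity))
              for i, name in enumerate(names)]
    return sorted(scores, key=lambda kv: kv[1], reverse=True)

def select_top_k(rows, names, k, impurity=entropy):
    """Keep the k highest-scoring features, as a pre-selected subset."""
    return [name for name, _ in rank_features(rows, names, impurity)[:k]]

if __name__ == "__main__":
    for crit in (entropy, gini):
        print(crit.__name__, rank_features(FLOWS, FEATURES, crit))
    print("subset:", select_top_k(FLOWS, FEATURES, 2))
```

In this constructed sample `dst_port` scores zero under both criteria because every port carries one bot and one normal flow, so it is the feature a selection step would drop first.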
Taxonomy
Methods: Feature Selection
