Deep fused flow and topology features for botnet detection basing on pretrained GCN

TL;DR

This paper introduces a novel botnet detection method that combines flow and topology features using a pretrained graph convolutional network, significantly improving detection accuracy on public datasets.

Contribution

The paper presents the first deep fusion of flow and topology features with a pretrained GCN for botnet detection, enhancing model performance and adaptability.

Findings

Achieved over 92% recall and F1-score on C2 botnets.

Achieved over 94% recall and F1-score on P2P botnets.

Outperformed existing leading detection models.

Abstract

Nowadays, botnets have become one of the major threats to cyber security. The characteristics of botnets are mainly reflected in bots network behavior and their intercommunication relationships. Existing botnet detection methods use flow features or topology features individually, which overlook the other type of feature. This affects model performance. In this paper, we propose a botnet detection model which uses graph convolutional network (GCN) to deeply fuse flow features and topology features for the first time. We construct communication graphs from network traffic and represent nodes with flow features. Due to the imbalance of existing public traffic flow datasets, it is impossible to train a GCN model on these datasets. Therefore, we use a balanced public communication graph dataset to pretrain a GCN model, thereby guaranteeing its capacity for identify topology features. We then feed the communication graph with flow features into the pretrained GCN. The output from the last hidden layer is treated as the fusion of flow and topology features. Additionally, by adjusting the number of layers in the GCN network, the model can effectively detect botnets under both C2 and P2P structures. Validated on the public ISCX2014 dataset, our approach achieves a remarkable recall rate 92.90% and F1-score 92.76% for C2 botnets, alongside recall rate 94.66% and F1-score of 92.35% for P2P botnets. These results not only demonstrate the effectiveness of our method, but also outperform the performance of the currently leading detection models.