Deep learning to detect botnet via network flow summaries

Pektas A., ACARMAN T.

NEURAL COMPUTING & APPLICATIONS, vol.31, no.11, pp.8021-8033, 2019 (Journal Indexed in SCI) identifier identifier

  • Publication Type: Article / Article
  • Volume: 31 Issue: 11
  • Publication Date: 2019
  • Doi Number: 10.1007/s00521-018-3595-x
  • Page Numbers: pp.8021-8033
  • Keywords: Network security, Network flow, Botnet detection, Machine learning, Network traffic modeling, CLASSIFICATION, ANALYTICS


Compromised computer systems on the Internet, namely botnets, receive commands and share information with their central malicious systems while executing frequent and common network activities. Former botnet detection methods such as blacklists and botnet's signature matching cannot timely and reliably discover evolving botnet variants. Analysis of botnet network communication flows can be used to discover behavior of botnets toward detection. A rich dataset constituted by both botnet and normal network traffic flow summaries can be used for training and testing purposes. Furthermore, neural networks along emerging parallelization computing tools and processors may improve classification statistical metric results in an efficient manner. A neural network built by a higher number of layers and its architecture enhances classification accuracy. In this paper, we present a combination of convolutional and recurrent neural network to identify botnets. To validate the effectiveness of the proposed method, we test and benchmark the proposed method with two publicly available datasets, which are CTU-13 and ISOT, involving both botnet and normal data traffic. We evaluate statistical metric results by tuning the neural network architecture and compare the results with respect to baseline classifiers. Our experiment results show that the presented deep network learning-based botnet detection method is reached at 99.3% level in accuracy and 99.1% in F-measure, respectively.