5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-

qadisiyah University, Diwaniyah-Iraq

Behavior Analysis of Machine Learning Algorithms

2023 International Conference on Information Technology, Applied Mathematics and Statistics (ICITAMS) | 979-8-3503-3511-8/23/$31.00 ©2023 IEEE | DOI: 10.1109/ICITAMS57610.2023.10525642

for Botnets Detection

Huda H. Ali Ruwaida M. Yas Maysaa H. Abdulameer
Computer Engneering Techneques Informatics Institute for Post- Informatics Institute for Post-
Imam Al-Kadhum College (IKC) Graduation Studies Graduation Studies
Baghdad, Iraq Iraqi Commission for Computer & Iraqi Commission for Computer &
Compeng.lecturer5@alkadhum- Informatic Informatic
col.edu.iq Baghdad, Iraq Baghdad, Iraq
[email protected] [email protected]

Abstract—Botnets constitute a significant cybersecurity and "network." [9]. Nowadays, a lot of people use AI to find
threat becoming increasingly sophisticated and challenging to such attacks. [7]. Security experts and researchers use various
detect. In addition, they are used for various illegal activities, strategies and ways to address the issue as botnets grow more
such as spreading viruses, conducting DDoS attacks, click fraud, dangerous. The detection strategy, like detection by behavior
phishing, and identity theft. This study focuses on the latest or signature, establishes how the solution works. Various
advancements in machine learning-based botnet detection methods serve as the foundation for multiple methods. The
research. It initially describes how ML technology is two methods are usable by ML-based detection approaches.
implemented in network security research and describes the Anomaly and DNS are two other methods for bot detection
properties regarding the botnet's structure prior to the
[10].
introduction of ML for botnet detection. Next, the study
analyzes and summarizes the most commonly used ML Numerous ML techniques were employed to analyze
algorithms and their security features in botnet detection. different types of network traffic data. A few researchers think
Finally, it concludes by summarizing the current ML solutions these techniques are better equipped to handle new Botnet
for describing, detecting, and researching botnets, as well as variants than traditional methods [11]. Finding the best subset
discussing how to evaluate the accuracy of botnet detection of variables out of all those that could represent the data most
techniques. accurately is feature selection (FS). The goal of the FS in
botnet detection is to choose a subset of features that will
Keywords— cyber security, botnets, machine-learning
algorithms, evaluation
accurately indicate the behavior of bots or the particular bot
that is being targeted. Features will be selected based on the
I. INTRODUCTION type of data being utilized [10]. Use a confusion matrix to
compare the algorithms' performance to evaluate the
A botnet can be defined as a collection of several bots outcomes of ML algorithms [12].
programmed to engage in malicious activities on a target
network and controlled by a single unit known as the
botmaster using the command-and-control protocol (C&C).
[1] One of the primary problems in cybersecurity is botnets.
An internet that has malware installed is referred to as a bot.
A botnet comprises bots that can carry out directives from
botmasters (devices controlled directly via an attacker) [2].
According to their architectures, the way that individual bots
join a botnet is divided into three groups (decentralized
Architecture, Centralized Architecture, and hybrid
architecture) [3] Fig. 1 illustrates the three major components
of a botnet: botmaster, bots, and a (C&C) channel [4]. Specific
commands supplied by the botmaster through a (C&C)
channel cause actions to be taken. It's significant to note that
programs propagated by worms or utilized for installing Fig. 1. Botnet elements [5]
backdoors on compromised computers are bots rather than
application vulnerabilities or operating systems [5] P2P (Peer-
to-Peer), IRC (Internet Relay Chat), Domain-Flux, HTTP, and
Fast-Flux are some of the protocols that are utilized in botnets
[6]. As shown in fig. 2, a botnet is a set of internet-connected
devices connected through a bot controlled by a (C&C) botnet.
The botnet damages in many ways, including resource
depletion and service interruption [7]. One of the significant
security risks today is botnets, which carry out a variety of
malicious activities, including DDoS attacks, phishing, and
spamming [8]. A botnet may give access to the devices to an
attacker. Its owner could command it with the use of C&C
software. The term "botnet" is made out of the words "robot" Fig. 2. Botnet attack creation [1]

979-8-3503-3511-8/23/$31.00 ©2023 IEEE 235

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.
 5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-
qadisiyah University, Diwaniyah-Iraq

II. RELATED WORKS Additionally, Satish Pokhrel et al. [1] suggested a botnet
The detection of botnets and bots has been the subject of detection model depending on ANN where the author
much research published in the literature. Both the system and implements SMOTE data resampling method to resample
network levels of this issue have been covered in this research. real-time data into the class balance data. The authors employ
In a nutshell, traffic signature-based detection, anomaly-based an ANN and the BoT-IoT dataset. The authors model the
detection, graphs, and unsupervised and supervised ML are detection system using SMOTE and ANN. The suggested
essential for identifying botnets. Anomaly-based detection system's basic ANN configuration successfully detects DDoS
attempts to pinpoint improper activity depending on the attacks.
detected properties, like network latency, port numbers, or A. Sankaran et al. challenge the comparison regarding
traffic volume. Solutions that use signature-based detection shallow and deep neural networks utilizing datasets in [22].
are aware of the activities of a botnet and use that knowledge He could identify the four types of attacks and anomalies
to detect infected devices. Depending on mathematical using fog-to-things architecture. The system has achieved an
models, graph-based techniques can demonstrate the accuracy of 96.77% for shallow neural network models and
connections between various network nodes and then identify 98.27% for deep neural network models. Since IoT devices
bots. Entropy maps the level of network randomness and frequently have limited memory, another DL approach is also
communication interceptions between malicious devices [13]. suggested in [23] as a highly sufficient model to deploy for
Such a section mainly concentrates on ML-based methods for botnet detection. However, this approach is unsuitable for IoT
detecting botnets. They work with a lot of data and automate devices, so solutions like decreasing the dimension of features
classification quickly and forcefully for many scenarios. are frequently suggested as a workaround.
There is support for comprehending the efficacy of different
ML algorithms for early botnet detection. The most popular In the work shown in [24], ANN has been used to identify
ML-based methods concentrate on developing models for DDoS attacks. The Synthetic Minority Over-Sampling
differentiating between malicious and legitimate data flows Technique (SMOTE) has been employed to enhance the
[14]. These methods were used to foresee attacks based on bot number of normal cases to match the size of DDoS records
activity [15] [16]. Since it employs a set of labeled data before because the Bot-IoT dataset is unbalanced. For testing and
advising the model on how to categorize a new record, training, typical traffic occurrences increased to around
supervised machine learning trains its models. Numerous 656,000 and 1.3 million, respectively. Only binary
supervised ML algorithms exist. Reem, Alhajri, and classification was done by the suggested system, which has
colleagues conducted work focusing on ML methods for been trained on 66% of the dataset and tested on the rest of the
detecting security threats in IoT. Other authors have written 34%. The original 46 features have been just utilized in 41
reviews regarding botnet detection methods and detection features. The findings demonstrated that the SMOTE
approaches using ML [17]. It looks into whether auto- approach had a nearly 100% detection accuracy for DDoS
encoders could be used to find IoT botnets. It illustrated how attacks. The primary distinction between the efforts described
Botnets could grow DDoS attacks and pose a serious security in this part and the focus of this work is how various ML-
risk in the IoT networks because no one approach had proven based methods offered by multiple researchers utilized
effective in removing this security danger. The criteria for IoT different ML techniques to identify botnet activities. The
environments, like energy consumption and processing primary objective of this work is to identify features and
power, are frequently not addressed by such technologies. One strategies of ML methods that are best suited for tackling the
method for detecting botnets is to use auto-encoders. A survey botnet detection problem, as well as who should be
of the forensics and DL techniques used to study botnets and responsible for evaluating the results' accuracy.
their applicability in IoT systems was presented by Koroniotis III. RESEARCH MOTIVATION
et al. in [18]. Along with a taxonomy of the network forensic
solutions created for traditional and IoT environments, they The field of cyber-security and machine learning is always
established a new definition of IoT. The researchers also a challenging task for researchers. As a result, cybercriminals
looked into the applicability of DL in network forensics, the constantly research new approaches to identify weaknesses
intrinsic difficulties in adapting the network forensics methods and use them for nefarious and illegal purposes. For example,
to the Internet of Things, and the route that future research in the Malware-spreading technique is now growing in new and
this area should take. innovative manners. The malware is then used to carry out
further attacks like data exfiltration and denial of service
Gaonkar et al. summarized various methods for attacks utilizing or on compromised machines, building
identifying botnets in [19]. They concentrated on a DL method botnets similar to other cybercrimes. Often, these attackers
for real-time IoT-Bot detection. A survey on ML-based botnet want to steal something valuable or cause trouble for others.
detection strategies in SDN was done by Shinan et al. in [20], Therefore, machine learning was considered a solution to
where the solutions, current fixes, and potential future discover and treat the Botnet attacker.
research areas are examined and clarified. In a study published
in [21], Xing et al. examined and contrasted the most IV. BOTNETS LIFE CYCLE
significant current attempts in botnet detection. In addition to when the botmaster wants to infect another victim device,
categorizing botnet detection approaches, it researched the a botnet first infects a new device connected to the internet
basic properties of the botnet model, lifecycle, and C&C before injecting a few malicious codes. The victim device
channel. It concentrated on employing cutting-edge automatically connects with an operational C&C server when
technology for botnet detection, including complex networks, the malicious malware has been successfully injected. The
DL, moving target defense (MTD), swarm intelligence, and victim device becomes a zombie once malicious code has
SDN. been put into it. The botmaster issues orders to the bot army

236

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.
 5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-
qadisiyah University, Diwaniyah-Iraq

through the C&C server. According to instructions that the [25]. Hybrid architecture has two different kinds of bots: a
victim device receives from the C&C servers, this carries out servant bot and a client bot. The bots are linked to the hybrid
malicious actions. The final step is to keep the zombie active botnet as a servant or a client. Despite the less sophisticated
and periodically deliver updates to zombie devices [3]. design, detecting and monitoring botnets with hybrid
architectures are more complex than those with decentralized
V. BOTNET ARCHITECTURE and centralized systems [3].
Fig. 3 illustrates how the architectures of the individual
bots used to create a botnet are divided into three groups. VI. BOTNET THREATS
Finally, we offer a few techniques for classifying botnet A botnet is more dangerous than other common threats
architectures in this study, along with their benefits and like worms and viruses. The Honeynet experiment
drawbacks. demonstrated many botnet attacks, including spam, DDoS,
cyber warfare, resource exploitation, and the theft of sensitive
1) Centralized Architecture: The simplest for the data [26]. Other research has shown that botnets could be used
botmaster to control and manage is the centralized botnet to carry out a wide range of unlawful actions and many types
architecture. One central point known as the C&C server is of cybercrimes.
where the botmaster controls and manages all of the bots in
the botnet under centralized architecture. In the centralized A. Distributed Denial of Service
botnet model, all bots receive commands from a central point Botnets can launch DDOS attacks, where the victim's
known as a C&C server and report to it. In centralized botnet system is flooded with incoming traffic from many sources. A
architecture, two topologies are employed: hierarchical botnet's massive number gives the DDoS a lot of destructive
topology and star topology. HTTP and Internet Relay Chat potentials. By instructing the bot members to send a huge
(IRC) are the primary protocols utilized in a centralized volume of requests to the victim's system, botmasters can
architecture. However, because C&C is one point of failure, utilize the botnet to take down the victim's control system.
the centralized topology has this as its principal disadvantage Websites that offer gambling and gaming are instances of this
[3] [25]. attack. In addition, attack volume increased from 100Gbps to
2) Decentralized Architecture: No single entity in a 400Gbps globally between 2018 and 2019, and by 2023, the
decentralized or peer-to-peer architecture is in charge of overall number of DDoS attacks is projected to more than
managing the bots in a botnet. Various C&C bots engage in double, rising from 7.9 million in the year 2018 [26].
server communication. In comparison to centralized B. Spam
architecture, detecting such a botnet that uses decentralized
architecture is more complicated. There is no specific C&C Spam can be described as the term for unwanted emails
server in a decentralized architecture; all the bots function as that are delivered to many users and frequently contain
clients and C&C servers [3]. Because only a tiny percentage malicious links or ads. A botnet is the most secure choice for
of the botnet could be affected by the penetration of a single an attacker to employ as a platform for delivering spam
host, such architectures are highly resistant to takedown emails. The 600,000 bots in the "Grum" botnet network have
attempts even though they often have higher latencies than sent about 40 billion malicious emails. This attack started with
ideal regarding command distribution [25]. botmaster commands sent to the bots, which caused them to
send spam emails to the victim's address [2].
C. Information Stealing
A botmaster can have the ability to command the bots to
use techniques like log file reading, screen capture, and
keylogging to steal confidential information from
compromised hosts. An illustration of a botnet that uses
sophisticated keylogging software to gather private data is SD
Bot, which could then be sold to others for use in illegal
activities. Keylogging techniques are the primary tools of
Zeus Bots to access credit card data and private bank accounts.
As a result, the botmaster can gather passwords and usernames
from emails, bank websites, and social network accounts.
Additionally, before the web browser encrypts the data, the
bot could collect private user information from the Windows
API [2] [13].
D. Exploiting Resources
Hosts that have been compromised are used to carry out
illegal actions. For instance, bots have been employed on
Facebook and Twitter to vote for votes and increase the
number of followers. Additionally, a bot might regularly
browse a website using the victim's machine to raise the
Fig. 3. Botnet architecture [3] number of website users without permission [4].

3) Hybrid Architecture: To benefit from decentralized and

centralized architecture, hybrid architecture combines the two

237

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.
 5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-
qadisiyah University, Diwaniyah-Iraq

VII. BOTNET DETECTION three categories: anomaly-based, DNS, and signature-based

The biggest threat to cyber security today is the botnet. [28].
Because of its changing behavior, extensive network, and ● Signature-based
robustness, it has become the most attractive research topic for
detection. Botmasters create new encrypted botnet types that The term "signature" describes well-known traits or
could conceal their existence and become harder to track. patterns of threats from hackers against computer systems. It
Therefore, every company, person, and organization must be is feasible to differentiate between malicious and legitimate
able to recognize a botnet [2]. Based on prior work done, the activity by examining and contrasting specific patterns or
algorithms of botnet detection are grouped into two primary traits. On the other hand, since this approach cannot recognize
classes, which are: novel actions, traits, or patterns, detection through signature
has been uncommonly deployed for botnet detection. This is
Honeynet, Intrusion detection systems [27], as shown in why this strategy is sufficient in the identification of well-
Fig. 4. known bots. However, it is less effective in identifying new
and 0-day bots [28].
● DNS-based Detection
Methods for DNS-based detection have been based on
specific DNS data produced by botnets. As similar anomaly
detection algorithms are used for DNS traffic, DNS-based
detection methods are identical to anomaly detection methods.
For the connection of receiving commands, bots normally
connect to the C&C server first. The bots utilize DNS searches
to find appropriate C&C servers, commonly hosted by DDNS
providers, for accessing the C&C server. Consequently,
through monitoring DNS, it is feasible to detect anomalies in
DNS traffic and detect botnet DNS traffic [29].
● Anomaly Based
Working with network traffic monitoring is an anomaly-
based strategy. To identify a botnet, malicious traffic must be
distinguished from normal traffic. As a result, this method
captures network behavior [27]. Host- and network-based
techniques are subcategories of anomaly-based approaches
Fig. 4. Botnet detection methods classification [28]. The two types of passive base detection are ML-based
and protocol-based. The two most crucial choices for any ML
A. Honeynet-Based Detection activity will be which features to employ and which ML-
With honey wall and honeypot, honeynet-based detection Method (unsupervised, supervised) to choose [2].
is effective. This method is employed to identify and keep VIII. BOTNET DETECTION TECHNIQUES USING MACHINE
track of botnet activity. The word "honeypot" describes a
LEARNING
weak pot that is quickly vulnerable. It also has the potential to
join a botnet and is susceptible to infection by a botmaster. Decision trees, classifiers, and other ML methods are also
The software used to gather and manage honeypot data is employed to identify botnets since they are more effective at
called "honey wall." [27]. identifying bots than C&C servers. To detect IRC-based and
P2P botnets, various studies have used ML classifiers in
B. Intrusion detection systems (IDSs) conjunction with IRC logs. With the aid of classification tools,
An IDS can be defined as a machine of software or many traffic may be examined, discovering bot binaries
hardware that scans system services for malicious activity or simply [30]. There are several studies on this subject; Table I
policy violations and notifies the management site of any lists some essential studies with this focus.
occurrences. IDS detection approaches are further divided into
TABLE I : ML FOR BOTNET DETECTION AND EVALUATION
Re Feature ML Approach Dataset Results Recommendations
f.

[2] Source IP AdaBoost, Random Forest ISOT, CTU-13, CICDDoS2019, 100% We are reducing dependence on labels and
(twice), and SVM BoT-IoT improving the processing time of ANTE
to make the solution feasible online.
[7] packets naïve Bayes, KNN, logistic N-BaIoT 99% Uses various ML and DL models for
regression, decision tree, developing an integrated IoT security
random forest. CNN, RNN, framework that detects a variety of IoT
LSTM and botnet attacks

238

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.
 5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-
qadisiyah University, Diwaniyah-Iraq

[8] Packet, Time, decision tree ISOT dataset, ISCX 2012 IDS 99% Considering multidimensional snapshots
algorithm dataset of network traffic, conversation level
features, Fortifying machine learning-
based detection techniques with the
complementary security devices
[31 traffic packets feature selection. Using (PCA), the publicly available Cyber Clean 97.8% discovering the detection of botnets not
] port number Information Gain (IG). Feed Center (CCC) dataset just for centralized architecture but also to
features: Random Forest (RM), deal with decentralized architecture,
Support Vector Machine which is P2P-based botnets.
(SVM), Logistic Regression
(LR), and Multilayer Perceptron
(MLP)

[32 packets The DNN model has four hidden N-BaIoT, BoT-IoT 100% Representing the network flow in the form
] layers with 115, 256, 128, and of images and applying CNN can be
64 neurons at each layer. The utilized for analysis, and multi-modal
ReLU activation function learning can also be Employed to enhance
follows each hidden layer. the performance of the existing works.

Source and k-mean, Trees J48 ISOT dataset 90.2723 using efficient data partitioning policy for
[33 Destination IP % better result generation
] Address,

[34 traffic behavior Decision Tree ISOT dataset CTU dataset 98.7%. The researchers recommend using a
] decision tree for the multilayer technique
to detect P2P botnet traffic.

most important Artificial neural network N-BaIoT 99% investigate the normal track patterns on
[35 features (ANN), decision tree, and Naïve the different natures of IoT devices to
] (Packet, NW Bayes. extend the anomaly-sub-engine for
traffic) detecting unknown attacks electively.

[1] NW traffic K- Nearest Neighbour (KNN), BOT-IOT dataset 99.4% The authors recommend This model can
Naive Bayes, Multilayer be implemented with Software Defined
Perception, Artificial Neural Network (SDN).
Network

[11 network traffic. Logistic Regression (LR). collect data from the network 99.98%. The authors recommend implementing
] traffic data using port mirroring on more datasets to improve their work.
the switch through the
organizational traffic flows

[36 network traffic Deep Recurrent Neural Network Bot-IoT dataset 99.50% The detection models could be deployed
] data. (DRNN) precision, for
99.75% malicious activities and increase the
recall, trained model to minimize false alarms
while increasing the detection rate.
[37 Destination, Decision Tree, Random Forest, Two datasets, QB-CTU13 and F-score The author recommended botnet detection
] source IPs, the and k-Nearest Neighbor. EQB-CTU13. 85% over high-bandwidth traffic
protocol
network traffic Naïve Bayes, K-Nearest Two datasets Bot-IoT and Accuracy The authors recommended using other
[38 data. Neighbor, Support Vector University of New South Wales of datasets to compare the performance of
] Machine, and Decision Trees (UNSW) datasets, Training the algorithms with different kinds of
99.89%, botnet traffic. And they used unsupervised
Testing learning methods.
100%
network traffic Random Forest (RF) and Bot-IoT dataset 99% The authors recommend using Additional
[2 data Multilayer Perceptron (MLP) types of classifiers, especially deep
4] networks learning classifiers.

TABLE I indicates that there is interest in botnets, and there findings in our case are in the form of a "1," which indicates
are numerous methods for classification and detection. In the that an attack was identified or a "0," which means regular
past decade, ML has emerged as one of the most significant network traffic. There could be four conditions in the
methods for foe bot detection, utilizing at least one algorithm confusion matrix. True Positive (TP) The class feature where
to classify a data type as a bot or not based on the data type the attack was detected has been accurately identified by the
and the chosen feature. The investigations show that ML classifier. True Negative (TN) The class feature has a negative
algorithms perform well when compared with other detection value or normal traffic. False Positive (FP): When a typical
techniques, and the results are positive. Use the confusion stream of traffic is mistakenly classified as an attack by the
matrix, which has been utilized to compare the effectiveness classifier. False Negative (FN) A record of an attack is
of algorithms, for evaluation. The typical format is a table wrongly classified as regular traffic by the classifier. These
outlining the potential outcomes of a classification. When criteria allow us to develop seven measures that could be used
compared to the actual values regarding class features that are to evaluate classifiers: False Alarm Rate (FAR), Accuracy,
already present in the evaluation (i.e., testing) data set, the Specificity, Sensitivity, AUC, False Positive Rate (FPR), and

239

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.
 5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-
qadisiyah University, Diwaniyah-Iraq

Matthews Correlation Coefficient (MCC). The calculation for 2014 IEEE Conference on Communications and Network Security,
these two metrics follows The probability that a record, which IEEE, 2014, pp. 247--255.
could be either an attack or normal traffic, is correctly [9] S. a. J. S. a. A. A. a. A. M. a. N. J. a. o. Ahmad, "Analysis of intrusion
identified could serve as a proxy for accuracy. The results of detection approaches for network traffic anomalies with comparative
calculating overall accuracy are as follows: FAR represents analysis on botnets (2008--2020)," Security and Communication
Networks, vol. 2022, 2022.
the probability that a record will be erroneously categorized.
[10] S. a. B.-E. C. Miller, "The role of machine learning in botnet
Next, determine the sensitivity of each uncertain computer detection," in 2016 11th international conference for internet
input's impact on a specific model result. Demonstrate the technology and secured transactions (icitst), IEEE, 2016, pp. 359--
probability of test attacks with specificity without producing 364.
false-positive outcomes [12]. [11] Z. a. J. A. a. o. Ismail, "A review of machine learning application in
botnet detection system," Sindh University Research Journal-SURJ
IX. CONCLUSION (Science Series), vol. 48, no. 4D, 2016.
Regarding network security, this study especially focuses [12] T. A. a. L. H. V. a. S. L. H. a. K. R. a. P. I. a. S. N. T. K. Tuan,
on a survey of the various facets of defending networks and "Performance evaluation of Botnet DDoS attack detection using
machine learning," Evolutionary Intelligence, vol. 13, pp. 283--294,
recognizing the variances in attacks. To the best of our 2020.
knowledge, there appears to be a significant absence of in-
[13] Z. a. S. D. a. K. M. A. a. J. S. Abaid, "he early bird gets the botnet: A
depth and systematic research on different methods of botnet markov chain based early warning system for botnet attacks," in 2016
detection currently state of the art. This is more directly related IEEE 41st Conference on Local Computer Networks (LCN), IEEE,
to ML-based botnet detection. Also, it is evident from this 2016, pp. 61--68.
survey report that several concerns in network security, [14] S. a. T. I. a. G. A. a. S. B. a. Z. D. a. L. W. a. F. J. a. H. P. Saad,
specifically botnet attacks, require further study. It has "Detecting P2P botnets through network behavior analysis and
examined several methods for locating botnets. This study machine learning," in 2011 Ninth annual international conference on
believes that ML features for bot detection are the most privacy, security and trust, IEEE, 2011, pp. 174--180.
potential area for further research to overcome the constraints [15] Z. a. S. D. a. K. M. A. a. J. S. Abaid, "The early bird gets the botnet:
identified in this survey. While the table of botnet detection A markov chain based early warning system for botnet attacks," in
2016 IEEE 41st Conference on Local Computer Networks (LCN),
explains the features which reflect the real structure of IEEE, 2016, pp. 61--68.
communications, types of ML algorithms, descriptions,
[16] L. Y. F. a. K. S. Lu, "C&C session detection using random forest.," in
findings, and the authors' suggestions that overcome this topic, Proceedings of the 11th International Conference on Ubiquitous
it has shown that there are too many works for utilizing Information Management and Communication, 2017, pp. 1--6.
various types of ML algorithms for both detection goals. They [17] R. R. Z. a. F. A.-H. Alhajri, "Survey for anomaly detection of IoT
used hybrid, single, or multilayer ML algorithms and achieved botnets using machine learning auto-encoders," Int. J. Appl. Eng. Res,
good results. However, such findings were influenced by vol. 14, no. 10, pp. 2417--2421, 2019.
several factors that should be considered when using any [18] N. Koroniotis, "Designing an effective network forensic framework
detection methods based on the working environment. After for the investigation of botnets in the Internet of Things," UNSW
researching the assessment process, it became evident that the Sydney, 2020.
quality, types, and quantity of the data collection and the [19] S. a. D. N. F. a. C. J. a. B. A. a. A. S. a. S. P. Gaonkar, "A survey on
detection methods and features impacted the detection botnet detection techniques," in 2020 International Conference on
Emerging Trends in Information Technology and Engineering (ic-
outcome. ETITE), IEEE, 2020, pp. 1-6.
REFERENCES [20] K. a. A. K. a. A. A. a. A. M. U. Shinan, "Machine learning-based
botnet detection in software-defined network: a systematic review,"
Symmetry, vol. 6, no. 866, p. 13, 2012.
[1] S. a. A. R. a. A. B. Pokhrel, "IoT security: botnet detection in IoT [21] Y. a. S. H. a. Z. H. a. L. D. a. G. L. Xing, "Survey on botnet detection
using machine learning," arXiv preprint arXiv:2104.02231, 2021. techniques: Classification, methods, and evaluation}," Mathematical
[2] A. M. d. N. A. B. N. M. Araujo, "Autonomous machine learning for Problems in Engineering, vol. 2021, pp. 1--24, 2012.
early bot detection in the internet of things," Digital Communications [22] A. K. B. M. T. G. Y. A. Sankaran, "BOTNET DETECTION USING
and Networks, pp. 2352-8648, 2022. MACHINE LEARNING," International Research Journal of
[3] S. Z. J. Z. F. a. I. Z. Anwar, "A review paper on botnet and botnet Engineering and Technology (IRJET), vol. 7, no. 7, 2020.
detection techniques in cloud computing," Proceedings of the ISCI, , [23] M. a. G. I. a. K. S. a. A. I.-U. Lefoane, "Machine learning for botnet
pp. pp.28-29., 2014. detection: An optimized feature selection approach," in The 5th
[4] K. a. A. K. a. A. A. a. A. M. U. Shinan, "Machine learning-based International Conference on Future Networks \& Distributed Systems,
botnet detection in software-defined network: a systematic review," 2021, pp. 195--200.
Shinan, Khlood and Alsubhi, Khalid and Alzahrani, Ahmed and [24] A. e. a. t. d. I. b. a. u. m. learning, "An efficient approach to detect IoT
Ashraf, Muhammad Usman, vol. 13, no. 5, p. 866, 2021. botnet attacks using machine learning," Journal of High Speed
[5] S. S. a. S. R. M. a. P. R. C. a. S. R. M. Silva, "Botnets: A survey," Networks, vol. 26, no. 3, pp. 241--254, 2020.
Computer Networks, vol. 57, no. 2, pp. 378--403, 2013. [25] N. a. M. N. a. S. E. Koroniotis, "Forensics and deep learning
[6] X. a. H. J. a. C. Y. Dong, "Overview of botnet detection based on mechanisms for botnets in internet of things: A survey of challenges
machine learning," in 2018 3rd International Conference on and solutions," IEEE Access, vol. 7, pp. 61764--61785, 2019.
Mechanical, Control and Computer Engineering (ICMCCE), IEEE, [26] S. a. D. A. a. A. R. S. a. A. A. Gannarapu, "Bot detection using
2018, pp. 476--479. machine learning algorithms on social media platforms," in 2020 5th
[7] J. a. S. M. a. H. S. a. S. Y. a. C. E. Kim, "Intelligent detection of iot International Conference on Innovative Technologies in Intelligent
botnets using machine learning and deep learning," Applied Sciences, Systems and Industrial Applications (CITISIA), IEEE, 2020, pp. 1-8.
vol. 10, no. 19, p. 7009, 2020. [27] N. a. S. M. Kaur, "Botnet and botnet detection techniques in cyber
[8] E. B. a. J. H. H. a. S. N. a. G. A. A. Beigi, "Towards effective feature realm," in 2016 international conference on inventive computation
selection in machine learning-based botnet detection approaches," in technologies (ICICT), vol. 3, IEEE, 2016, pp. 1-7.

240

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.
 5th International Conference on Information Technology, Applied Mathematics and Statistics ( ICITAMS- 2023), AL-
qadisiyah University, Diwaniyah-Iraq

[28] A. a. S. R. B. a. S. M. a. S. S. A. A. a. A. I. a. A. N. B. Karim, "Botnet

detection techniques: review, future trends, and issues," Journal of
Zhejiang University SCIENCE C, vol. 15, pp. 943--983, 2014. [34] R. U. a. Z. X. a. K. R. a. S. A. a. G. N. A. a. A. M. Khan, "An adaptive
multi-layer botnet detection technique using machine learning
[29] M. a. S. A. a. R. S. Feily, "A survey of botnet and botnet detection," classifiers," Applied Sciences, vol. 9, no. 11, p. 2375, 2019.
in 2009 Third International Conference on Emerging Security
Information, Systems and Technologies, IEEE, 2019, pp. 268--273. [35] Y. N. a. F. Y. a. S. P. I. a. H. R. a. S. K. Soe, "Machine learning-based
IoT-botnet attack detection with sequential architecture," Sensors, vol.
[30] S. a. V. R. a. A. M. a. S. K. Sriram, "Network flow based IoT botnet 20, no. 16, p. 4372, 2020.
attack detection using deep learning," in IEEE INFOCOM 2020-IEEE
conference on computer communications workshops (INFOCOM [36] S. I. a. A. B. a. A. R. a. H. M. a. A. K. a. A. A. A. Popoola, "smote-
WKSHPS), IEEE, 2020, pp. 189--194. drnn: A deep learning algorithm for botnet detection in the internet-
of-things networks," Sensors}, vol. 21, no. 9, p. 2985, 2021.
[31] A. a. A. M. a. J. A. R. Muhammad, "Robust early stage botnet
detection using machine learning," in 2020 International Conference [37] J. a. G.-C. V. a. F. E. F. a. A. E. Velasco-Mata, "Efficient detection of
on Cyber Warfare and Security (ICCWS), IEEE, 2020, pp. 1-6. botnet traffic by features selection and decision trees," IEEE Access,
vol. 9, pp. 120567--120579, 2021.
[32] S. a. V. R. a. A. M. a. S. K. Sriram, "Network flow based IoT botnet
attack detection using deep learning," in IEEE INFOCOM 2020-IEEE [38] M. a. A. W. a. M. M. a. K. M. a. D. S. a. A. F. Alshamkhany, "Botnet
conference on computer communications workshops (INFOCOM attack detection using machine learning," in 2020 14th International
WKSHPS), IEEE, 2020, pp. 189--194. Conference on Innovations in Information Technology (IIT), IEEE,
2020, pp. 203--208.
[33] S. a. B.-E. C. Miller, "The role of machine learning in botnet
detection," in 2016 11th international conference for internet
technology and secured transactions (icitst), IEEE, 2016, pp. 359--
364.

241

Authorized licensed use limited to: ICIPE - Intl Centre of Insect Physiology & Ecology. Downloaded on October 21,2024 at 15:18:57 UTC from IEEE Xplore. Restrictions apply.