Nowadays, botnets have become one of the major threats to cyber security. The characteristics of botnets are mainly reflected in the bots' network behavior and their intercommunication relationships. Existing botnet detection methods use either flow features or topological features of the communication graph, overlooking the other type of feature, which limits model performance. In this paper, we propose a botnet detection model which uses a graph convolutional network (GCN) to deeply fuse flow features and topological features for the first time. We construct communication graphs from network traffic and represent nodes with flow features. Because existing public traffic flow datasets are imbalanced, a GCN model cannot be trained on them directly. Therefore, we use a balanced public communication graph dataset to pretrain a GCN model, thereby guaranteeing its capacity for recognizing topological features. We then feed the communication graph with flow features into the pretrained GCN. The output of the last hidden layer is treated as the fusion of flow and topological features. Additionally, by adjusting the number of layers in the GCN, the model can effectively detect botnets operating under both C2 and P2P structures. Validated on the public ISCX2014 dataset, our approach achieves an accuracy of 98.85% and a recall rate of 92.90% for C2 botnets, alongside an accuracy of 99.10% and a recall rate of 94.66% for P2P botnets. These results not only demonstrate the efficacy of our method, but also surpass the performance of the currently leading detection models.
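The pipeline the abstract describes (communication graph built from flows, per-node flow features, layer-wise GCN propagation whose depth sets how many hops of topology each node's embedding fuses), as an added illustration that is not the paper's code. The flow records are constructed, the node feature choice is an assumption, and identity weights stand in for the weights the paper obtains by pretraining.

```python
"""Communication graph from flow records, plus GCN-style propagation."""
from math import sqrt

# Constructed sample flows: (src, dst, bytes, packets). Hypothetical values:
# three hosts talking to one local hub that relays to an external address.
FLOWS = [
    ("10.0.0.1", "10.0.0.9", 1200, 10),
    ("10.0.0.2", "10.0.0.9", 1300, 11),
    ("10.0.0.3", "10.0.0.9", 1250, 10),
    ("10.0.0.9", "198.51.100.7", 4000, 40),
    ("10.0.0.5", "10.0.0.6", 50000, 300),
]

def build_graph(flows):
    """Undirected communication graph and per-node flow features
    [out_flows, in_flows, bytes_sent, bytes_received] (assumed feature set)."""
    adj, feat = {}, {}
    for src, dst, nbytes, _pkts in flows:
        for n in (src, dst):
            adj.setdefault(n, set())
            feat.setdefault(n, [0.0, 0.0, 0.0, 0.0])
        adj[src].add(dst)
        adj[dst].add(src)
        feat[src][0] += 1
        feat[src][2] += nbytes
        feat[dst][1] += 1
        feat[dst][3] += nbytes
    return adj, feat

def gcn_propagate(adj, feat, layers):
    """Apply `layers` rounds of ReLU(D^-1/2 (A+I) D^-1/2 H W) with W = I.
    Each layer mixes a node's features with its neighbors', so after k layers
    the embedding reflects the k-hop topology around the node."""
    h = {n: list(v) for n, v in feat.items()}
    deg = {n: len(adj[n]) + 1 for n in adj}  # +1 accounts for the self loop
    for _ in range(layers):
        nxt = {}
        for n in adj:
            acc = [0.0] * len(h[n])
            for m in adj[n] | {n}:
                w = 1.0 / sqrt(deg[n] * deg[m])  # symmetric normalisation
                for i, x in enumerate(h[m]):
                    acc[i] += w * x
            nxt[n] = [max(0.0, x) for x in acc]  # ReLU
        h = nxt
    return h

def receptive_field(adj, node, layers):
    """Nodes whose flow features reach `node` after `layers` GCN layers."""
    seen = {node}
    for _ in range(layers):
        seen |= {m for n in seen for m in adj[n]}
    return seen
```

With one layer a bot's embedding only sees its direct peers (enough for a star-shaped C2 graph); a P2P mesh needs more layers before the embedding covers the wider neighbourhood.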