當前的殭屍網絡檢測研究遇到了一些問題和限制，包括殭屍網絡的快速增長、利用合成數據集來驗證性能、數據不平衡和辨別新殭屍網絡類別之後的模型更新。在此之前我們提出了一個基於 BotCluster 的串聯多類殭屍網絡分類器。它可以達到整體 84.72% F1-Score。然而，由於其結構的性質，它會遭受性能下降的影響。為了解決上述問題，我們打算利用基於 BotCluster 的並行結構多類型殭屍網絡分類器。該結構由多個並行的二進制殭屍網絡分類器組成，每個分類器負責檢測特定的殭屍網絡類別。此外，我們使用了一個 SMOTE-ENN 採樣模塊來減少數據不平衡和一個預測聚合模塊來修復不明確的標籤。實驗結果表明，應用 SMOTE-ENN 和預測聚合後，F1 的整體得分可以達到 90%。對於少數類標籤，超過一半的個別殭屍網絡分類器的召回率增加了 10% 以上。結果證明，我們的系統不僅能夠檢測現實世界流量中的殭屍網絡，還可以檢測不平衡數據集下的殭屍網絡。

Current botnet detection research runs into some problems and limitations, including rapid growth of botnet, performance verification with synthetic datasets, data imbalance, and model update after identifying new bot classes. Previously we proposed a BotCluster-based series multiclass botnet classifier. It can achieve an overall 84.72% F1-Score. However, due to the nature of its structures, it would suffer from performance degradation. To address these aforementioned issues, we intend to utilize a parallel structure multi-type botnet classifier based on BotCluster. The structure consists of multiple binary botnet classifiers in parallel, with each responsible for detecting a specific bot class. In addition, we employed a SMOTE-ENN sampling module to reduce data imbalance and a prediction aggregation module to fix ambiguous labels. Experiment results show that the overall F1 score of can achieve 90% after applying SMOTE-ENN and prediction aggregation. For the minority class labels, the recall rates increased by over 10% for over half of those individual classifiers. The results prove that not only is our system capable of detecting bots in real-world traffic, it can also detect bots under imbalance datasets.

[1] C.-Y. Wang, C.-L. Ou, Y.-E. Zhang, F.-M. Cho, P.-H. Chen, J.-B. Chang, and C.-K. Shieh, “BotCluster: A session-based p2p botnet clustering system on NetFlow,” Computer Networks, vol. 145, pp. 175–189, 2018.
[2] A. Ram, S. Jalal, A. Jalal, and M. Kumar, "A Density Based Algorithm for Discovering Density Varied Clusters in Large Spatial Databases", International Journal of Computer Applications, vol. 3, no. 6, pp. 1-4, 2010. Available: 10.5120/739-1038.
[3] W.-Y. Chen, “A Multi-Type Botnet Classifier for Real Traffic Based on
BotCluster”, PhD diss.,2020.
[4] F. Tariq and S. Baig, " Multiclass Machine learning based botnet detection in software defined networks", International Journal of Security and Its Applications, vol. 11, no. 11, pp. 1-12, 2017. Available: 10.14257/ijsia.2017.11.11.01.
[5] I. Ullah, A. Ullah and M. Sajjad, "A Two-Level Hybrid Model for Anomalous Activity Detection in IoT Networks", IoT, vol. 2, no. 3, pp. 428-448, 2021. Available: 10.3390/iot2030022.
[6] D. Tran, H. Mac, V. Tong, H. Tran, and L. Nguyen, "A LSTM based framework for handling multiclass imbalance in DGA botnet detection", Neurocomputing, vol. 275, pp. 2401-2413, 2018. Available: 10.1016/j.neucom.2017.11.018.
[7] H. Chunduri, T. Gireesh Kumar, and P. V. Charan, “A multi class classification for detection of IOT botnet malware,” Communications in Computer and Information Science, pp. 17–29, 2021.
[8] M. Mbow, H. Koide, and K. Sakurai, “Handling class imbalance problem in intrusion detection system based on Deep Learning,” International Journal of Networking and Computing, vol. 12, no. 2, pp. 467–492, 2022.
[9] N. V. Chawla, K. W. Bowyer, L. O. Hall, and W. P. Kegelmeyer, “Smote: Synthetic minority over-sampling technique,” Journal of Artificial Intelligence Research, vol. 16, pp. 321–357, 2002.
[10] R. Alejo, J. M. Sotoca, R. M. Valdovinos, and P. Toribio, “Edited nearest neighbor rule for improving neural networks classifications,” Advances in Neural Networks - ISNN 2010, pp. 303–310, 2010.
[11] Stratosphere IPS. (2020). CTU-13 Dataset — Stratosphere IPS. [online] Available at: https://www.stratosphereips.org/datasets-ctu13
[12] Malware Capture Facility Project (2020) – [online] Available at: https://www.stratosphereips.org/datasets-malware
[13] “S. Saad, I. Traore, A. A. Ghorbani, B. Sayed, D. Zhao, W. Lu, J. Felix, P. Hakimian, "Detecting P2P botnets through network behavior analysis and machine learning", Proceedings of 9th Annual Conference on Privacy, Security and Trust (PST2011), July 19-21, 2011.
[14] S. Garcia, M. Grill, J. Stiborek and A. Zunino, "An empirical comparison of botnet detection methods" Computers and Security Journal, Elsevier. Vol 45, pp 100-123, 2014.
[15] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization”, 4th International Conference on Information Systems Security and Privacy (ICISSP), Portugal, January 2018.
[16] N. Moustafa and J. Slay. "UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set)." Military Communications and Information Systems Conference (MilCIS), 2015.
[17] S. Garcia, A. Parmisano, & M. J. Erquiaga. “IoT-23: A labeled dataset with malicious and benign IoT network traffic (Version 1.0.0) [Data set].” Zenodo, 2020.
[18] A. Guerra-Manzanares, J. Medina-Galindo, H. Bahsi, and S. Nõmm, “MedBIoT: Generation of an IoT Botnet Dataset in a Medium-sized IoT Network.” In Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1, pp. 207-218, 2020.
[19] M. Tavallaee, E. Bagheri, W. Lu, and A. Ghorbani, “A Detailed Analysis of the KDD CUP 99 Data Set,” Submitted to Second IEEE Symposium on Computational Intelligence for Security and Defense Applications (CISDA), 2009.
[20] I. Sharafaldin, A. H. Lashkari, and A. A. Ghorbani, “Toward Generating a New Intrusion Detection Dataset and Intrusion Traffic Characterization”, 4th International Conference on Information Systems Security and Privacy (ICISSP), Portugal. 2018.
[21] H. Alzahrani, M. Abulkhair, and E. Alkayal, “A Multi-Class Neural Network Model for Rapid Detection of IoT Botnet Attacks”, International Journal of Advanced Computer Science and Applications(IJACSA), Portugal. 2018.
[22] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the internet of things using deep learning approaches,” International Joint Conference on Neural Networks (IJCNN), pp. 1–8, July 2018.
[23] T. Le, Y. E. Oktian, and H. Kim, “XGBoost for Imbalanced Multiclass Classification-Based Industrial Internet of Things Intrusion Detection Systems”, Sustainability, 2022, 14, 8707. doi: https:// doi.org/10.3390/su14148707
[24] M. Al-Hawawreh, E. Sitnikova, and N. Aboutorab, "X-IIoTID: A Connectivity- and Device-agnostic Intrusion Dataset for Industrial Internet of Things", IEEE Dataport, July 30, 2021,doi: https://dx.doi.org/10.21227/mpb6-py55.
[25] N. Moustafa. "A new distributed architecture for evaluating AI-based security systems at the edge: Network TON_IoT datasets." Sustainable Cities and Society , 2021.