Pattern-based Botnet Detection Using Network Flow Analysis and Deep Learning Techniques

Publication Date

Spring 5-25-2021

Degree Type

Master's Project

Degree Name

Master of Science in Computer Science (MSCS)


Computer Science

First Advisor

Fabio Di Troia

Second Advisor

Thomas Austin

Third Advisor

Navrati Saxena


botnet, malware, command and control (C&C) server, network flow, deep learning, classification based detection


In modern technology, botnet attacks pose a serious threat to the Internet infrastructure and its users. Botnets are operated through a command and control (C&C) channel which uniquely distinguishes it from other typical malwares. The C&C server sends commands to execute malicious activities to the botnets using commonly used Internet protocols like Hypertext transfer (HTTP) or Internet Relay Chat (IRC). Since these protocols are common, detecting botnet activities has been a challenge. This research project proposes an approach to identify the IP addresses of C&C servers and infected hosts in a network, without prior knowledge of their IP addresses or the type of the botnet. The approach is based on the observation that there are unique patterns in the communication between C&C server and bots which could be used to distinguish botnets from other normal or background traffic. Regular botnet activities like orchestrated attacks, heartbeat signals, or periodic distribution of commands are the main causes that produce such patterns. This project analyzes the network flow in a network with the focus of finding patterns. Deep learning techniques are applied on the extracted patterns to classify potential botnet traffics. The results show this pattern-based botnet detection technique is able to achieve high classification accuracy with low false positive rate.

This document is currently not available here.