Detecting Botnets Through Deep Learning and Network Flow Analysis

Document Type

Contribution to a Book

Publication Title

Advances in Information Security





Botnet attacks pose a serious threat to the Internet infrastructure and its users. Botnets are operated through a command and control (C&C) channel, which distinguishes them from other typical malware threats. The C&C server sends commands to the bots to execute malicious activities using common Internet protocols, such as Hypertext Transfer Protocol (HTTP) and Internet Relay Chat (IRC). Since these protocols are common, detecting botnet activities has been a challenge. This paper proposes an approach to identify the IP addresses of C&C servers and infected hosts in a network, without prior knowledge of the addresses or the type of the botnet. The approach is based on the observation that there are unique patterns in the communication between the C&C server and bots which could be used to distinguish botnets from the background traffic. Regular botnet activities such as orchestrated attacks, heartbeat signals, or periodic distribution of commands are the main causes that produce such patterns. Deep learning techniques are applied to the extracted patterns to classify potential botnet traffic. The results show this pattern-based botnet detection technique is able to achieve high classification accuracy with a low false positive rate.
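The heartbeat observation in the abstract can be illustrated with a small flow-timing check. This is an added example, not the chapter's method or code: it replaces the deep learning classifier with a simple inter-arrival regularity score, and the flow records, addresses, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (start_time_s, src_ip, dst_ip); documentation-range
# addresses, not data from the chapter.
FLOWS = (
    [(60.0 * i + i % 3, "10.0.0.5", "203.0.113.7") for i in range(12)]          # ~60 s heartbeat
    + [(7.0 + 60.0 * i + i % 2, "10.0.0.9", "203.0.113.7") for i in range(12)]  # ~60 s heartbeat
    + [(t, "10.0.0.5", "198.51.100.20") for t in (3.0, 10.0, 95.0, 101.0, 340.0, 360.0, 700.0, 702.0)]
    + [(t, "10.0.0.7", "198.51.100.20") for t in (15.0, 200.0, 215.0, 480.0, 610.0, 611.0)]
    + [(t, "10.0.0.7", "203.0.113.99") for t in (5.0, 65.0)]  # too few flows to judge
)

def periodic_pairs(flows, min_flows=6, max_cv=0.1):
    """Return {(src, dst): (mean_gap_s, cv)} for pairs with near-periodic flow starts.

    cv is the coefficient of variation of the gaps between consecutive flows;
    a value near 0 means evenly spaced, heartbeat-like traffic.
    The thresholds are assumed values chosen for the sample data.
    """
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    result = {}
    for pair, stamps in times.items():
        if len(stamps) < min_flows:
            continue  # not enough observations for a stable estimate
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all flows share one timestamp; no period to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            result[pair] = (avg, cv)
    return result

def candidate_servers(flows, min_hosts=2, **kwargs):
    """Map each destination contacted periodically by >= min_hosts sources to those sources."""
    by_dst = defaultdict(set)
    for src, dst in periodic_pairs(flows, **kwargs):
        by_dst[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}

if __name__ == "__main__":
    for server, hosts in candidate_servers(FLOWS).items():
        print(f"candidate C&C {server}: periodic contact from {hosts}")
```

Legitimate periodic traffic such as NTP, update checks and monitoring agents scores the same way, so a score like this is only an input feature for a classifier or an analyst, not a verdict.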


Computer Science