Performance evaluation of Botnet DDoS attack detection using machine learning

  • Tong Anh Tuan
  • Hoang Viet Long
  • Le Hoang Son
  • Raghvendra Kumar
  • Ishaani Priyadarshini
  • Nguyen Thi Kim SonEmail author
Special Issue


Botnet is regarded as one of the most sophisticated vulnerability threats nowadays. A large portion of network traffic is dominated by Botnets. Botnets are conglomeration of trade PCs (Bots) which are remotely controlled by their originator (BotMaster) under a Command and-Control (C&C) foundation. They are the keys to several Internet assaults like spams, Distributed Denial of Service Attacks (DDoS), rebate distortions, malwares and phishing. To over the problem of DDoS attack, various machine learning methods typically Support Vector Machine (SVM), Artificial Neural Network (ANN), Naïve Bayes (NB), Decision Tree (DT), and Unsupervised Learning (USML) (K-means, X-means etc.) were proposed. With the increasing popularity of Machine Learning in the field of Computer Security, it will be a remarkable accomplishment to carry out performance assessment of the machine learning methods given a common platform. This could assist developers in choosing a suitable method for their case studies and assist them in further research. This paper performed an experimental analysis of the machine learning methods for Botnet DDoS attack detection. The evaluation is done on the UNBS-NB 15 and KDD99 which are well-known publicity datasets for Botnet DDoS attack detection. Machine learning methods typically Support Vector Machine (SVM), Artificial Neural Network (ANN), Naïve Bayes (NB), Decision Tree (DT), and Unsupervised Learning (USML) are investigated for Accuracy, False Alarm Rate (FAR), Sensitivity, Specificity, False positive rate (FPR), AUC, and Matthews correlation coefficient (MCC) of datasets. Performance of KDD99 dataset has been experimentally shown to be better as compared to the UNBS-NB 15 dataset. This validation is significant in computer security and other related fields.


Botnet detection Command and control channel Distributed Denial of service attack Machine learning Unsupervised learning 


Compliance with ethical standards

Conflict of interest

The authors declare that they do not have any conflict of interests.

Human and animal rights

This research does not involve any human or animal participation. All authors have checked and agreed the submission.


  1. 1.
    Al-Jarrah OY, Alhussein O, Yoo PD, Muhaidat S, Taha K, Kim K (2016) Data randomization and cluster-based partitioning for Botnet intrusion detection. IEEE Trans Cybern 46(8):1796–1806CrossRefGoogle Scholar
  2. 2.
    Bhushan K, Gupta BB (2018) Distributed denial of service (DDoS) attack mitigation in software defined network (SDN)-based cloud computing environment. J Ambient Intell Humaniz Comput. CrossRefGoogle Scholar
  3. 3.
    Tom Ball (2018) Malicious Botnets responsible for 40% of global login attempts.
  4. 4.
    Nadji Y, Antonakakis M, Perdisci R, Dagon D, Lee W (2013) Beheading hydras: performing effective Botnet takedowns. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security, pp 121–132Google Scholar
  5. 5.
    Cao N, Li G, Zhu P, Sun Q, Wang Y, Li J, Zhao Y (2018) Handling the adversarial attacks. J Ambient Intell Humaniz Comput 1–15Google Scholar
  6. 6.
    Singh K, Guntuku SC, Thakur A, Hota C (2014) Big data analytics framework for peer-to-peer Botnet detection using random forests. Inf Sci 278:488–497CrossRefGoogle Scholar
  7. 7.
    Karim A, Salleh RB, Shiraz M, Shah SAA, Awan I, Anuar NB (2014) Botnet detection techniques: review, future trends, and issues. J Zhejiang Univ Sci C 15(11):943–983CrossRefGoogle Scholar
  8. 8.
    Pillutla H, Arjunan A (2018) Fuzzy self organizing maps-based DDoS mitigation mechanism for software defined networking in cloud computing. J Ambient Intell Humaniz Comput. CrossRefGoogle Scholar
  9. 9.
    Beitollahi H, Deconinck G (2014) Connection score: a statistical technique to resist application-layer ddos attacks. J Ambient Intell Humaniz Comput 5(3):425–442CrossRefGoogle Scholar
  10. 10.
    Rodríguez-Gómez RA, Maciá-Fernández G, García-Teodoro P (2013) Survey and taxonomy of Botnet research through life-cycle. ACM Comput Surv (CSUR) 45(4):45CrossRefGoogle Scholar
  11. 11.
    Reza M, Sobouti M, Raouf S, Javidan R (2016) Network traffic classification using machine learning techniques over software defined networks. Int J Adv Comput Sci Appl 8(7):220–225Google Scholar
  12. 12.
    Jha S, Kumar R, Son L, Abdel-Basset M, Priyadarshini I, Sharma R, Long H (2019) Deep learning approach for software maintainability metrics prediction. IEEE Access 7:61840–61855CrossRefGoogle Scholar
  13. 13.
    Pritam N, Khari M, Son L, Kumar R, Jha S, Priyadarshini I, Abdel-Basset M, Long H (2019) Assessment of code smell for predicting class change proneness using machine learning. IEEE Access 7:37414–37425CrossRefGoogle Scholar
  14. 14.
    Hoang X, Nguyen Q (2018) Botnet detection based on machine learning techniques using DNS query data. Future Internet MDPI 10(5):43CrossRefGoogle Scholar
  15. 15.
    Zekri M, Kafhali S, Aboutabit N, Saadi Y (2017) DDoS attack detection using machine learning techniques in cloud computing environments. In: 3rd international conference of cloud computing technologies and applications (CloudTech), pp 1–7.
  16. 16.
    Different types of bots. Retrieved from
  17. 17.
    Sarwar S, Zahoory A, Zahra A, Tariq S, Ahmed A (2014) BOTNET—threats and countermeasures. Int J Sci Res Develop 1(12):2682–2683Google Scholar
  18. 18.
    Gu G, Yegneswaran V, Porras P, Stoll J, Lee W (2009) Active Botnet probing to identify obscure command and control channels. In: Annual computer security applications conference, IEEE, pp 1–13Google Scholar
  19. 19.
    Erbacher R, Cutler A, Banerjee P, Marshall J (2008) A multi-layered approach to Botnet detection. In: 2007, proceedings of the 2008 international conference on security & management, SAM, 30:1–308Google Scholar
  20. 20.
    Wolff R, Hobert S, Schumann M (2019) How may i help you?—state of the art and open research questions for chatbots at the digital workplace. In: Hawaii international conference on system sciences, pp 95–104Google Scholar
  21. 21.
    Lu W, Tavallaee M, Ghorbani A (2009) Automatic discovery of Botnet communities on large-scale communication networks. In: Proceedings of the 4th international symposium on information, computer, and communications security, pp 1–10Google Scholar
  22. 22.
    Gupta S, Borkar D, Mello C, Patil S (2015) An E-commerce website based chatbot. Int J Comput Sci Inf Technol 6(2):1483–1485Google Scholar
  23. 23.
    Ceron J, Jessen K, Hoepers C, Granville L, Margi C (2019) Improving IoT Botnet investigation using an adaptive network layer. Sens MDPI 19(3):727CrossRefGoogle Scholar
  24. 24.
    Andriesse D, Rossow C, Stone-Gross B, Plohmann D, Bos H (2013) Highly resilient peer-to-peer Botnets are here: an analysis of Gameover Zeus. In: 2013 8th international conference on malicious and unwanted software [proceedings]: “The Americas”, MALWARE 2013. [6703693], ACM, IEEE Computer Society, Fajardo, pp 116–123Google Scholar
  25. 25.
    John J, Moshchuk A, Gribble S, Krishnamurthy A (2009) Studying spamming Botnets using Botlab. In: Proceedings of the 6th USENIX symposium on Networked systems design and implementation, pp 291–306Google Scholar
  26. 26.
    Boshmaf Y, Muslukhov I, Beznosov K, Ripeanu M (2013) Design and analysis of a social Botnet. Comput Netw 57(2):556–578CrossRefGoogle Scholar
  27. 27.
    Alomari E, Manickam S, Gupta BB, Karuppayah S, Alfaris R (2012) Botnet-based distributed denial of service (DDoS) attacks on web servers: classification and art. Preprint arXiv:1208.0403
  28. 28.
    Zhao D, Traore I, Ghorbani A, Sayed B, Saad S, Lu W (2012) Peer to peer Botnet detection based on flow intervals. Inf Secur Priv Res 87–102Google Scholar
  29. 29.
    Garasia SS, Rana DP, Mehta RG (2012) HTTP Botnet detection using frequent patternset mining. Proc Int J Eng Sci Adv Technol 2:619–624Google Scholar
  30. 30.
    Bilge L, Balzarotti D, Robertson W, Kirda E, Kruegel C (2012) Disclosure: detecting Botnet command and control servers through large-scale net flow analysis. In: Proceedings of the 28th annual computer security applications conference, ACM, pp 129–138Google Scholar
  31. 31.
    Thapngam T, Yu S, Zhou W, Makki S (2012) Distributed Denial of service (DDoS) detection by traffic pattern analysis. In: Peer-to-Peer networking and applications December 2014, Springer, Vol 7, Issue 4, pp 346–358Google Scholar
  32. 32.
    Feizollah A, Anuar NB, Salleh R, Amalina F, Shamshirband S (2013) A study of machine learning classifiers for anomaly-based mobile Botnet detection. Malaysian J Comput Sci 26(4):251–265Google Scholar
  33. 33.
    Zhao D, Traore I, Sayed B, Lu W, Saad S, & Ghorbani A, Garant D (2013) Botnet detection based on traffic behavior analysis and flow intervals. Comput Secur 39:2–16. CrossRefGoogle Scholar
  34. 34.
    Khattak S, Ramay NR, Khan KR, Syed AA, Khayam SA (2014) A taxonomy of Botnet behavior, detection, and defense. IEEE Commun Surv Tutor 16(2):898–924CrossRefGoogle Scholar
  35. 35.
    Lim S, Ha J, Kim H, Kim Y, Yang S (2014) A SDN-oriented DDoS blocking scheme for Botnet-based attacks. In: 2014 6th international conference on ubiquitous and future networks (ICUFN), IEEE, pp 63–68Google Scholar
  36. 36.
    Hoque N, Bhattacharyya DK, Kalita JK (2015) Botnet in DDoS attacks: trends and challenges. IEEE Commun Surv Tutor 17(4):2242–2270CrossRefGoogle Scholar
  37. 37.
    Sieklik B, Macfarlane R, Buchanan WJ (2016) Evaluation of TFTP DDoS amplification attack. Comput Secur 57:67–92CrossRefGoogle Scholar
  38. 38.
    Stevanovic M, Pedersen JM (2016) On the use of machine learning for identifying Botnet network traffic. J Cyber Secur Mob 4(2):1–32CrossRefGoogle Scholar
  39. 39.
    Sahay R, Blanc G, Zhang Z, Debar H (2017) ArOMA: an SDN based autonomic DDoS mitigation framework. Comput Secur 70:1–18. Scholar
  40. 40.
    Antonakakis M, April T, Bailey M, Bernhard M, Bursztein E, Cochran J, Kumar D (2017) Understanding the miraiBotnet. In: USENIX security symposiumGoogle Scholar
  41. 41.
    Wang TS, Lin HT, Cheng WT and Chen CY (2017) DBod: Clustering and detecting DGA-based botnets using DNS traffic analysis. Comput Secur 64:1–15CrossRefGoogle Scholar
  42. 42.
    Ali ST, Mc Corry P, Lee PHJ, Hao F (2017) Zombie Coin 2.0: managing next-generation Botnets using Bitcoin. Int J Inf Secur 1–12Google Scholar
  43. 43.
    Anagnostopoulos M, Kambourakis G, Gritzalis S (2016) New facets of mobile Botnet: architecture and evaluation. Int J Inf Secur 15(5):455–473CrossRefGoogle Scholar
  44. 44.
    Kirubavathi G, Anitha R (2018) Structural analysis and detection of android Botnets using machine learning techniques. Int J Inf Secur 17(2):153–167CrossRefGoogle Scholar
  45. 45.
    Pillutla H, Arjunan A (2018) Fuzzy self organizing maps-based DDoS mitigation mechanism for software defined networking in cloud computing. J Ambient Intell Humaniz Comput 1–13Google Scholar
  46. 46.
    Fok K, Zheng L, Watt K, Su L, Thing V (2018) Automated Botnet traffic detection via machine learning. In: Conference: TENCON 2018Google Scholar
  47. 47.
    Homayoun S, Ahmadzadeh M, Hashemi S, Dehghantanha A, Khayami R (2018) BoTShark: a deep learning approach for Botnet traffic detection. In: Dehghantanha A, Conti M, Dargahi T (eds) Cyber threat intelligence advances in information security, vol 70. Springer, ChamGoogle Scholar
  48. 48.
    Koroniotis N (2017) Towards developing network forensic mechanism for Botnet activities in the IoT based on machine learning techniques. Preprint arXiv:1711.02825
  49. 49.
    Nour M, Slay J (2015) UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military communications and information systems conference (MilCIS), IEEEGoogle Scholar
  50. 50.
  51. 51.
    Evgeniou T, Pontil M (2000) Support vector machines: theory and applications. In: 2000, Machine learning and its applications, advanced Lectures, pp 249–257CrossRefGoogle Scholar
  52. 52.
    Shiruru K (2016) An introduction to artificial neural network. Int J Adv Res Innov Ideas Edu 1(5):27–30Google Scholar
  53. 53.
    Taheri S, Mammadov M (2013) Learning the naive Bayes classifier with optimization models. Int J Appl Math Comput Sci 23(4):787–795MathSciNetCrossRefGoogle Scholar
  54. 54.
    Rokach L, Maimon O (2004) Decision Trees. The data mining and knowledge discovery handbook, In book, pp 165–192zbMATHGoogle Scholar
  55. 55.
    Khanum MA, Mahboob T, Imtiaz W, Ghafoor HA, Sehar R (2015) A survey on unsupervised machine learning algorithms for automation, classification and maintenance. Int J Comput Appl 119(13):34–39Google Scholar
  56. 56.
    Rodríguez J, Pérez A, Lozano JA (2010) Sensitivity analysis of k-fold cross validation in prediction error estimation. IEEE Trans Pattern Anal Mach Intell 32:569–575CrossRefGoogle Scholar
  57. 57.
    Nour M, Slay J (2016) The evaluation of network anomaly detection systems: statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf Secur J A Glob Perspect 25(13):18–31Google Scholar
  58. 58.
    Son NTK, Dong NP, Son LH, Long HV (2019) Towards granular calculus of single-valued neutrosophic functions under granular computing. Multimed Tools Appl. CrossRefGoogle Scholar
  59. 59.
    Son NTK, Dong NP, Long HV, Son LH, Khastan A (2019) Linear quadratic regulator problem governed by granular neutrosophic fractional differential equations. ISA Trans. CrossRefGoogle Scholar
  60. 60.
    Khan MMT, Singh K, Son LH, Abdel-Basset M, Long HV, Singh SP (2019) A novel and comprehensive trust estimation clustering based approach for large scale wireless sensor networks. IEEE Access 7:58221–58240CrossRefGoogle Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. 1.The People’s Police University of Technology and LogisticsThuận ThànhVietnam
  2. 2.VNU Information Technology InstituteVietnam National UniversityHanoiVietnam
  3. 3.Department of Computer Science and EngineeringLNCT CollegeBhopalIndia
  4. 4.University of DelawareNewarkUSA
  5. 5.Division of Computational Mathematics and Engineering, Institute for Computational ScienceTon Duc Thang UniversityHo Chi Minh CityVietnam
  6. 6.Faculty of Mathematics and StatisticsTon Duc Thang UniversityHo Chi Minh CityVietnam

Personalised recommendations