Towards Developing Network Forensic Mechanism for Botnet Activities in the IoT Based on Machine Learning Techniques

  • Nickolaos KoroniotisEmail author
  • Nour Moustafa
  • Elena Sitnikova
  • Jill Slay
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 235)


The IoT is a network of interconnected everyday objects called “things” that have been augmented with a small measure of computing capabilities. Lately, the IoT has been affected by a variety of different botnet activities. As botnets have been the cause of serious security risks and financial damage over the years, existing Network forensic techniques cannot identify and track current sophisticated methods of botnets. This is because commercial tools mainly depend on signature-based approaches that cannot discover new forms of botnet. In literature, several studies have conducted the use of Machine Learning (ML) techniques in order to train and validate a model for defining such attacks, but they still produce high false alarm rates with the challenge of investigating the tracks of botnets. This paper investigates the role of ML techniques for developing a Network forensic mechanism based on network flow identifiers that can track suspicious activities of botnets. The experimental results using the UNSW-NB15 dataset revealed that ML techniques with flow identifiers can effectively and efficiently detect botnets’ attacks and their tracks.


Botnets Attack investigation Machine learning Internet of Thing (IoT) 



Nickolaos Koroniotis would like to thank the Commonwealth’s support, which is provided to the aforementioned researcher in the form of an Australian Government Research Training Program Scholarship.


  1. 1.
    Silva, S.S.C., Silva, R.M.P., Pinto, R.C.G., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)CrossRefGoogle Scholar
  2. 2.
    Khattak, S., Ramay, N.R., Khan, K.R., Syed, A.A., Khayam, S.A.: A taxonomy of Botnet behavior, detection, and defense. IEEE Commun. Surv. Tutor. 16(2), 898–924 (2014)CrossRefGoogle Scholar
  3. 3.
    Negash, N., Che, X.: An overview of modern Botnets. Inf. Secur. J.: Glob. Perspect. 24(4–6), 127–132 (2015)Google Scholar
  4. 4.
    Amini, P., Araghizadeh, M.A., Azmi, R.: A survey on Botnet: classification, detection and defense. In: 2015 International Electronics Symposium (IES), pp. 233–238. IEEE (2015)Google Scholar
  5. 5.
    Goodman, N.: A survey of advances in Botnet technologies. arXiv preprint arXiv:1702.01132 (2017)
  6. 6.
    Sheen, S., Rajesh, R.: Network intrusion detection using feature selection and Decision tree classifier. In: TENCON 2008-2008 IEEE Region 10 Conference. IEEE (2008)Google Scholar
  7. 7.
    Chandrashekar, G., Sahin, F.: A survey on feature selection methods. Comput. Electr. Eng. 40(1), 16–28 (2014)CrossRefGoogle Scholar
  8. 8.
    Jović, A., Brkić, K., Bogunović, N.: A review of feature selection methods with applications. In: 2015 38th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). IEEE (2015)Google Scholar
  9. 9.
    Bhavsar, Y.B., Waghmare, K.C.: Intrusion detection system using data mining technique: support vector machine. Int. J. Emerg. Technol. Adv. Eng. 3(3), 581–586 (2013)Google Scholar
  10. 10.
    Area, S., Mesra, R.: Analysis of bayes, neural network and tree classifier of classification technique in data mining using WEKA (2012)Google Scholar
  11. 11.
    Sebastian, S., Puthiyidam, J.J.: Evaluating students performance by artificial neural network using weka. Int. J. Comput. Appl. 119(23) (2015)CrossRefGoogle Scholar
  12. 12.
    Xiao, L., Chen, Y., Chang, C.K.: Bayesian model averaging of Bayesian network classifiers for intrusion detection. In: 2014 IEEE 38th International Computer Software and Applications Conference Workshops (COMPSACW), pp. 128–133. IEEE (2014)Google Scholar
  13. 13.
    Moustafa, N., Slay, J.: The significant features of the UNSW-NB15 and the KDD99 data sets for network intrusion detection systems. In: 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS). IEEE (2015)Google Scholar
  14. 14.
    Moustafa, N., Slay, J.: UNSW-NB15: a comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set). In: Military Communications and Information Systems Conference (MilCIS), 2015. IEEE (2015)Google Scholar
  15. 15.
    Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTPOT: analysing the rise of IoT compromises. EMU 9, 1 (2015)Google Scholar
  16. 16.
    Ronen, E., Shamir, A., Weingarten, A.O., O’Flynn, C.: IoT goes nuclear: creating a ZigBee chain reaction. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 195–212 (2017)Google Scholar
  17. 17.
    Roux, J., Alata, E., Auriol, G., Nicomette, V., Kaâniche, M.: Toward an intrusion detection approach for IoT based on radio communications profiling. In: 13th European Dependable Computing Conference (2017)Google Scholar
  18. 18.
    Lin, K.C., Chen, S.Y., Hung, J.C.: Botnet detection using support vector machines with artificial fish swarm algorithm. J. Appl. Math. 2014, 9 (2014)Google Scholar
  19. 19.
    Greensmith, J.: Securing the Internet of Things with responsive artificial immune systems. In: Proceedings of the 2015 Annual Conference on Genetic and Evolutionary Computation, pp. 113–120. ACM (2015)Google Scholar
  20. 20.
    Pijpker, J., Vranken, H.: The role of internet service providers in botnet mitigation. In: Intelligence and Security Informatics Conference (EISIC), 2016 European. IEEE (2016)Google Scholar
  21. 21.
    Wang, X.-J., Wang, X.: Topology-assisted deterministic packet marking for IP traceback. J. China Univ. Posts Telecommun. 17(2), 116–121 (2010)CrossRefGoogle Scholar
  22. 22.
    Khan, S., Gani, A., Wahab, A.W.A., Shiraz, M., Ahmad, I.: Network forensics: review, taxonomy, and open challenges. J. Netw. Comput. Appl. 66, 214–235 (2016)CrossRefGoogle Scholar
  23. 23.
    Moustafa, N., Slay, J., Creech, G.: Novel geometric area analysis technique for anomaly detection using trapezoidal area estimation on large-scale networks. IEEE Trans. Big DataGoogle Scholar
  24. 24.
    Prakash, P.B., Krishna, E.S.P.: Achieving high accuracy in an attack-path reconstruction in marking on demand scheme. i-Manager’s J. Inf. Technol. 5(3), 24 (2016)Google Scholar
  25. 25.
    Sangkatsanee, P., Wattanapongsakorn, N., Charnsripinyo, C.: Practical real-time intrusion detection using machine learning approaches. Comput. Commun. 34(18), 2227–2235 (2011)CrossRefGoogle Scholar
  26. 26.
    Moustafa, N., Creech, G., Slay, J.: Big data analytics for intrusion detection system: statistical decision-making using finite dirichlet mixture models. In: Palomares Carrascosa, I., Kalutarage, H.K., Huang, Y. (eds.) Data Analytics and Decision Support for Cybersecurity. DA, pp. 127–156. Springer, Cham (2017). Scholar
  27. 27.
    Bansal, S., Qaiser, M., Khatri, S., Bijalwan, A.: Botnet Forensics Framework: Is Your System a Bot. In: 2015 Second International Conference on Advances in Computing and Communication Engineering, Dehradun, 2015, pp. 535–540 (2015)Google Scholar
  28. 28.
    Moustafa, N., Slay, J.: A hybrid feature selection for network intrusion detection systems: central points. arXiv preprint arXiv:1707.05505 (2017)
  29. 29.
    Divakaran, D.M., Fok, K.W., Nevat, I., Thing, V.L.L.: Evidence gathering for network security and forensics. Digit. Investig. 20(S), S56–S65 (2017)CrossRefGoogle Scholar
  30. 30.
    Wang, K., Du, M., Sun, Y., Vinel, A., Zhang, Y.: Attack detection and distributed forensics in machine-to-machine networks. IEEE Netw. 30(6), 49–55 (2016)CrossRefGoogle Scholar
  31. 31.
    Moustaf, N., Slay, J.: Creating novel features to anomaly network detection using darpa-2009 data set. In: Proceedings of the 14th European Conference on Cyber Warfare and Security. Academic Conferences Limited (2015)Google Scholar
  32. 32.
    Rose, K., Eldridge, S., Chapin, L.: The Internet of Things: an overview (2015)Google Scholar
  33. 33.
    Hossain, M.M., Fotouhi, M., Hasan, R.: Towards an analysis of security issues, challenges, and open problems in the internet of things. In: 2015 IEEE World Congress on Services, New York City, NY, pp. 21–28 (2015)Google Scholar
  34. 34.
    Shattuck, J., Boddy, S.: Threat Analysis Report DDoS’s Latest Minions: IoT Devices. F5 LABS, vol. 1 (2016)Google Scholar
  35. 35.
    Schneier, B.: Botnets of things. MIT Technol. Rev. 120(2), 88–91 (2017). Business Source Premier, EBSCOhost. Accessed 24 Aug 2017Google Scholar
  36. 36.
    Ronen, E., O’Flynn, C., Shamir, A., Weingarten, A.-O.: IoT goes nuclear: creating a ZigBee chain reaction. In: Cryptology ePrint Archive, Report 2016/1047 (2016)Google Scholar
  37. 37.
    Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTPOT: analysing the rise of IoT compromises. In: Francillon, A., Ptacek, T. (eds.). Proceedings of the 9th USENIX Conference on Offensive Technologies (WOOT 2015). USENIX Association, Berkeley, CA, USA, p. 9 (2015)Google Scholar
  38. 38.
    Rahimian, A., Ziarati, R., Preda, S., Debbabi, M.: On the reverse engineering of the citadel botnet. In: Danger, J.-L., Debbabi, M., Marion, J.-Y., Garcia-Alfaro, J., Zincir Heywood, N. (eds.) FPS -2013. LNCS, vol. 8352, pp. 408–425. Springer, Cham (2014). Scholar
  39. 39.
    Houmansadr, A., Borisov, N.: BotMosaic: collaborative network watermark for the detection of IRC-based botnets. J. Syst. Softw. 86(3), 707–715 (2013). ISSN 0164-1212CrossRefGoogle Scholar
  40. 40.
    Weka tool. Accessed Aug 2017
  41. 41.
    Moustafa, N., Slay, J.: The evaluation of network anomaly detection systems: statistical analysis of the UNSW-NB15 data set and the comparison with the KDD99 data set. Inf. Secur. J.: Glob. Perspect. 25(1–3), 18–31 (2016)Google Scholar

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  • Nickolaos Koroniotis
    • 1
    Email author
  • Nour Moustafa
    • 1
  • Elena Sitnikova
    • 1
  • Jill Slay
    • 1
  1. 1.School of Engineering and Information TechnologyUniversity of New South Wales CanberraCanberraAustralia

Personalised recommendations