An intelligent multi-layer framework with SHAP integration for botnet detection and classification

Abstract

In increasingly interconnected digital world, the threat of cyber-attacks and data breaches are a pervasive and growing concern. The Botnets are the most dangerous threats that launch a wide range of cyberattacks such as distributed denial of service (DDoS) attacks, sending spam emails, spreading malware, and stealing sensitive information. The identification and categorization of botnets has become a highly complex and critical process due to the massive amount of network traffic generated every second. This paper presents a multilayer botnet detection and classification framework based on explainable machine learning algorithms. The proposed approach comprises of three distinct layers: Feature Selection Layer, Botnet Detection Layer and Botnet Classification Layer. The Feature Selection Layer reduces the dataset into six essential features, that enhance the accuracy and efficiency of the framework. The botnet detection layer detects botnet activity by filtering the reduced dataset into normal packets and botnet packets. The filtered botnet packets further examined by botnet classification layer to classify the botnet packets into different types of botnets. Moreover, SHAP (SHapley Additive exPlanations) technique is utilized to provide transparency to the model's decision-making process. To evaluate the effectiveness of the proposed model, NCC-2 and CTU-13 datasets are examined. 10-fold cross-validation technique is applied to validate the experimental findings. The average accuracy achieved by proposed approach in botnet detection stands impressively at 99.98%, while the average accuracy achieved in classifying botnet families is 99.30%, exhibiting an exceptional level of performance. The comparative analysis is performed which demonstrates its superiority over existing methods in terms of accuracy, precision, recall, F1-Score.