Abstract

Distributed denial-of-service attacks are one of many kinds of malicious attempt to make target services unavailable to legitimate users: a large number of bots send service requests that exceed the processing capacity of the services. Detection of botnet traffic is therefore critical to maintaining the availability and quality of the services. In addition, identifying the type of botnet attack helps system administrators quickly determine which part of the computer and network system is under attack. Current work focuses on rule-based detection, which sets rules in the network firewall to drop suspicious traffic that matches the rules. With the emergence of machine learning and deep learning (ML/DL), several preliminary works have been developed to learn botnet traffic behavior and perform detection. However, the performance of existing ML/DL models can be further improved, and their decisions and predictions are not transparent, making it hard for users to interpret and trust the results. In this work, we develop a novel deep learning model for botnet detection and classification, combined with the ability to explain the decisions of the model. We first leverage a latent representation of traffic features, generated using convolutional neural networks, to detect whether a traffic record is generated by a bot, and then determine the type of bot. We adopt an existing explainable framework to interpret the predictions of the developed deep learning model. We perform extensive experiments with real network traffic as well as synthetic traffic generated by the IXIA BreakingPoint System. We compare the developed model with existing models on various performance metrics. The experimental results show that the developed model outperforms the existing machine learning models with an improvement of up to 15% for all performance metrics while providing a clear explanation of the model decision.
