Abstract

Malware in general, and botnets in particular, are major threats to cybersecurity. They use many sophisticated methods to bypass security systems, infect computers, and carry out attacks, sabotage, or espionage. Botnet detection is therefore a problem that scientists and cybersecurity specialists continually work on. DGA botnets are a group of common botnet families that share the same mechanism: each bot must connect back to its C&C server via DNS, using algorithmically generated domain names, to receive the commands it operates on. Many algorithms for detecting and classifying DGA botnets have been proposed and tested with good results. In this study, we apply such solutions to detect malicious IP addresses and botnet malware families. First, we evaluate the efficiency of two deep learning models, LA_Bin07 and LA_Mul07, on a new specialized dataset, UTL_DGA22. Next, we extend the experiment to the ISCX-Bot-2014 dataset. The results show that the LA_Bin07 and LA_Mul07 models both achieve high accuracy on the new dataset, 0.98 and 0.86 respectively. Experiments on the real-world dataset also give positive results, helping network administrators localize malicious IP addresses for deeper investigation. The proposed solution is effective enough to be applied as a module in cybersecurity products such as firewalls, intrusion detection and prevention systems, or unified threat management (UTM) appliances.
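The abstract describes DGA botnets by the property a detector exploits: the bot must resolve algorithmically generated domains to find its C&C server, so a host's DNS queries reveal the infection. The following is an added illustration, not code from the paper and not its LA_Bin07 or LA_Mul07 models: a simple heuristic scorer over the kinds of lexical features (label length, character entropy, vowel and digit ratios, consonant runs) that DGA classifiers commonly learn from, run over a handful of constructed DNS log lines to localize the querying IP address for investigation. The log format, thresholds, and sample domains are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log, one "source_ip queried_domain" per line.
# These lines are made up for the example; they are not from UTL_DGA22 or ISCX-Bot-2014.
SAMPLE_DNS_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 mail.google.com",
    "10.0.0.9 xk3jq9vbz2lm7pq.net",   # constructed DGA-looking label
    "10.0.0.9 qw8rtz1ypx4kvn6.com",   # constructed DGA-looking label
    "10.0.0.9 zzxq7k2mbvt9lwh.org",   # constructed DGA-looking label
    "10.0.0.12 github.com",
]

VOWELS = set("aeiou")


def second_level_label(domain):
    """Return the registrable label, e.g. 'example' for 'www.example.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_features(domain):
    """Lexical features of the second-level label used by the heuristic scorer."""
    label = second_level_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label) if label else 0.0
    # Longest run of characters that are neither vowels nor hyphens (digits count as non-vowels).
    runs = re.findall(r"[b-df-hj-np-tv-z0-9]+", label)
    longest_run = max((len(r) for r in runs), default=0)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio,
        "digit_ratio": digit_ratio,
        "longest_consonant_run": longest_run,
    }


def dga_score(domain):
    """Count how many DGA indicators a domain trips (0..5). Thresholds are assumed values."""
    f = dga_features(domain)
    score = 0
    score += f["length"] >= 12
    score += f["entropy"] >= 3.5
    score += f["vowel_ratio"] < 0.25
    score += f["digit_ratio"] > 0.1
    score += f["longest_consonant_run"] >= 5
    return int(score)


def is_dga_like(domain, threshold=3):
    return dga_score(domain) >= threshold


def suspicious_hosts(log_lines, min_hits=2):
    """Map source IP -> number of DGA-like queries, keeping hosts at or above min_hits.

    Requiring several hits per host mirrors the localization step in the abstract:
    a single odd lookup is noise, a stream of them points at an infected machine.
    """
    hits = Counter()
    for line in log_lines:
        src_ip, domain = line.split()
        if is_dga_like(domain):
            hits[src_ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for line in SAMPLE_DNS_LOG:
        ip, dom = line.split()
        print(f"{ip:10} {dom:24} score={dga_score(dom)} features={dga_features(dom)}")
    print("hosts to investigate:", suspicious_hosts(SAMPLE_DNS_LOG))
```

A real deployment would replace `dga_score` with the trained classifier's prediction and feed it from the resolver's query log; the per-host aggregation in `suspicious_hosts` is what turns per-domain verdicts into the malicious IP list an administrator acts on.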
