Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Sajjad Arshad,Maghsoud Abbaspour,Mehdi Kharrazi,Hooman Sanatkar

DOI: https://doi.org/10.1109/ICCAIE.2011.6162198

2018-11-02

Abstract:Botnets (networks of compromised computers) are often used for malicious activities such as spam, click fraud, identity theft, phishing, and distributed denial of service (DDoS) attacks. Most of previous researches have introduced fully or partially signature-based botnet detection approaches. In this paper, we propose a fully anomaly-based approach that requires no a priori knowledge of bot signatures, botnet C&C protocols, and C&C server addresses. We start from inherent characteristics of botnets. Bots connect to the C&C channel and execute the received commands. Bots belonging to the same botnet receive the same commands that causes them having similar netflows characteristics and performing same attacks. Our method clusters bots with similar netflows and attacks in different time windows and perform correlation to identify bot infected hosts. We have developed a prototype system and evaluated it with real-world traces including normal traffic and several real-world botnet traces. The results show that our approach has high detection accuracy and low false positive.

Cryptography and Security

Guangli Wu,Xingyue Wang,Qian Lu,Hanlin Zhang

DOI: https://doi.org/10.1016/j.eswa.2024.123384

IF: 8.5

2024-02-11

Expert Systems with Applications

Abstract:A botnet is a group of hijacked devices that conduct various cyberattacks, which is one of the most dangerous threats on the internet. Individuals or organizations can effectively detect botnets by analyzing abnormal behaviors in network traffic. Existing works focus on extracting the deterministic behavioral features, which highly rely on statistical features and existing botnet interaction structures, resulting in unsatisfactory detection accuracy, especially for unknown botnet traffic. The botnet detection method based on the original traffic bytes has more advantages in this regard, especially the use of mining payload information in the traffic to enhance the identification of abnormal botnet behavior is the focus of this study. In this paper, we propose a dual-mode botnet detection scheme, which takes the original traffic bytes as the object, one is to encode the implicit semantic relationship between the traffic bytes through a multi-layer Transformer encoder, and the other is the network traffic Image representation, the spatial relationship of traffic bytes is captured by a deep neural network, and then botnet detection is achieved by maximizing the mutual information between the two. We conduct comprehensive experiments with both known botnets and unknown botnets to evaluate our scheme. Experimental results show that for known botnets, our approach achieves 99.84% and 91.92% detection accuracy with CTU-13 and ISCX-2014 datasets, respectively, which is 3.04% and 2.54% more accurate compared with the state-of-art (DL). For unknown datasets, our scheme is 10.19% more accurate than the existing traffic representation.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Ahmed M. Manasrah,Awsan Hasan,Omar Amer Abouabdalla,Sureswaran Ramadass

DOI: https://doi.org/10.48550/arXiv.0911.0487

2009-11-03

Networking and Internet Architecture

Abstract:IThe botnet is considered as a critical issue of the Internet due to its fast growing mechanism and affect. Recently, Botnets have utilized the DNS and query DNS server just like any legitimate hosts. In this case, it is difficult to distinguish between the legitimate DNS traffic and illegitimate DNS traffic. It is important to build a suitable solution for botnet detection in the DNS traffic and consequently protect the network from the malicious Botnets activities. In this paper, a simple mechanism is proposed to monitors the DNS traffic and detects the abnormal DNS traffic issued by the botnet based on the fact that botnets appear as a group of hosts periodically. The proposed mechanism is also able to classify the DNS traffic requested by group of hosts (group behavior) and single hosts (individual behavior), consequently detect the abnormal domain name issued by the malicious Botnets. Finally, the experimental results proved that the proposed mechanism is robust and able to classify DNS traffic, and efficiently detects the botnet activity with average detection rate of 89 percent.

FAN Yi-yan,WU Guo-rui,CHEN Jian-li,TANG Bo

DOI: https://doi.org/10.16208/j.issn1000-7024.2011.09.064

2011-01-01

Abstract:The contemporary IRC botnet detection methods are not suitable for botnet detection under infrequently command and control interactions.To detect small stealthy botnet,a botnet detection model based on sequential analysis is proposed,which is a complement to contemporary passive detection technologies.Several probe methods and detection algorithms are discussed considering response types of clients,and average round of detection is analyzed,only small portion of command and control interactions are observed to declare single or multiple IRC bot.The results show that botnet detection is completed in expected round under controlled false positive rate and false negative rate.

Swechchha Gupta,Singh,Buddha Singh

DOI: https://doi.org/10.1016/j.cose.2024.103783

IF: 5.105

2024-02-01

Computers & Security

Abstract:In increasingly interconnected digital world, the threat of cyber-attacks and data breaches are a pervasive and growing concern. The Botnets are the most dangerous threats that launch a wide range of cyberattacks such as distributed denial of service (DDoS) attacks, sending spam emails, spreading malware, and stealing sensitive information. The identification and categorization of botnets has become a highly complex and critical process due to the massive amount of network traffic generated every second. This paper presents a multilayer botnet detection and classification framework based on explainable machine learning algorithms. The proposed approach comprises of three distinct layers: Feature Selection Layer, Botnet Detection Layer and Botnet Classification Layer. The Feature Selection Layer reduces the dataset into six essential features, that enhance the accuracy and efficiency of the framework. The botnet detection layer detects botnet activity by filtering the reduced dataset into normal packets and botnet packets. The filtered botnet packets further examined by botnet classification layer to classify the botnet packets into different types of botnets. Moreover, SHAP (SHapley Additive exPlanations) technique is utilized to provide transparency to the model's decision-making process. To evaluate the effectiveness of the proposed model, NCC-2 and CTU-13 datasets are examined. 10-fold cross-validation technique is applied to validate the experimental findings. The average accuracy achieved by proposed approach in botnet detection stands impressively at 99.98%, while the average accuracy achieved in classifying botnet families is 99.30%, exhibiting an exceptional level of performance. The comparative analysis is performed which demonstrates its superiority over existing methods in terms of accuracy, precision, recall, F1-Score.

computer science, information systems

Peng Hui Li,Jie Xu,Zhong Yi Xu,Su Chen,Bo Wei Niu,Jie Yin,Xiao Feng Sun,Hao Liang Lan,Lu Lu Chen

DOI: https://doi.org/10.32604/cmc.2022.029969

2022-01-01

Abstract:At present, the severe network security situation has put forward high requirements for network security defense technology. In order to automate botnet threat warning, this paper researches the types and characteristics of Botnet. Botnet has special characteristics in attributes such as packets, attack time interval, and packet size. In this paper, the attack data is annotated by means of string recognition and expert screening. The attack features are extracted from the labeled attack data, and then use K-means for cluster analysis. The clustering results show that the same attack data has its unique characteristics, and the automatic identification of network attacks is realized based on these characteristics. At the same time, based on the collection and attribute extraction of Botnet attack data, this paper uses RF, GBM, XGBOOST and other machine learning models to test the warning results, and automatically analyzes the attack by importing attack data. In the early warning analysis results, the accuracy rates of different models are obtained. Through the descriptive values of the three accuracy rates of Accuracy, Precision, and F1_Score, the early warning effect of each model can be comprehensively displayed. Among the five algorithms used in this paper, three have an accuracy rate of over 90%. The three models with the highest accuracy are used in the early warning model. The research shows that cyberattacks can be accurately predicted. When this technology is applied to the protection system, accurate early warning can be given before a network attack is launched.

computer science, information systems,materials science, multidisciplinary

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Abdelaziz Amara korba,Aleddine Diaf,Yacine Ghamri-Doudane

2024-07-22

Abstract:In the rapidly evolving landscape of cyber threats targeting the Internet of Things (IoT) ecosystem, and in light of the surge in botnet-driven Distributed Denial of Service (DDoS) and brute force attacks, this study focuses on the early detection of IoT bots. It specifically addresses the detection of stealth bot communication that precedes and orchestrates attacks. This study proposes a comprehensive methodology for analyzing IoT network traffic, including considerations for both unidirectional and bidirectional flow, as well as packet formats. It explores a wide spectrum of network features critical for representing network traffic and characterizing benign IoT traffic patterns effectively. Moreover, it delves into the modeling of traffic using various semi-supervised learning techniques. Through extensive experimentation with the IoT-23 dataset - a comprehensive collection featuring diverse botnet types and traffic scenarios - we have demonstrated the feasibility of detecting botnet traffic corresponding to different operations and types of bots, specifically focusing on stealth command and control (C2) communications. The results obtained have demonstrated the feasibility of identifying C2 communication with a 100% success rate through packet-based methods and 94% via flow based approaches, with a false positive rate of 1.53%.

Cryptography and Security,Artificial Intelligence

Muhammad Qasim,Muhammad Waleed,Tai-Won Um,Peyman Pahlevani,Jens Myrup Pedersen,Asif Masood

DOI: https://doi.org/10.1109/access.2024.3367122

IF: 3.9

2024-03-02

IEEE Access

Abstract:Cyberspace faces unparalleled threats due to the rapid rise in botnet attacks and their profound repercussions. Utilizing AI-assisted systems emerges as a potent solution for detecting and neutralizing such attacks. Existing research on botnet attack detection revolves around dataset creation, amplifying the detection methods' efficacy and precision via sophisticated machine learning models, and a behaviour-centric analysis. A discerning review of current datasets reveals their limitations: the obsolescence of some datasets, their limited relevance to certain attack types, and an imperative lack of ground truth. Addressing these gaps, we introduce a ground truth, the BotLab-DS1 dataset, featuring 5,279 real-world active botnet samples spanning 12 botnet families and 3,000 benign instances. This paper's core is threefold; initially, we delineate a thorough review of existing datasets and their inherent shortcomings. Subsequently, we unfold a holistic data creation strategy and leverage advanced feature engineering methods on static, behavioural, and network-centric attributes. Finally, the research involves training diverse machine learning algorithms using the BotLab-DS1 dataset for enhanced botnet detection. Our empirical findings underline that BotLab-DS1, when paired with the random forest algorithm, attains 98.6% accuracy and 99.0% precision. In contrast, gradient boosting trails closely, registering 96.34% accuracy and 96.0% precision. We believe our study will pioneer new pathways for dataset formulation and algorithmic scrutiny, enriching the research landscape and backing the global initiative to thwart botnet incursions effectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yousof Al-Hammadi,Uwe Aickelin

DOI: https://doi.org/10.48550/arXiv.1001.2665

IF: 14.4

2010-01-15

Artificial Intelligence

Abstract:Botnets, which consist of thousands of compromised machines, can cause significant threats to other systems by launching Distributed Denial of Service (SSoS) attacks, keylogging, and backdoors. In response to these threats, new effective techniques are needed to detect the presence of botnets. In this paper, we have used an interception technique to monitor Windows Application Programming Interface (API) functions calls made by communication applications and store these calls with their arguments in log files. Our algorithm detects botnets based on monitoring abnormal activity by correlating the changes in log file sizes from different hosts.

Aulia Arif Wardana,Grzegorz Kołaczek,Arkadiusz Warzyński,Parman Sukarno

DOI: https://doi.org/10.1038/s41598-024-54438-6

IF: 4.6

2024-02-18

Scientific Reports

Abstract:The botnet attack is one of the coordinated attack types that can infect Internet of Things (IoT) devices and cause them to malfunction. Botnets can steal sensitive information from IoT devices and control them to launch another attack, such as a Distributed Denial-of-Service (DDoS) attack or email spam. This attack is commonly detected using a network-based Intrusion Detection System (NIDS) that monitors the network device's activity. However, IoT network is dynamic and IoT devices have many types with different configurations and vendors in IoT environments. Therefore, this research proposes an Intrusion Detection System (IDS) by ensemble-ing traffic from heterogeneous IoT devices. This research proposes Deep Neural Network (DNN) to create a training model from each heterogeneous IoT device. After that, each training model from each heterogeneous IoT device is used to predict the traffic. The prediction results from each training model are averaged using the ensemble averaging method to determine the final result. This research used the N-BaIoT dataset to validate the proposed IDS model. Based on experimental results, ensemble averaging DNN can detect botnet attacks in heterogeneous IoT devices with an average accuracy of 97.21, precision of 91.41, recall of 87.31, and F1-score 88.48.

multidisciplinary sciences

Tanzeela Altaf,Xu Wang,Wei Ni,Guangsheng Yu,Ren Ping Liu,Robin Braun

DOI: https://doi.org/10.3390/electronics13122274

IF: 2.9

2024-06-11

Electronics

Abstract:This research introduces a novel framework utilizing a sequential gated graph convolutional neural network (GGCN) designed specifically for botnet detection within Internet of Things (IoT) network environments. By capitalizing on the strengths of graph neural networks (GNNs) to represent network traffic as complex graph structures, our approach adeptly handles the temporal dynamics inherent to botnet attacks. Key to our approach is the development of a time-stamped multi-edge graph structure that uncovers subtle temporal patterns and hidden relationships in network flows, critical for recognizing botnet behaviors. Moreover, our sequential graph learning framework incorporates time-sequenced edges and multi-edged structures into a two-layered gated graph model, which is optimized with specialized message-passing layers and aggregation functions to address the challenges of time-series traffic data effectively. Our comparative analysis with the state of the art reveals that our sequential gated graph convolutional neural network achieves substantial improvements in detecting IoT botnets. The proposed GGCN model consistently outperforms the conventional model, achieving improvements in accuracy ranging from marginal to substantial—0.01% for BoT IoT and up to 25% for Mirai. Moreover, our empirical analysis underscores the GGCN's enhanced capabilities, particularly in binary classification tasks, on imbalanced datasets. These findings highlight the model's ability to effectively navigate and manage the varying complexity and characteristics of IoT security threats across different datasets.

engineering, electrical & electronic,physics, applied,computer science, information systems

S. Kumar,R. Sehgal,P. Singh,Ankit Chaudhary

DOI: https://doi.org/10.48550/arXiv.1303.3071

2013-03-13

Abstract:The numbers of the botnet attacks are increasing day by day and the detection of botnet spreading in the network has become very challenging. Bots are having specific characteristics in comparison of normal malware as they are controlled by the remote master server and usually dont show their behavior like normal malware until they dont receive any command from their master server. Most of time bot malware are inactive, hence it is very difficult to detect. Further the detection or tracking of the network of theses bots requires an infrastructure that should be able to collect the data from a diverse range of data sources and correlate the data to bring the bigger picture in view. In this paper, we are sharing our experience of botnet detection in the private network as well as in public zone by deploying the nepenthes honeypots. The automated framework for malware collection using nepenthes and analysis using anti-virus scan are discussed. The experimental results of botnet detection by enabling nepenthes honeypots in network are shown. Also we saw that existing known bots in our network can be detected.

Cryptography and Security

Farhan Sadique,Shamik Sengupta

DOI: https://doi.org/10.1109/ICC42927.2021.9500859

2021-06-09

Abstract:Traditional reactive approach of blacklisting botnets fails to adapt to the rapidly evolving landscape of cyberattacks. An automated and proactive approach to detect and block botnet hosts will immensely benefit the industry. Behavioral analysis of botnet is shown to be effective against a wide variety of attack types. Current works, however, focus solely on analyzing network traffic from and to the bots. In this work we take a different approach of analyzing the chain of commands input by attackers in a compromised host. We have deployed several honeypots to simulate Linux shells and allowed attackers access to the shells to collect a large dataset of commands. We have further developed an automated mechanism to analyze these data. For the automation we have developed a system called CYbersecurity information Exchange with Privacy (CYBEX-P). Finally, we have done a sequential analysis on the dataset to show that we can successfully predict attacker behavior from the shell commands without analyzing network traffic like previous works.

Cryptography and Security

Yousof Al-Hammadi,U. Aickelin,Julie Greensmith

DOI: https://doi.org/10.1109/CEC.2008.4631034

IF: 4.755

2010-01-01

Clinical Orthopaedics and Related Research

Abstract:Ensuring the security of computers and their associated networks is a non-trivial task, with many techniques used by malicious users to compromise these systems. In recent years a new threat has emerged in the form of networks of hijacked zombie machines used to perform complex distributed attacks such as denial of service and to obtain sensitive data such as password information. These zombie machines are said to be infected with a 'bot' - a malicious piece of software which is installed on a host machine and is controlled by a remote attacker, termed the 'botmaster of a botnet'. In this work, we use the biologically inspired Dendritic Cell Algorithm (DCA) to detect the existence of a single bot on a compromised host machine. The DCA is an immune-inspired algorithm based on an abstract model of the behaviour of the dendritic cells of the human body. The basis of anomaly detection performed by the DCA is facilitated using the correlation of behavioural attributes such as keylogging and packet flooding behaviour. The results of the application of the DCA to the detection of a single bot show that the algorithm is a successful technique for the detection of such malicious software without responding to normally running programs. I. INTRODUCTION Computer systems and networks come under frequent attack from a diverse set of malicious programs and activity. Computer viruses posed a large problem in the late 1980's and computer worms were problematic in the 1990s through to the early 21st Century. While the detection of such worms and viruses is improving a new threat has emerged in the form of the botnet. Botnets are decentralised, distributed networks of subverted machines, controlled by a central commander, affectionately termed the 'botmaster'. A single bot is a malicious piece of software which, when installed on an unsuspecting host, transforms host into a zombie machine. Bots can install themselves on host machines through sev- eral different mechanisms, with common methods including direct download from the internet, through malicious files received as emails or via the exploitation of bugs present in internet browsing software (15). Bots typically exploit traditional networking protocols for the communication component of their 'command and control' structure. Such variants of bots IRC (Internet Relay Chat) bots, HTTP bots and more recently Peer-to-Peer bots. In this research we are primarily interested in the detection of IRC bots as they appear to be highly prevalent within the botnet community, and seemingly little research has been performed within this area of computer security. IRC is a chat based protocol consisting of various 'channels' to which a user of the IRC network can connect. Upon infection

Zhichun Li,Anup Goyal,Yan Chen,Vern Paxson

DOI: https://doi.org/10.1145/1533057.1533063

2009-01-01

Abstract:Botnets dominate today's attack landscape. In this work we investigate ways to analyze collections of malicious probing traffic in order to understand the significance of large-scale "botnet probes". In such events, an entire collection of remote hosts together probes the address space monitored by a sensor in some sort of coordinated fashion. Our goal is to develop methodologies by which sites receiving such probes can infer---using purely local observation---information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties such as trend, uniformity, coordination, and darknet avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that our inferences exhibit promising accuracy.

Heba M. Fadhil,Noor Q. Makhool,Muna M. Hummady,Zinah O. Dawood,,,,

DOI: https://doi.org/10.54216/jcim.090106

2022-01-01

Journal of Cybersecurity and Information Management

Abstract:Botnet detection develops a challenging problem in numerous fields such as order, cybersecurity, law, finance, healthcare, and so on. The botnet signifies the group of co-operated Internet connected devices controlled by cyber criminals for starting co-ordinated attacks and applying various malicious events. While the botnet is seamlessly dynamic with developing counter-measures projected by both network and host-based detection techniques, the convention techniques are failed to attain sufficient safety to botnet threats. Thus, machine learning approaches are established for detecting and classifying botnets for cybersecurity. This article presents a novel dragonfly algorithm with multi-class support vector machines enabled botnet detection for information security. For effectual recognition of botnets, the proposed model involves data pre-processing at the initial stage. Besides, the model is utilized for the identification and classification of botnets that exist in the network. In order to optimally adjust the SVM parameters, the DFA is utilized and consequently resulting in enhanced outcomes. The presented model has the ability in accomplishing improved botnet detection performance. A wide-ranging experimental analysis is performed and the results are inspected under several aspects. The experimental results indicated the efficiency of our model over existing methods.

Dr.Priyanka Kaushik

DOI: https://doi.org/10.55938/ijgasr.v2i2.46

2023-06-30

Abstract:Detecting botnet and malware cyber-attacks is a critical task in ensuring the security of computer networks. Traditional methods for identifying such attacks often involve static rules and signatures, which can be easily evaded by attackers. Dl is a subdivision of ML, has shown promise in enhancing the accuracy of detecting botnets and malware by analyzing large amounts of network traffic data and identifying patterns that are difficult to detect with traditional methods. In order to identify abnormal traffic patterns that can be a sign of botnet or malware activity, deep learning models can be taught to learn the intricate interactions and correlations between various network traffic parameters, such as packet size, time intervals, and protocol headers. The models can also be trained to detect anomalies in network traffic, which could indicate the presence of unknown malware. The threat of malware and botnet assaults has increased in frequency with the growth of the IoT. In this research, we offer a unique LSTM and GAN-based method for identifying such attacks. We utilise our model to categorise incoming traffic as either benign or malicious using a dataset of network traffic data from various IoT devices. Our findings show how well our method works by attaining high accuracy in identifying botnet and malware cyberattacks in IoT networks. This study makes a contribution to the creation of stronger and more effective security systems for shielding IoT devices from online dangers. One of the major advantages of using deep learning for botnet and malware detection is its ability to adapt to new and previously unknown attack patterns, making it a useful tool in the fight against constantly evolving cyber threats. However, DL models require large quantity of labeled data for training, and their performance can be affected by the quality and quantity of the data used. Deep learning holds great potential for improving the accuracy and effectiveness of botnet and malware detection, and its continued development and application could lead to significant advancements in the field of cybersecurity.

Rongrong Jiang,Zhengqiu Weng,Lili Shi,Erxuan Weng,Hongmei Li,Weiqiang Wang,Tiantian Zhu,Wuzhao Li

DOI: https://doi.org/10.1002/cpe.8258

2024-08-17

Concurrency and Computation Practice and Experience

Abstract:Summary With the development of the Internet of Things (IoT), the number of terminal devices is rapidly growing and at the same time, their security is facing serious challenges. For the industrial control system, there are challenges in detecting and preventing botnet. Traditional detection methods focus on capturing and reverse analyzing the botnet programs first and then parsing the extracted features from the malicious code or attacks. However, their accuracy is very low and their latency is relatively high. Moreover, they sometimes even cannot recognize the unknown botnets. The machine learning based detection methods rely on manual feature engineering and have a weak generalization. The deep learning‐based methods mostly rely on the system log, which does not take into account the multisource information such as traffic. To address the above issues, from the perspective of the botnet features, this paper proposes an intelligent detection method over parallel CNN‐LSTM, integrating the spatial and temporal features to identify botnets. Experimental demonstrate that the accuracy, recall, and F1‐score of our proposed method achieve up to over 98%, and the precision, 97.8%, is not the highest but reasonable. It reveals compared with the existing start‐of‐the‐art methods, our proposed method outperforms in the botnet detection. Our methodology's strength lies in its ability to harness the multifaceted information present in IoT traffic, offering a more nuanced and comprehensive analysis. The parallel CNN‐LSTM architecture ensures that spatial and temporal data are processed concurrently, preserving the integrity of the information and enabling a more robust detection mechanism. The result is a detection system that not only performs exceptionally well in a controlled environment but also holds promise for real‐world application, where the rapid and accurate identification of botnets is paramount.

computer science, theory & methods, software engineering