Simultaneous Botnet Attack Detection Using Long Short Term Memory-Based Autoencoder and XGBoost Classifier

The emergence of Internet of Things (IoT)-related services has become a revolutionizing technological development that significantly impacts various aspects of our daily lives. With over ten billion interconnected devices via the Internet, IoT- based application usage is continuously growing in many fields, including healthcare, education, agriculture, transport, and industry [1, 2]. IoT device communication often requires the generation and exchange of a substantial volume of private data. However, hardware limitations and insufficient security arrangements of IoT devices contribute to their vulnerabilities against cyber-attacks and fail to ensure a secure data trans- action [3]. Cyber-attacks are illegitimate actions carried out by an external agent that involve unauthorized attempts to access confidential data or perform malicious actions through an infected device.

IoT botnet cyber-attack are considered a prominent threat to IoT devices [4]. In 2021, the FBI's Internet Crime Complaint Center (IC3) received more than 6.9 billion reports of cybercrime [3]. A botnet is a compromised network utilized by a botnet master to launch attacks or illegal actions [5], causing data loss and even threatening the usability of the entire network. Therefore, the early detection of botnet activity using an intrusion detection system (IDS) is crucial for network security. Existing solutions for botnet detection may be categorized into signature-based and anomaly-based methods. Signature-based methods apply pattern matching of traffic characteristics to a predefined signature [6]. However, those methods required the regular updating of the signature database by a cyber security expert. In addition, it fails to detect zero-day attacks. Anomaly-based intrusion detection systems (IDS) are a recent and efficient countermeasure to tackle botnet attacks [7]. Anomaly-based IDS analyzes network traffic data to classify it as normal or malicious (Figure 1). IDSs aim to detect compromised nodes before any malicious actions are initiated and adopt real-time countermeasures to ensure data integrity and protection [8].

Recently, machine learning (ML) and deep learning (DL) techniques have demonstrated their efficiency and robustness for cyber-attack detection and prevention over IoT networks. Techniques such as convolutional neural networks (CNN) [9], deep neural networks (DNN) [10], long short-term memory (LSTM) [11], extreme gradient boosting (XGBoost) [12], autoencoders [2], multi-layer perceptron (MLP) [13], and random forest (RF) [14]. Anomaly botnet detection models based on machine learning and deep learning are trained to recognize complex patterns in network traffic through the use of learned characteristics. An indication of malicious activity may be detected if a deviation from normal network behavior is detected.

Existing solutions have demonstrated major drawbacks. They have mostly focused on a binary classification problem for discriminating between normal and illegitimate traffic. However, they fail to identify specific attack types, which is a crucial step for network security enhancement and threat prevention. In fact, attack type identification enables the development of effective detection methods and defense mechanisms adjusted to specific attack. Furthermore, the absence of a realistic dataset that considers the nature of botnet attacks as a distributed activity. While it is classified as a distributed or spread activity, existing datasets and solutions don’t consider simultaneous data or parallel detection. Recently, the NCC-2 dataset [15] was released to address the lack of these fundamental characteristics. To overcome these limitations, we propose a LSTM-AE-XGB model that makes use of parallel sensor data to identify the patterns of botnet attack activities. Our approach improves detection accuracy by applying a long-short-term memory base autoencoder (LSTM-AE) algorithm for feature extraction to extract patterns, correlations, and dependencies. within network traffic. Attack type identification is performed through a multi-class classification using the Extreme Gradient Boosting (XGBoost) classifier.

1.png

Figure 1. A network intrusion detection system

We use a long-short-term memory-based autoencoder (AE- LSTM) to extract and generate a new feature set representing attack classes independently of instance numbers; this is essential when dealing with imbalanced data. We train AE-LSTM over data from multiple sensors to extract temporal dependencies and long-term patterns in attack and normal traffic data. Computed latent representation increases the distance over samples derived from dissimilar classes to enhance the classification performance. Based on the computed latent feature representation, we perform a multiclass classification task using the XGBoost Classifier. In this study, we explore LSTM-AE-XGB model performances using the recently released NCC-2 Simultaneous Botnet dataset. In comparison to existing datasets that do not include such valuable information. The dataset includes data from multiple parallel sensors, consisting of both normal traffic and sequential and simultaneous botnet attack activities.

The main contributions of this paper are:

·We propose an efficient and accurate simultaneous botnet attack detection and identification model over combined traffic from multiple sensors.

·LSTM-AE feature selection and extraction approach was used to automate the selection and extraction of latent representations of temporal dependencies, long- term patterns of attack and normal traffic.

·We performed an extensive performance evaluation of the proposed model using the recently released NCC2dataset.

·Experiments reveal that the proposed hybrid model is able to accurately detect and identify various traffic activities.

·We conducted a comparative analysis of feature extraction and parallel botnet detection approaches based on ML and deep learning.

The rest of this paper is organized as follows. In section 2, the recent solutions for IoT botnet attack detection are investigated. Section 3, gives a detailed description of the NCC-2 Dataset. In section 4, proposed methodology for the IoT-Botnet detection and identification is introduced. The experimental results are presented and discussed in section 5. The paper is concluded with future research scope in section 6.

3.1 Problem formulation

Let dataset D, consist of three sub-datasets:

$D=\left\{D_1, D_2, D_3\right\}$           (1)

Each includes data captured from Sensor S1, Sensor S2 or Sensor S3 respectively. Each sub-dataset D_i contains $\sum_{k=1}^{M_i} S_k$ samples, each sample consist of a total of 18 features:

$\begin{array}{r}S_k=\left\{f_{k 1}, f_{k 2}, \ldots, f_{k 15}, \text { ActivityLabel }_k\right.\left.\text { BotnetName }_k, \text { ensorId }_k\right\}\end{array}$       (2)

where, ActivityLabel represents traffic type as botnet or normal. The feature BonetName represents the botnet activity type as Neris, Virut, Rbot, Nsys.ay, Sogo, Murlo,Menti, or Normal. The ensorId feature represents the sensor identifier as 1, 2, or 3. In this paper, we aim to detect the attack type of each traffic sample using the LSTM-AE-XGB model. We intend to use hybrid DL model to address a multiclass classification problem for botnet activity identification over the NCC2 dataset. A long-short-term memory-based autoencoder (LSTM-AE) is utilized to extract and generate a new feature set representing attack classes. The computed latent feature representation captures temporal dependencies and long-term patterns present in traffic data captured simultaneously over parallel sensors. Traffic activities are detected and classified using the XGBoost classifier.

A general overview of the proposed model LSTM-AE-XGB architecture for simultaneous botnet attack detection is given in Figure 2.

2.png

Figure 2. An overview of the LSTM-AE-XGB model for simultaneous botnet attack detection

3.2 The NCC-2 dataset simultaneous botnet dataset

In this paper, the recently released NCC-2 Simultaneous Botnet dataset [15] is used for feature extraction and model training. The dataset includes data from three parallel sensors that capture normal, sequential and simultaneous botnet attack activities. It provides a traffic network taking into consideration the distributed nature of botnet attacks. In this dataset, botnet attack scenarios are simulated based on attacks extracted from the CTU-13 [27] and NCC [28] datasets. The two types of network traffic activities Botnet and normal are simultaneously captured over three sensors. The dataset contains a total of four sub-datasets. Three subsets include traffic data from each sensor S1, S2 and S3 recorded over eight hours. In addition, a sub-dataset incorporates a combination of those subsets.

The sub-dataset contains traffic captured by sensor S1 consists of several botnet activities, including Neris, Rbot, Virut, Sogo and NSIS.ay. Sensor S2 sub-datset includes traffic from four attack activities: Menti, Virut, Rbot and Neris. Traffic data collected from the third sensor S3 includes botnet types: Virut, Rbot, NSIS.ay, Neris, and Murlo botnet attack types. A combination of those three sub-datasets is also provided. Table 1 lists the instance numbers for each botnet attack type captured from different sensors in the NCC2 dataset.

The dataset contains 15 features existing in the CTU-13 and NCC datasets, including StartTime, SrcAddr, Activity time, Dur, DstAddr, Proto, Sport, Dport, Dir, State, dTos, sTos, TotPkts, SrcBytes, TotBytes and Label. In addition, there are three features describing traffic type, botnet activity type, and sensor information.

Table 1. Traffic type distribution for the three sub-datasets of the NCC-2 dataset

3.3 Preprocessing

The NCC2 dataset is initially preprocessed by applying data cleaning, attack selection, and encoding techniques. The used data set consists of three sub-datasets. Each corresponds to network traffic captured by a sensor. Captured data depends on the covered segment of the network. This includes specific criteria such as a defined range of IP addresses, ports, and particular protocols used. Hence, the different sub-datasets are preprocessed separately. Preprocessing involves cleaning, encoding, attack selection, resampling, and normalization. Data is cleaned by removing null values, duplicate rows, and unused features such as the binary classification label ActivityLabel.

The proposed model aims to detect attacks simultaneously captured by all three sensors; each attack class that is not captured in parallel is removed. As a result, the feature BonetName will represent five attack types: Neris, Virut, Rbot, Nsis.ay, and Normal, and the model is used for five class classification task.

Despite the fact that the performances of ML and DL models are strongly affected by imbalanced data, Moreover, the Normal class represents the majority class with 13975083 instances, while the total number of botnet attack instances is significantly lower. We apply majority class undersampling using the Random Undersampling Technique (RUS) to balance normal and attack traffic activities at 50% each.

Finally, the three sub datasets are merged into one dataset, and the Z-score normalization technique is applied to scale the data. The resulting dataset is then split with a ratio of 80% for training and 20% for tests used for classifier training and classification.

3.4 Feature extraction

Relevant features from the dataset are extracted and reduced using LSTM-AE. In fact, efficient feature extraction is crucial for enhancing classification results in high-dimensional datasets.

Autoencoder (AE) is an unsupervised learning artificial neural network. Intended to generate a low-dimensional feature representation of the input data in a nonlinear space [29]. The architecture of an autoencoder consists of three layers: the input layer, the encoder, and the decoder neural network. The encoder processes the input data to produce a learned latent representation that captures key features. In contrast, the decoder aims to precisely reconstruct the input data based on the produced representation.

The LSTM-based autoencoder (LSTM-AE) is widely used for anomaly detection, dimensionality reduction, and significant characteristic extraction from series data [29-31]. In this work, we use the LSTM neural network as the encoder layer. LSTM-AE aims to model temporal dependencies over the traffic sequence and produce an optimal latent representation. We train a one-layer LSTM-based autoencoder using the preprocessed data to generate a latent representation L computed using the following equation:

$L=L S T M(W S+b)$      (3)

where, S is the traffic data sequence from the input layer, W is the weight matrix, and b is the bias vector.

The LSTM-AE consists of one LSTM layer of 32 units and a ReLU activation function, followed by a RepeatVector layer. The Adam optimizer and the Mean Squared Error (MSE) loss function are used for model compilation. The training is performed across 10 epochs with a batch size of 256. Algorithm 1. gives a description of the LSTM-AE-based feature extraction method. The produced latent representation L is considered an optimal feature representation and will be further considered for classifier training and evaluation.

3.5 Attack detection and identification

Extreme Gradient Boosting (XGBoost) is an ensemble learning technique that employs the gradient boosting technique over a set of decision trees. The XGBoost classifier presents strong advantages, including the ability to effectively classify instances by learning from previous mistakes, employ fine-tuning hyperparameters, adopt regularizing techniques, and handle imbalanced data [32].

3.6 Attack detection and identification

Extreme Gradient Boosting (XGBoost) is an ensemble learning technique that employs the gradient boosting technique over a set of decision trees. The XGBoost classifier presents strong advantages, including the ability to effectively classify instances by learning from previous mistakes, employ fine-tuning hyperparameters, adopt regularizing techniques, and handle imbalanced data [32].

3.png

Figure 3. The overall architecture of the used XGBoost classifier

XGBoost aims to reduce prediction errors through the residual aggregation of weak leaner (decision tree) at each step. To ensure low complexity and avoid overfitting, a regulariza- tion technique is employed [18]. It aims to minimize the loss following the equation:

$L(t)=\sum_{k=1}^n l\left(y_k, y_k^{k k-1}+f_t\left(X_i\right)\right)+\theta\left(f_t\right)$          (4)

where, $y_k^{\prime k-1}$ is the prediction of the k example by the increment t and θ(f_t) is a penalty parameter [18].

In this paper, we train the XGBoost classifier using the computed latent representation L. The architecture of the XGboost classifier is given in Figure 3. We aim to accurately detect anomalous activity and identify the exact botnet type.

3.7 Evaluation metrics

Extreme Gradient Boosting (XGBoost) is an ensemble learning technique that employs. In this work, we address a multiclass classification problem using ML and DL techniques. Hence, for the proposed model evaluation, the standard metrics, including accuracy, precision, recall, F1-score and the confusion matrix (CM) are considered. To compute these measures, four parameters are first extracted: true negative (TN), true positive (TP), false negative (FN) and false positive (FP). and false negative (FN). The TP, TN represent traffic type instances correctly identified, and the FP, FN are the miss-classified instances. The following equations are used to compute the following metrics:

$Accuracy=\frac{(T P+T N)}{(T N+T P+F N+F P)}$         (5)

$Precision=\frac{T P}{F P+T P}$            (6)

$Recall =\frac{T P}{F N+T P}$       (7)