Proposing the application of a deep learning model to detect the malicious IP address of botnet in the computer network


  • Tong Anh Tuan
  • Nguyen Ngoc Cuong
  • Nguyen Viet Anh
  • Hoang Viet Long


DGA Botnet, deep learning, malicious IPs

Abstract

Malware in general, and botnets in particular, are major threats to cybersecurity. They use many sophisticated methods to bypass security systems, infect computers, and carry out attacks, sabotage, or spying activities. Botnet detection has long been a focus of scientists and cybersecurity specialists. DGA botnets are a group of common botnet families that share one mechanism: they need to connect back to the C&C server via DNS to receive commands. Many studies have proposed algorithms for detecting and classifying DGA botnets and have reported high results in testing. In this study, we use those solutions to detect malicious IP addresses and botnet malware families. First, we evaluate the efficiency of two deep learning models, LA_Bin07 and LA_Mul07, on a new specialized dataset, UTL_DGA22. Next, we extend the experiment to the ISCX-Bot-2014 dataset. The results show that the LA_Bin07 and LA_Mul07 models both achieve high accuracy on the new dataset, 0.98 and 0.86 respectively. Experiments on the real-world dataset also give positive results, helping network administrators localize malicious IP addresses for deeper investigation. The proposed solution is effective enough to be applied as a module in cybersecurity solutions such as firewalls, intrusion detection and prevention systems, or unified threat management (UTM).









How to Cite

Tuan, T. A., Cuong, N. N., Anh, N. V., & Long, H. V. (2023). Proposing the application of a deep learning model to detect the malicious IP address of botnet in the computer network. Journal of Science and Technology on Information Security, 3(17), 43-52. Retrieved from