Abstract:
The potential for security breaches has surged amidst the extensive array of interconnected devices within an IoT ecosystem. Many IoT devices, driven by imperatives of efficiency and convenience, often lack adequate security measures, making them susceptible to exploitation by cyber-criminals. One such exploitation is the botnet attack, where a network of compromised devices, the bots, carry out coordinated and automated actions under the control of a remote operator, the botmaster. The actions of bots are hidden within normal web traffic and comprise 47.4% of all web activity, as revealed by the 2023 Imperva Bad Bot report. Effective network security necessitates meticulous intrusion detection. The detection process typically involves scrutinizing the network traffic using deep packet or stateful protocol inspection techniques incorporating flow tracking, pattern matching, and statistical analysis. However, manual feature engineering is often required prior to inspection, which often discards the payload information and leads to false alarms. In this study, a controlled environment was set up as a testbed to capture botnet traffic. A detection approach was proposed, which directly extracts five-tuple information along with payloads from raw NetFlow data, generating IDX format images. In addition, a hybrid deep learning architecture was designed, integrating VGG19 and GRU structures to learn the spatial and temporal features of the images, respectively. The standalone detection results demonstrate that the proposed solution achieves 99.614% accuracy and 98.883% TPR, surpassing conventional anomaly detection techniques. To assess the real-time feasibility of this approach, an adaptive sliding window technique was introduced for live intrusion detection. Through iterative testing and refinement, a processing time of 0.041 ms per image and 0.041/24 = 0.00171 ms per packet was achieved, confirming the lightweight nature of the proposed method.
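The abstract describes turning five-tuple plus payload records into IDX-format images, grouped by a sliding window over the packet stream, but gives no encoding details. The following is an added example, not the paper's code, showing one plausible pipeline: each packet becomes a fixed-width byte row (IPs, ports, protocol, then truncated or zero-padded payload), 24 rows form one grayscale image (24 is taken from the abstract's per-packet timing figure), consecutive windows are serialised with the public IDX3-ubyte header (magic, count, rows, cols), and a reader validates the blob before a model would consume it. The row layout, the image width of 32, the fixed window stride and the sample packets are all assumptions constructed for this example; the paper's adaptive window rule is not stated in the abstract, so a fixed stride is used here.

```python
"""Packets -> fixed-width rows -> 24xW images -> IDX3-ubyte blob (added example, not the paper's code)."""
import socket
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# IDX magic for unsigned-byte data in three dimensions (count, rows, cols).
IDX_MAGIC_UBYTE_3D = 0x00000803
HEADER_LEN = 4 + 4 + 2 + 2 + 1  # src IP, dst IP, src port, dst port, protocol


@dataclass
class Packet:
    """Five-tuple plus raw payload. Field layout is an assumption of this example."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int
    payload: bytes


def packet_to_row(pkt: Packet, width: int = 32) -> bytes:
    """Encode one packet as a row of exactly `width` bytes: 13-byte five-tuple, then payload."""
    if width < HEADER_LEN:
        raise ValueError("row width must hold the 13-byte five-tuple header")
    header = (
        socket.inet_aton(pkt.src_ip)
        + socket.inet_aton(pkt.dst_ip)
        + struct.pack(">HHB", pkt.src_port, pkt.dst_port, pkt.proto)
    )
    body = pkt.payload[: width - HEADER_LEN]  # truncate long payloads
    return (header + body).ljust(width, b"\x00")  # zero-pad short ones


def packets_to_image(packets: List[Packet], rows: int = 24, width: int = 32) -> bytes:
    """Stack up to `rows` packet rows into one rows x width image; missing rows are zero."""
    data = b"".join(packet_to_row(p, width) for p in packets[:rows])
    return data.ljust(rows * width, b"\x00")


def sliding_windows(packets: List[Packet], rows: int = 24, stride: int = 12) -> Iterator[List[Packet]]:
    """Yield overlapping windows of `rows` packets advancing by a fixed `stride`.

    The paper's window is adaptive; its rule is not given in the abstract, so this
    example keeps the stride constant. The final window may be shorter than `rows`.
    """
    n = len(packets)
    if n == 0:
        return
    start = 0
    while True:
        yield packets[start:start + rows]
        if start + rows >= n:
            break
        start += stride


def write_idx3(images: List[bytes], rows: int, width: int) -> bytes:
    """Serialise images as IDX3-ubyte: big-endian magic, count, rows, cols, then pixel bytes."""
    for img in images:
        if len(img) != rows * width:
            raise ValueError("every image must be exactly rows*width bytes")
    header = struct.pack(">IIII", IDX_MAGIC_UBYTE_3D, len(images), rows, width)
    return header + b"".join(images)


def read_idx3(blob: bytes) -> Tuple[List[bytes], int, int]:
    """Parse an IDX3-ubyte blob, rejecting a bad magic or a truncated/oversized body."""
    if len(blob) < 16:
        raise ValueError("blob shorter than IDX3 header")
    magic, count, rows, width = struct.unpack_from(">IIII", blob, 0)
    if magic != IDX_MAGIC_UBYTE_3D:
        raise ValueError(f"unexpected IDX magic 0x{magic:08x}")
    size = rows * width
    if len(blob) != 16 + count * size:
        raise ValueError("IDX body length does not match header")
    images = [blob[16 + i * size: 16 + (i + 1) * size] for i in range(count)]
    return images, rows, width


# Constructed sample traffic: 30 packets from one client, alternating a TLS-like
# record header and a plain HTTP request line. Not captured data.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 40000 + i, 443 if i % 2 == 0 else 80, 6,
           b"\x16\x03\x01\x00\x2a" if i % 2 == 0 else b"GET / HTTP/1.1\r\n")
    for i in range(30)
]


def build_sample_dataset(rows: int = 24, width: int = 32, stride: int = 12) -> bytes:
    """Run the full pipeline on the constructed packets and return the IDX3 blob."""
    images = [packets_to_image(w, rows, width) for w in sliding_windows(SAMPLE_PACKETS, rows, stride)]
    return write_idx3(images, rows, width)


if __name__ == "__main__":
    blob = build_sample_dataset()
    imgs, r, w = read_idx3(blob)
    print(f"{len(imgs)} images of {r}x{w} bytes, blob size {len(blob)} bytes")
```

With 30 sample packets, a 24-row window and a stride of 12, the pipeline produces two images (the second holds 18 packets and six zero rows), so the blob is 16 + 2 * 768 = 1552 bytes. The reader's length check matters in practice: a model fed a truncated IDX file will silently see fewer or garbled images, so validate the header against the body before training or live inference.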