{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,7]],"date-time":"2026-01-07T23:00:49Z","timestamp":1767826849215,"version":"3.49.0"},"reference-count":51,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,4,10]],"date-time":"2024-04-10T00:00:00Z","timestamp":1712707200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,4,10]],"date-time":"2024-04-10T00:00:00Z","timestamp":1712707200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Ministry of Education, Culture, Research and Technology, The Republic of Indonesia","award":["1482\/PKS\/ITS\/2022"],"award-info":[{"award-number":["1482\/PKS\/ITS\/2022"]}]},{"name":"Ministry of Education, Culture, Research and Technology, The Republic of Indonesia","award":["1482\/PKS\/ITS\/2022"],"award-info":[{"award-number":["1482\/PKS\/ITS\/2022"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Big Data"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Threats on computer networks have been increasing rapidly, and irresponsible parties are always trying to exploit vulnerabilities in the network to do various dangerous things. One way to exploit vulnerabilities in a computer network is by employing malware. Botnets are a type of malware that infects and attacks targets in groups. Botnets develop quickly; the characteristics of initially sporadic attacks have grown into periodic and simultaneous. This rapid development has proved that the botnet is advanced and requires more attention and proper handling. Many studies have introduced detection models for botnet attack activity on computer networks. Apart from detecting the presence of botnet attacks, those studies have attempted to explore the characteristics of botnets, such as attack intensity, relationships between activities, and time segment analysis. However, there has been no research that explicitly detects those characteristics. On the other hand, each botnet characteristic requires different handling, while recognizing the characteristics of the botnet can help network administrators make appropriate decisions. Based on these reasons, this research builds a detection model that can recognize botnet characteristics using sequential traffic mining and similarity analysis. The proposed method consists of two main processes. The first is training to build a knowledge base, and the second is testing to detect botnet activity and attack characteristics. It involves dynamic thresholds to improve the model sensitivity in recognizing attack characteristics through similarity analysis. The novelty includes developing and combining analytical techniques of sequential traffic mining, similarity analysis, and dynamic threshold to detect and recognize the characteristics of botnet attacks explicitly on actual behavior in network traffic. Extensive experiments have been conducted for the evaluation using three different datasets whose results show better performance than others.<\/jats:p>","DOI":"10.1186\/s40537-024-00900-1","type":"journal-article","created":{"date-parts":[[2024,4,10]],"date-time":"2024-04-10T12:02:15Z","timestamp":1712750535000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":14,"title":["B-CAT: a model for detecting botnet attacks using deep attack behavior analysis on network traffic flows"],"prefix":"10.1186","volume":"11","author":[{"given":"Muhammad Aidiel Rachman","family":"Putra","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Tohari","family":"Ahmad","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dandy Pramana","family":"Hostiadi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2024,4,10]]},"reference":[{"key":"900_CR1","unstructured":"Malware. AV-TEST\u2014Indep. IT-Security Inst; 2022. https:\/\/www.av-test.org\/en\/statistics\/malware\/. Accessed 15 Nov 2022."},{"key":"900_CR2","doi-asserted-by":"publisher","DOI":"10.1016\/j.clsr.2021.105652","volume":"45","author":"L B\u00f6ck","year":"2022","unstructured":"B\u00f6ck L, Fejrskov M, Demetzou K, Karuppayah S, M\u00fchlh\u00e4user M, Vasilomanolakis E. Processing of botnet tracking data under the GDPR. Comput Law Secur Rev. 2022;45: 105652.","journal-title":"Comput Law Secur Rev"},{"key":"900_CR3","doi-asserted-by":"crossref","unstructured":"Melo R, Macedo D, Dantas M, Bona LC. A novel immune detection approach enhanced by attack graph based correlation. In: IEEE symposium on computers and communications; 2019. p. 1\u20136.","DOI":"10.1109\/ISCC47284.2019.8969772"},{"key":"900_CR4","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1016\/j.procs.2021.11.082","volume":"196","author":"R Abrantes","year":"2022","unstructured":"Abrantes R, Mestre P, Cunha A. Exploring dataset manipulation via machine learning for botnet traffic. Procedia Comput Sci. 2022;196:133\u201341.","journal-title":"Procedia Comput Sci"},{"key":"900_CR5","first-page":"66","volume":"14","author":"E Krishna","year":"2021","unstructured":"Krishna E, Arunkumar T. Hybrid Particle swarm and gray wolf optimization algorithm for IoT intrusion detection system. Int J Intell Eng Syst. 2021;14:66\u201376.","journal-title":"Int J Intell Eng Syst"},{"key":"900_CR6","first-page":"825","volume":"34","author":"R Priyadarshini","year":"2022","unstructured":"Priyadarshini R, Barik RK. A deep learning based intelligent framework to mitigate DDoS attack in fog environment. J King Saud Univ Comput Inf Sci. 2022;34:825\u201331.","journal-title":"J King Saud Univ Comput Inf Sci"},{"key":"900_CR7","first-page":"6872","volume":"34","author":"C Joshi","year":"2021","unstructured":"Joshi C, Ranjan RK, Bharti V. A Fuzzy Logic based feature engineering approach for Botnet detection using ANN. J King Saud Univ Comput Inf Sci. 2021;34:6872\u201382.","journal-title":"J King Saud Univ Comput Inf Sci"},{"key":"900_CR8","doi-asserted-by":"publisher","first-page":"43","DOI":"10.3390\/fi10050043","volume":"10","author":"XD Hoang","year":"2018","unstructured":"Hoang XD, Nguyen QC. Botnet detection based on machine learning techniques using DNS query data. Futur Internet. 2018;10:43.","journal-title":"Futur Internet"},{"key":"900_CR9","doi-asserted-by":"publisher","first-page":"4501","DOI":"10.3390\/s20164501","volume":"20","author":"KS Huancayo Ramos","year":"2020","unstructured":"Huancayo Ramos KS, Sotelo Monge MA, Maestre Vidal J. Benchmark-based reference model for evaluating botnet detection tools driven by traffic-flow analytics. Sensors. 2020;20:4501.","journal-title":"Sensors"},{"key":"900_CR10","doi-asserted-by":"publisher","first-page":"284","DOI":"10.1016\/j.ins.2019.09.024","volume":"511","author":"W Wang","year":"2020","unstructured":"Wang W, Shang Y, He Y, Li Y, Liu J. BotMark: automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors. Inf Sci (Ny). 2020;511:284\u201396.","journal-title":"Inf Sci (Ny)"},{"key":"900_CR11","unstructured":"Zeidanloo H, Tabatabaei F, Vahdani Amoli P, Tajpour A. All about malwares (malicious codes). Secur Manag. 2010."},{"key":"900_CR12","doi-asserted-by":"crossref","unstructured":"Shetu SF, Saifuzzaman M, Moon NN, Nur FN. A survey of botnet in cyber security. In: 2nd international conference intelligent communication and computational techniques ICCT; 2019. p. 174\u20137.","DOI":"10.1109\/ICCT46177.2019.8969048"},{"key":"900_CR13","volume":"55","author":"FF Daneshgar","year":"2020","unstructured":"Daneshgar FF, Abbaspour M. A two-phase sequential pattern mining framework to detect stealthy P2P botnets. J Inf Secur Appl. 2020;55: 102645.","journal-title":"J Inf Secur Appl"},{"key":"900_CR14","doi-asserted-by":"crossref","unstructured":"Muhammad A, Asad M, Javed AR. Robust early stage botnet detection using machine learning. In: International conference on cyber warfare and security; 2020. p. 1\u20136.","DOI":"10.1109\/ICCWS48432.2020.9292395"},{"key":"900_CR15","doi-asserted-by":"publisher","first-page":"56","DOI":"10.1186\/s40537-022-00616-0","volume":"9","author":"K Kumari","year":"2022","unstructured":"Kumari K, Mrunalini M. Detecting denial of service attacks using machine learning algorithms. J Big Data. 2022;9:56.","journal-title":"J Big Data"},{"key":"900_CR16","first-page":"4219","volume":"34","author":"DP Hostiadi","year":"2022","unstructured":"Hostiadi DP, Ahmad T. Hybrid model for bot group activity detection using similarity and correlation approaches based on network traffic flows analysis. J King Saud Univ Comput Inf Sci. 2022;34:4219\u201332.","journal-title":"J King Saud Univ Comput Inf Sci"},{"key":"900_CR17","doi-asserted-by":"publisher","DOI":"10.22266\/ijies2022.0831.48","author":"MAR Putra","year":"2022","unstructured":"Putra MAR, Ahmad T, Hostiadi DP. Analysis of botnet attack communication pattern behavior on computer networks. Int J Intell Eng Syst. 2022. https:\/\/doi.org\/10.22266\/ijies2022.0831.48.","journal-title":"Int J Intell Eng Syst"},{"key":"900_CR18","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1186\/s40537-017-0074-7","volume":"4","author":"S Chowdhury","year":"2017","unstructured":"Chowdhury S, Khanzadeh M, Akula R, Zhang F, Zhang S, Medal H, Marufuzzaman M, Bian L. Botnet detection using graph-based feature clustering. J Big Data. 2017;4:14.","journal-title":"J Big Data"},{"key":"900_CR19","doi-asserted-by":"crossref","unstructured":"Gaonkar S, Dessai NF, Costa J, Borkar A, Aswale S, Shetgaonkar P. A Survey on Botnet Detection Techniques. In: International conference on emerging trends in information technology and engineering; 2020. p. 1\u20136.","DOI":"10.1109\/ic-ETITE47903.2020.Id-70"},{"key":"900_CR20","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102549","volume":"113","author":"TA Tuan","year":"2022","unstructured":"Tuan TA, Long HV, Taniar D. On detecting and classifying DGA botnets and their families. Comput Secur. 2022;113: 102549.","journal-title":"Comput Secur"},{"key":"900_CR21","doi-asserted-by":"crossref","unstructured":"Choi H, Lee H, Lee H, Kim H. Botnet detection by monitoring group activities in DNS traffic. In: 7th IEEE international conference on computer and information technology. Institute of Electrical and Electronics Engineers (IEEE); 2008. p. 715\u201320.","DOI":"10.1109\/CIT.2007.90"},{"key":"900_CR22","doi-asserted-by":"crossref","unstructured":"Zeidanloo HR, Manaf AB, Vahdani P, Tabatabaei F, Zamani M. Botnet detection based on traffic monitoring. In: International conference on networking and information technology; 2010. p. 97\u2013101.","DOI":"10.1109\/ICNIT.2010.5508552"},{"key":"900_CR23","doi-asserted-by":"publisher","first-page":"2375","DOI":"10.3390\/app9112375","volume":"9","author":"RU Khan","year":"2019","unstructured":"Khan RU, Zhang X, Kumar R, Sharif A, Golilarz NA, Alazab M. An adaptive multi-layer botnet detection technique using machine learning classifiers. Appl Sci. 2019;9:2375.","journal-title":"Appl Sci"},{"key":"900_CR24","doi-asserted-by":"crossref","unstructured":"Kwon J, Kim J, Lee J, Lee H, Perrig A. PsyBoG: Power spectral density analysis for detecting botnet groups. In: Proceedings of the 9th international conference on malicious and unwanted software: the Americas; 2014. p. 85\u201392.","DOI":"10.1109\/MALWARE.2014.6999414"},{"key":"900_CR25","doi-asserted-by":"publisher","DOI":"10.1016\/j.dib.2021.107334","volume":"38","author":"DP Hostiadi","year":"2021","unstructured":"Hostiadi DP, Ahmad T. Dataset for Botnet group activity with adaptive generator. Data Br. 2021;38: 107334.","journal-title":"Data Br"},{"key":"900_CR26","doi-asserted-by":"crossref","unstructured":"Choi H, Lee H, Kim H. BotGAD: Detecting botnets by capturing group activities in network traffic. In: 4th international ICST conference on COMmunication System softWAre and middleware; 2009. p. 1\u20138.","DOI":"10.1145\/1621890.1621893"},{"key":"900_CR27","doi-asserted-by":"publisher","DOI":"10.1016\/j.dib.2022.108628","volume":"45","author":"MAR Putra","year":"2022","unstructured":"Putra MAR, Hostiadi DP, Ahmad T. Botnet dataset with simultaneous attack activity. Data Br. 2022;45: 108628.","journal-title":"Data Br"},{"key":"900_CR28","doi-asserted-by":"publisher","first-page":"100","DOI":"10.1016\/j.cose.2014.05.011","volume":"45","author":"S Garc\u00eda","year":"2014","unstructured":"Garc\u00eda S, Grill M, Stiborek J, Zunino A. An empirical comparison of botnet detection methods. Comput Secur Elsevier Ltd. 2014;45:100\u201323.","journal-title":"Comput Secur Elsevier Ltd"},{"key":"900_CR29","doi-asserted-by":"crossref","unstructured":"Yahyazadeh M, Abadi M. BotCatch: Botnet detection based on coordinated group activities of compromised hosts. In: 7th international symposium on telecommunications; 2014. p. 941\u20135.","DOI":"10.1109\/ISTEL.2014.7000838"},{"key":"900_CR30","doi-asserted-by":"publisher","first-page":"95","DOI":"10.1016\/j.future.2020.01.055","volume":"107","author":"M Asadi","year":"2020","unstructured":"Asadi M, Jabraeil Jamali MA, Parsa S, Majidnezhad V. Detecting botnet by using particle swarm optimization algorithm based on voting system. Futur Gener Comput Syst. 2020;107:95\u2013111.","journal-title":"Futur Gener Comput Syst"},{"key":"900_CR31","first-page":"137","volume":"70","author":"S Homayoun","year":"2018","unstructured":"Homayoun S, Ahmadzadeh M, Hashemi S, Dehghantanha A, Khayami R. BoTShark: a deep learning approach for botnet traffic detection. Adv Inf Secur. 2018;70:137\u201353.","journal-title":"Adv Inf Secur"},{"key":"900_CR32","first-page":"4176","volume":"14","author":"DP Hostiadi","year":"2020","unstructured":"Hostiadi DP, Wibisono W, Ahmad T. B-corr model for bot group activity detection based on network flows traffic analysis. KSII Trans Internet Inf Syst. 2020;14:4176\u201397.","journal-title":"KSII Trans Internet Inf Syst"},{"key":"900_CR33","doi-asserted-by":"crossref","unstructured":"Khodadadi R, Akbari B. Ichnaea: Effective P2P botnet detection approach based on analysis of network flows. In: International symposium on telecommunications; 2014. p. 934\u201340.","DOI":"10.1109\/ISTEL.2014.7000837"},{"key":"900_CR34","first-page":"205","volume":"14","author":"H El-Sofany","year":"2020","unstructured":"El-Sofany H. A new cybersecurity approach for protecting cloud services against DDoS attacks. Int J Intell Eng Syst. 2020;14:205\u201315.","journal-title":"Int J Intell Eng Syst"},{"key":"900_CR35","first-page":"73","volume":"32","author":"KM Prasad","year":"2020","unstructured":"Prasad KM, Reddy ARM, Rao KV. BARTD: Bio-inspired anomaly based real time detection of under rated App-DDoS attack on web. J King Saud Univ Comput Inf Sci. 2020;32:73\u201387.","journal-title":"J King Saud Univ Comput Inf Sci"},{"key":"900_CR36","doi-asserted-by":"crossref","unstructured":"Hostiadi DP, Ahmad T. Sliding time analysis in traffic segmentation for botnet activity detection. In: 5th international conference on computing and informatics; 2022. p. 286\u201391.","DOI":"10.1109\/ICCI54321.2022.9756077"},{"key":"900_CR37","doi-asserted-by":"crossref","unstructured":"Alejandre FV, Cort\u00e9s NC, Anaya EA. Feature selection to detect botnets using machine learning algorithms. In: International conference on electronics, communications and computers; 2017.","DOI":"10.1109\/CONIELECOMP.2017.7891834"},{"key":"900_CR38","doi-asserted-by":"publisher","first-page":"881","DOI":"10.1109\/TLA.2020.9082916","volume":"18","author":"LF Bueno Silva","year":"2020","unstructured":"Bueno Silva LF, Nunes Utimura L, Pontara Da Costa KA, Aparecida Zanoli Meira E Silva M, Das Gracas Domingues S. Study on machine learning techniques for botnet detection. IEEE Lat Am Trans. 2020;18:881\u20138.","journal-title":"IEEE Lat Am Trans"},{"key":"900_CR39","doi-asserted-by":"crossref","unstructured":"Hostiadi DP, Ahmad T, Wibisono W. A new approach to detecting bot attack activity scenario. Adv Intell Syst Comput. 2021;1383 AISC:823\u201335.","DOI":"10.1007\/978-3-030-73689-7_78"},{"key":"900_CR40","doi-asserted-by":"crossref","unstructured":"Al-Hakbani MM, Dahshan MH. Avoiding honeypot detection in peer-to-peer botnets. In: IEEE international conference on engineering and technology; 2015. p. 1\u20137.","DOI":"10.1109\/ICETECH.2015.7275017"},{"key":"900_CR41","doi-asserted-by":"publisher","first-page":"175","DOI":"10.1016\/j.comnet.2018.08.014","volume":"145","author":"CY Wang","year":"2018","unstructured":"Wang CY, Ou CL, Zhang YE, Cho FM, Chen PH, Chang JB, Shieh CK. BotCluster: A session-based P2P botnet clustering system on NetFlow. Comput Networks Elsevier. 2018;145:175\u201389.","journal-title":"Comput Networks Elsevier"},{"key":"900_CR42","first-page":"27","volume":"10","author":"RF Mohd Dollah","year":"2018","unstructured":"Mohd Dollah RF, Faizal MA, Arif F, Masud MZ, Xin LK. Machine learning for HTTP botnet detection using classifier algorithms. J Telecommun Electron Comput Eng. 2018;10:27\u201330.","journal-title":"J Telecommun Electron Comput Eng."},{"key":"900_CR43","doi-asserted-by":"publisher","DOI":"10.1002\/ett.3999","volume":"32","author":"X Dong","year":"2021","unstructured":"Dong X, Dong C, Chen Z, Cheng Y, Chen B. BotDetector: an extreme learning machine-based Internet of Things botnet detection model. Trans Emerg Telecommun Technol. 2021;32: e3999.","journal-title":"Trans Emerg Telecommun Technol"},{"key":"900_CR44","doi-asserted-by":"crossref","unstructured":"Alomari E, Manickam S, Gupta BB, Singh P, Anbar M. Design, deployment and use of HTTP-based botnet (HBB) testbed. In: 16th international conference on advanced communications technology; 2014. p. 1265\u20139.","DOI":"10.1109\/ICACT.2014.6779162"},{"key":"900_CR45","doi-asserted-by":"crossref","unstructured":"Alzahrani AJ, Ghorbani AA. Real-time signature-based detection approach for SMS botnet. In: 2015 13th annual conference on privacy, security trust; 2015. p. 157\u201364.","DOI":"10.1109\/PST.2015.7232968"},{"key":"900_CR46","doi-asserted-by":"publisher","first-page":"545","DOI":"10.1080\/17517575.2019.1644673","volume":"15","author":"K Alieyan","year":"2021","unstructured":"Alieyan K, Almomani A, Anbar M, Alauthman M, Abdullah R, Gupta BB. DNS rule-based schema to botnet detection. Enterp Inf Syst. 2021;15:545\u201364.","journal-title":"Enterp Inf Syst"},{"key":"900_CR47","first-page":"313","volume":"24","author":"FE Ayo","year":"2023","unstructured":"Ayo FE, Awotunde JB, Folorunso SO, Adigun MO, Ajagbe SA. A genomic rule-based KNN model for fast flux botnet detection. Egypt Inf J. 2023;24:313\u201325.","journal-title":"Egypt Inf J"},{"key":"900_CR48","doi-asserted-by":"publisher","first-page":"2843","DOI":"10.1109\/TNET.2018.2874896","volume":"26","author":"A Wang","year":"2018","unstructured":"Wang A, Chang W, Chen S, Mohaisen A. Delving into internet DDoS attacks by botnets: characterization and analysis. IEEE\/ACM Trans Netw. 2018;26:2843\u201355.","journal-title":"IEEE\/ACM Trans Netw"},{"key":"900_CR49","first-page":"257","volume":"9","author":"T Ahmad","year":"2018","unstructured":"Ahmad T, Hasbiya T, Ijtihadie R, Wibisono W. Detecting malicious activities in a computer cluster for developing dynamic honeypot. ICIC Express Lett Part B Appl. 2018;9:257\u201364.","journal-title":"ICIC Express Lett Part B Appl"},{"key":"900_CR50","doi-asserted-by":"crossref","unstructured":"Marnerides AK, Mauthe AU. Analysis and characterisation of botnet scan traffic. In: International conference on computing, networking and communications; 2016. p. 1\u20137.","DOI":"10.1109\/ICCNC.2016.7440627"},{"key":"900_CR51","first-page":"113","volume":"14","author":"MG Karthik","year":"2021","unstructured":"Karthik MG, Krishnan MBM. Securing an internet of things from distributed denial of service and mirai botnet attacks using a novel hybrid detection and mitigation mechanism. Int J Intell Eng Syst. 2021;14:113\u201323.","journal-title":"Int J Intell Eng Syst"}],"container-title":["Journal of Big Data"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s40537-024-00900-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s40537-024-00900-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s40537-024-00900-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,4,10]],"date-time":"2024-04-10T12:08:44Z","timestamp":1712750924000},"score":1,"resource":{"primary":{"URL":"https:\/\/journalofbigdata.springeropen.com\/articles\/10.1186\/s40537-024-00900-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,10]]},"references-count":51,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["900"],"URL":"https:\/\/doi.org\/10.1186\/s40537-024-00900-1","relation":{},"ISSN":["2196-1115"],"issn-type":[{"value":"2196-1115","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,4,10]]},"assertion":[{"value":"18 November 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"6 March 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"10 April 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"49"}}