Adaptive DBSCAN with Grey Wolf Optimizer for Botnet Detection

Abstract

As the number of devices linked to the Internet (IOT devices) has dramatically increased, botnet attacks are becoming one of the most serious threats on the Internet. Many studies have been proposed for botnet detection based on machine learning. However, most of these existing studies focus on offline botnet detection using supervised machine learning methods. Since botnet attacks are committed in real time, they require online detection. Also, classification may not be practical for IOT applications such as botnet detection for many reasons that will be discussed in this paper. In order to overcome this limitation in the existing models, we propose an online botnet detection technique using unsupervised hybrid DBSCAN-GWO architecture. In this model, DBSCAN’s eps parameter is generated automatically for each data stream using grey wolf optimizer which searches for the optimum eps value to give the best clustering quality for each data stream adaptively. After finding clusters in each data stream, a comparison is made between the clusters depending on the difference between their values to find the botnet clusters for each data stream adaptively. This model is evaluated using N_BaIot datasets of six different IOT devices. The results show the efficiency of DBSCAN-GWO model in detecting botnet data in all datasets compared to the regular DBSCAN with 3 different eps values and OPTICS clustering algorithms, as the best accuracy reaches 98%, which is also compared to a number of existing techniques which are the semi-supervised K-means clustering algorithm of 79.60%, DBSCAN clustering algorithm of 80%, and clustering-based semi-supervised machine learning approach of 96.66% for detecting anomalies and DDOS attacks.