Machine learning and metaheuristic optimization algorithms for feature selection and botnet attack detection
| Published in | Knowledge and Information Systems, Vol. 67, no. 4, pp. 3549-3597 |
|---|---|
| Format | Journal Article |
| Language | English |
| Published | London: Springer London, 01.04.2025 (Springer Nature B.V.) |
| ISSN | 0219-1377, 0219-3116 |
| DOI | 10.1007/s10115-024-02322-0 |
| Summary: | Botnet attacks are carried out using a set of vulnerable systems, called bots, that are managed by an administrator, called the botmaster, who uses them to launch attacks on a large scale. Various methods are used to detect such attacks, such as (1) traffic analysis, (2) behavior analysis, (3) behavior-based detection, (4) intrusion detection systems (IDS), (5) honeypots and honeynets, (6) DNS query analysis, (7) common threat intelligence, (8) artificial intelligence algorithms, (9) login analysis, and (10) endpoint protection. In this paper, a new hybrid IDS based on machine learning and meta-heuristic algorithms is proposed, consisting of three steps: (1) pre-processing, (2) feature selection, and (3) attack detection. The pre-processing stage comprises three sub-steps, numericalization, normalization, and removal of outliers, and uses K-Nearest Neighbor (K-NN). In the feature selection stage, the combined SFO-WOA method is used: first, redundant features are removed using the SailFish Optimizer (SFO), and the resulting feature set is provided to the Whale Optimization Algorithm (WOA) as an initial population, from which WOA selects the best features. In the attack detection stage, the combined PSO-K-means method is used: the Particle Swarm Optimization (PSO) algorithm is used to detect attacks, and K-means is then used to manage the boundaries of the search space. The proposed hybrid method is called SFO-WOA-PSO-K-means. Its performance is compared with machine learning methods such as Tree Ensemble (TE), Chi-squared Automatic Interaction Detection (CHAID), Iterative Dichotomiser 3 (ID3), Fuzzy Rules, and Probabilistic Neural Network (PNN). The proposed method is evaluated on the BOT-IOT and UNSW-NB15 datasets. The results show that the proposed SFO-WOA-PSO-K-means method achieves the highest detection accuracy, 0.998 and 0.995, with the lowest execution time (training and testing) of 65.02 s and 112.33 s, and was able to detect attacks. The BOT-IOT dataset also yielded the better results. |
|---|---|