<!DOCTYPE article PUBLIC "-//NLM//DTD JATS (Z39.96) Journal Archiving and Interchange DTD v1.0 20120330//EN" "JATS-archivearticle1.dtd">
<article xmlns:xlink="http://www.w3.org/1999/xlink">
  <front>
    <journal-meta />
    <article-meta>
      <title-group>
        <article-title>Botnet Detection Approach Based on DNS</article-title>
      </title-group>
      <contrib-group>
        <contrib contrib-type="author">
          <string-name>Sergii Lysenko</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Kira Bobrovnikova</string-name>
          <email>bobrovnikova.kira@gmail.com</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Bohdan Savenko</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Piotr Gaj</string-name>
          <email>piotr.gaj@polsl.pl</email>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
          <xref ref-type="aff" rid="aff3">3</xref>
        </contrib>
        <contrib contrib-type="author">
          <string-name>Oleg Savenko</string-name>
          <xref ref-type="aff" rid="aff0">0</xref>
          <xref ref-type="aff" rid="aff1">1</xref>
          <xref ref-type="aff" rid="aff2">2</xref>
        </contrib>
        <aff id="aff0">
          <label>0</label>
          <institution>DNS</institution>
          ,
          <addr-line>Botnet, Cyberattack, Computer Network, Cybersecurity, Computer system, Malware</addr-line>
        </aff>
        <aff id="aff1">
          <label>1</label>
          <institution>Khmelnitsky National University</institution>
          ,
          <addr-line>Khmelnitsky</addr-line>
          ,
          <country country="UA">Ukraine</country>
        </aff>
        <aff id="aff2">
          <label>2</label>
          <institution>Malicious traffic</institution>
          ,
          <addr-line>Botnet Detection, AdaBoost, Decision Tree</addr-line>
        </aff>
        <aff id="aff3">
          <label>3</label>
          <institution>Silesian University of Technology</institution>
          ,
          <addr-line>Gliwice</addr-line>
          ,
          <country country="PL">Poland</country>
        </aff>
      </contrib-group>
      <abstract>
        <p>Botnets that use DNS technology are a serious threat on the Internet today. The potential of botnets is very large, from the spread of malware, ransomware, spam mailings to the theft of confidential information and money from bank accounts. Analysis of known methods and means of identification of botnets that use DNS has demonstrated the insufficient level of detection capacity of this type of botnets. Therefore, it is necessary to improve the method of botnets detection. The paper presents botnet detection approach based on DNS. The paper proposes a method of identifying botnets that use DNS based on the Decision Tree classifier with the application of the AdaBoost algorithm. The method allows you to ensure the detection of botnets that use DNS based on the characteristics of this technology of malicious software. The Decision Tree application algorithm is argued by the fact that it is a powerful tool for classification and prediction, and to strengthen the work of the above classifier, the AdaBoost algorithm was used in the study.</p>
      </abstract>
    </article-meta>
  </front>
  <body>
    <sec id="sec-1">
      <title>1. Introduction</title>
      <p>2022 Copyright for this paper by its authors.
3. Develop an appropriate model of the botnet, taking into account the domain name
system, the DNS traffic model and the model of the process of identification of the "domain flux"
evasion technology based on the analysis of DNS traffic.</p>
      <p>4. Develop an improved method of identifying botnets that use "domain flux" technology
by filtering DNS traffic using an accumulated database of whitelists, using the method of frequency
lexical analysis of domain names, collecting signs of DNS traffic and analyzing them based on the</p>
      <sec id="sec-1-1">
        <title>Decision Tree classifier with the application of the AdaBoost algorithm.</title>
        <p>Develop a botnet identification system that will improve the reliability and efficiency of the process
of detecting botnets that use the "domain flux" technology.</p>
        <p>The object of research is the process of identifying botnets that use the "domain flux" technology,
based on the analysis of DNS traffic.</p>
        <p>The subject of research is models, methods and software tools for identifying botnets using "domain
flux" technology, based on the analysis of DNS traffic.</p>
        <p>The aim of the work is to increase the reliability of the process of identification of botnets using the
technology of "domain flux".</p>
        <p>Scientific novelty of the obtained results. As a result of the study, the method of identification of
botnets using the "domain flux" technology has been improved, based on the analysis of DNS traffic,
which, unlike the well-known ones, uses complex analysis of DNS traffic using the Decision Tree
classifier and the AdaBoost algorithm.</p>
        <p>The practical significance of the results is the developed system of identification of botnets using
the technology of "domain flux", based on a comprehensive analysis of DNS traffic with high reliability
and efficiency based on the use of the RapidMiner platform, which is able to detect botnets with high
reliability.</p>
      </sec>
    </sec>
    <sec id="sec-2">
      <title>2. Related works</title>
    </sec>
    <sec id="sec-3">
      <title>2.1. Botnets and DNS</title>
      <p>Botnets play an important role in the spread of malware, and they are widely used to spread malicious
activity on the Internet. The study of the literature shows that a large subgroup of botnets uses DNS to
spread malicious actions and that there are different methods for detecting them using DNS queries.
The Domain Name System (DNS) is a system that establishes a correspondence between the IP address
and the domain name (and vice versa), and is designed to respond to DNS queries using the
corresponding protocol [6].</p>
      <p>Botnet is a computer network that includes a finite number of hosts that works with standalone
software – running bots. Typically, a bot as part of a botnet is a program that is installed hidden on the
victim's computer and allows the attacker to access the resources of the infected computer [7] and
perform certain actions. Most often used for illegal activities – sending spam emails, collecting
passwords on a remote system, organizing denial of service attacks, having access to personal
information about users, theft of credit card numbers and access passwords [8]. "Domain flux" is a
method of ensuring malicious activity of the botnet by constantly changing the domain name of the
C&amp;C server. Domain names are replaced in time based on the application of an algorithm that is known
only to an attacker (botmaster). This makes it impossible to detect malicious traffic generated by the
botnet.</p>
      <p>Modern botnets such as Zeus (Zbot, PRG, Wsnpoem, Gorhax, Kneber, Chthonic, Panda), Torpig,
Kraken, Conficker (DownUp, DownAndUp, DownAdUp, Kido), Mirai, "Star Wars" Twitter, Satori
IoT, Trickbot, Emotet, usually use technology called "domain flux" and domain generation algorithm
(DGA) [9] to generate a large number of pseudo-random domain names to dynamically manage network
operator bots and their bots.</p>
      <p>Typically, botnets generate a large number of DNS queries registered to the same IP address, and
they often generate many failures in DNS traffic. Failed DNS queries may indicate the presence of bots
on clients, while successful queries that occur in time next to unsuccessful ones are likely related to
benign user.</p>
      <p>In addition, the botnet can quickly transmit messages to all bots, which is one of the main advantages.
DNS traffic monitoring is an important task and helps to detect botnets that use the DNS analysis [10].
Identifying domain names generated algorithmically through DNS traffic analysis has different
advantages.</p>
      <p>For example, DNS includes only a small amount of traffic throughout the network, making it
appropriate for analysis even on large large-scale networks. Additionally, DNS traffic is typically
cached, which reduces network load. Moreover, the analysis of DNS queries helps to detect attacks in
the early stages or even before they occur.
2.2.</p>
    </sec>
    <sec id="sec-4">
      <title>Related works</title>
      <p>Today, the scientific community has developed a large number of methods for solving the problem
of identification of botnets using the technology of "domain flux".</p>
      <p>In particular, [11] describes a method that is based on the analysis of DNS queries, determines the
correlation of various logs and error messages, diagnoses based on the history of suspicious activity,
detects the activities of botnets based on DNS traffic failure and diagnoses based on DNS group activity,
and analyzes group activity on the network.</p>
      <sec id="sec-4-1">
        <title>In [12] a method is proposed to identify DGA based on the dictionary using graph theory.</title>
        <p>The article [13] describes the method of detecting bot modes using frequency analysis of character
distribution and weighted domain name scores.</p>
        <p>Paper [14] presents a method for detecting botnets by classifying text strings of domain names based
on  -grams.</p>
        <p>The paper [15] provides a method for detecting botnets based on the analysis of DNS traffic
functions. This method passively captures all DNS traffic from the gateway network, and then extracts
key functions to identify pseudo-random domain names.</p>
        <p>The anomaly detection and passive DNS analysis approach for botnet detection are presented in
[16, 17]. In [18] Identifying legitimate Web users and bots with different traffic profiles - an Information</p>
      </sec>
      <sec id="sec-4-2">
        <title>Bottleneck approach is presented.</title>
        <p>Thus, in contrast to heuristic methods, machine learning-based methods achieve high accuracy in
detecting botnets using "domain flux" technology. Of course, if in the process of generating
pseudorandom domain names, the logic of work changes, as well as certain characteristics change dramatically,
which may significantly reduce the efficiency of detection of botnets of this type.</p>
        <p>The anti-virus tools in question detect all known types of malware using signature databases and
existing heuristic approaches. However, none of the popular anti-virus tools today detect 100% of
botnets that use DNS.
2.3.</p>
      </sec>
    </sec>
    <sec id="sec-5">
      <title>Conclusions and the problem statement</title>
      <p>Known methods of botnets identification that use DNS are the subject to a decrease in the accuracy
of detection of new unknown botnets of this type when using pseudo-random domain names other than
known methods of generating pseudo-random domain names. Also, most methods do not allow
detecting attacks in the early stages or even before they occur.</p>
      <p>Therefore, in order to increase the reliability and efficiency of the process of identifying botnets
that use DNS, it is necessary to develop or improve the method based on a comprehensive analysis of</p>
      <sec id="sec-5-1">
        <title>DNS traffic through the use of machine learning algorithms.</title>
      </sec>
    </sec>
    <sec id="sec-6">
      <title>3. Model of the process of identification of botnets that use DNS 3.1. Process Formalization for the functioning of botnets that use DNS</title>
      <p>Botnets are distributed over the Internet using similar approaches to other SDPs. They can spread
like a worm, or they can disguise themselves as a Trojan executing following operations: the botmaster
issues a command (set of parameters and settings) to the command-and-control center to carry out the
attack; in turn, the command-and-control center sends a message to all bots of the botnet, which
immediately begin to execute the commands of the botmaster.</p>
      <p>Consider the model of a botnet that uses DNS as a control system for infected bots of a computer
system and present it in the form of a tuple:</p>
      <p>= 〈 ,  ,  ,  ,  ,  〉,
where C – a set of command and control servers (C&amp;C) of the botnet;</p>
      <p>– the number of command-controlling servers of the botnet,  = {  } =1   ;
 = {  }3=1 – type of botnet architecture;
 = {  }</p>
      <p>=1
network protocols used by the botnet,</p>
      <p>where   – a set of ports used for commissioning with the botnet, where   
{1. .65535}27];
∈ 
– a set of network protocols used for the functioning of the botnet – the number of
 = {  } =1 – a set of bots of the bot-network,  – the number of bots included in the bot network;
5
 = {  } =1</p>
      <p>– a set of stages of the life cycle of the botnet;
 = {  } =1 – a set of bot functions that can be performed in the corresponding phase of the botnet
life cycle,</p>
      <p>– the number of functions that bots can perform botnets.
3.2.</p>
    </sec>
    <sec id="sec-7">
      <title>Model of attack carried out by a botnet that use DNS</title>
      <p>
        Consider the botnet attack model, which uses DNS as a set of commands to carry out malicious
activities that can be performed by bots of botnets and their possible use scenarios:
(
        <xref ref-type="bibr" rid="ref1">1</xref>
        )
=
(
        <xref ref-type="bibr" rid="ref3">3</xref>
        )
 = { 
,  
,   ℎ ℎ
,   ℎ ℎ
,  
,  
,  
},
(
        <xref ref-type="bibr" rid="ref2">2</xref>
        )
where   – distributed denial of service attack;
  – spam attack;
  ℎ ℎ – phishing attack;
  – espionage;
  – placement of harmful content, such as the placement of content or advertising;
  – carrying out attacks using proxy servers.
      </p>
      <p>Botnets are distributed over the Internet using similar approaches to other malware. They can spread
like a worm, or they can disguise themselves as a Trojan. Let's take a closer look at the model of ways
to spread malware [24] and present it as follows:</p>
      <p>= {  ,   ,   ,   },
where   – distribution due to vulnerabilities in the operating system;
  – distribution through services and services;
  – distribution through applications and applications;
  – Spread through social engineering.
3.3.</p>
    </sec>
    <sec id="sec-8">
      <title>Botnet detection model</title>
      <p>Since the detection of botnets that use DNS is based on the botnet model, taking into account the
domain name system and DNS traffic model, it is an important task to develop a DNS traffic model and
a DNS package.</p>
      <p>Let's present a model of DNS traffic as a tuple:</p>
      <p>– host IP address of the SOURCE of the DNS package;
 
 
 
 
 
where</p>
      <p>is the host MAC address;
– the source port of the DNS package;
  –– header DNS-message section;
  – the time of receipt of the DNS package;
– question DNS message request section;
– answer DNS message section;
  ℎ –authority DNS message section;</p>
      <p>– additional information DNS message section.
presented as a function:</p>
      <p>( ,  ,  ,  ) →  ,
The process of extracting signs from incoming DNS messages for a specific domain name is
respectively;</p>
      <p>where  – a set of DNS messages sent and received from a set of computer systems of the network,

=   ∪   , where   and   – are the set of outgoing and incoming DNS messages in the network,
 – a set of computer systems of the network;
 – a set of DNS servers to which DNS queries and DNS responses were sent and received,
respectively  =   ∪   ,
where   and   – set of local and non-local DNS servers, respectively;
 – a set of requested domain names by a set of hosts of the network,
where  = {  } =1  – the number of different domain names.</p>
      <p>Let us present a model of DNS messages. It has to involve such elements as information concerning
the fields of incoming DNS messages. It enables the detection of the botnet that use DNS. that can be
used to identify botnets that use DNS,</p>
      <p>
        Thus, DNS messages may be presented:
 = 〈 
,  
,  
,   , 〈  ,  
,  
,   ℎ,  
〉〉,
(
        <xref ref-type="bibr" rid="ref5">5</xref>
        )
(
        <xref ref-type="bibr" rid="ref4">4</xref>
        )
(
        <xref ref-type="bibr" rid="ref6">6</xref>
        )
(
        <xref ref-type="bibr" rid="ref7">7</xref>
        )
(
        <xref ref-type="bibr" rid="ref8">8</xref>
        )
elements:
 
 
 
 
 
formula:
 
= true – a successful DNS query);
– TTL-period;
– the length of the domain name;
– number of digits in the domain name;
where  – set of signs that indicate the botnet presence.
      </p>
      <p>The set of signs indicating the activity of the botnet, which use DNS, consists of the following
 = { 
,  
,  
,  
,  
,  
},
where</p>
      <p>is the number of domain names that share an IP address;
– a binary sign of the success of the DNS query (if  
= false – a failed DNS query, and if
– a balanced estimate of the frequency lexical analysis of domain names, determined by the</p>
      <p>= ∑ =0   ,</p>
      <sec id="sec-8-1">
        <title>Where  – the number of letters in the domain name;   – frequency of use i-th letter.</title>
        <p>Let's present a model of the process of identification of botnets that use DNS as follows:
 = 〈  , 

,  
,  
,  
,  
〉,
(9)
where  
– botnet model;</p>
        <p>– DNS traffic model;






(


the network;
(
(
,  ) →  – function of sampling signs from DNS traffic;
,  ,  ) →</p>
        <p>– the function of classification of DNS messages of DNS traffic in
– function of notification of detection of bots of bots.</p>
      </sec>
    </sec>
    <sec id="sec-9">
      <title>4. Botnet Cyberattacks Detection Approach Based on DNS 4.1.</title>
    </sec>
    <sec id="sec-10">
      <title>Method for Botnet Detection Based on Decision Tree Classifier</title>
      <p>The paper proposes a method of identifying botnets that use DNS based on the Decision Tree
classifier with the application of the AdaBoost algorithm. The method allows you to ensure the detection
of botnets that use DNS based on the characteristics of this technology of malicious software.</p>
      <sec id="sec-10-1">
        <title>The Decision Tree application algorithm</title>
        <p>is argued by the fact that it is a powerful tool for
classification and prediction, and to strengthen the work of the above classifier, the AdaBoost algorithm</p>
        <p>The method consists of the following stages: preparation, training of the system and direct detection
was used in the study.
of the activities of the botnet that use DNS.
botnets that use DNS;</p>
      </sec>
      <sec id="sec-10-2">
        <title>The preparation stage includes the following steps:</title>
        <p>collection of test data (network traffic) for training.</p>
        <p>The training stage includes the following steps:
downloading test data (network traffic);
analysis, modeling and identification of key features that will be used to identify
evaluation of the model.</p>
        <p>monitoring of network traffic;
teaching the machine learning model, the necessary data must be pre-processed;
data conversion – in most cases, the available data is not suitable for use directly for
frequency lexical analysis of domain names;
formation of a database of white lists of domain names;
model training –using the Decision classifier and the AdaBoost algorithm, based on the
signs identified at the preparation stage for identifying botnets that use DNS;
The stage of detection of the activities of botnets that use DNS includes the following steps:
1)
2)
1)
2)
3)
4)
5)
6)
1)
2)
3)
4)
5)
6)
7)
domain names;
likely formed algorithmically;
classifier and the AdaBoost algorithm;
formation of conclusions.
filtering DNS traffic that uses weeding out known DNS queries that contain legitimate</p>
      </sec>
      <sec id="sec-10-3">
        <title>Collect all available parameters and features in filtered collected traffic</title>
      </sec>
      <sec id="sec-10-4">
        <title>Identify groups in which the DNS query is unsuccessful. identification of queries in which domain names by statistical analysis method are most</title>
      </sec>
      <sec id="sec-10-5">
        <title>Comparing multiple groups of features and analyzing them using the Decision Tree</title>
      </sec>
      <sec id="sec-10-6">
        <title>To train the model, the Decision Tree classifier was used with the AdaBoost algorithm.</title>
      </sec>
      <sec id="sec-10-7">
        <title>The pseudocode of the AdaBoost algorithm is given below:</title>
        <p>We have: for all (x1, y1),...,(xm, ym ) x  X , yi Y = −1, +1.
i
Initialize D1 (i) =</p>
        <p>, i = 1,..., m.</p>
        <p>For every t = 1,...,T :
1
m
Find
h : X → −1, +1
t
a
classifier that
minimizes
weighted
classification
error:
m
i=1
1
2
et
ht = arg mhjiHnej where ej =  Dt (i)[ yi  hj ( xi )] .</p>
        <p>If the value is , then et  0.5 the stop is performed.</p>
        <sec id="sec-10-7-1">
          <title>Select  t R ,</title>
          <p> t = ln</p>
          <p>1− et where the weighted classifier failed. et ht
where the normalization parameter is Z
t Dt +1  Dt +1 (i) =1(selected so that the probability
distribution is selected, that is).</p>
        </sec>
      </sec>
      <sec id="sec-10-8">
        <title>Build the resulting classifier:</title>
        <p>Dt+1(i) =</p>
        <p>Dt (i)e−t yiht ( xi )</p>
        <p>,
Z</p>
        <p>t
m
i=1
 T
H (x) = sign  t ht (x)  .</p>
        <p>

(10)
(11)
(12)</p>
        <p>The expression to update the distribution must be designed in such a way that the following
condition is met:
e− t yiht ( xi )  1, y(i) = ht (xi ) .</p>
        <p> 1, y(i)  ht (xi )
application of the AdaBoost algorithm.
features for each domain name</p>
        <sec id="sec-10-8-1">
          <title>Thus, after selecting the optimal classifier hi for the distribution D</title>
          <p>t of objects xi that are a
classifier identifies correctly, have weights less than those determined incorrectly.</p>
          <p>In the initial step, DNS traffic is obtained by monitoring the network through the SPAN port of the
network switch (Switched Port Analyzer), which duplicates packets from one or more ports to a separate
port and for each domain name, the value of a weighted estimate of frequency lexical analysis is
determined.</p>
          <p>Weighted estimates of the frequency lexical analysis of DNS domain names are used to further
identify botnets using "domain flux" technology, based on the</p>
        </sec>
      </sec>
      <sec id="sec-10-9">
        <title>AdaBoost algorithm, as one of the signs indicating this application of evasion technology.</title>
      </sec>
      <sec id="sec-10-10">
        <title>Decision Tree classifier and the Then all selected and analyzed data from the filtered DNS traffic are combined into a set of features, which will allow detecting botnets that use DNS, based on the Decision Tree classifier with the</title>
        <p>For all the collected grouped data, the applied conversion and normalization, resulting in a set of

 = { 
, , 
, ,  
, ,  
, ,  
, ,  
, },
where  ∈  ′– the number of collected DNS messages after filtering.</p>
        <p>The last step is to form conclusions based on the analysis of a set of features   for each domain
name by the AdaBoost machine learning algorithm. Since binary classification is used by a machine
learning algorithm, the output obtains a result in accordance with each requested domain name, which
can acquire two values: malicious request from the bot or benign request.</p>
      </sec>
    </sec>
    <sec id="sec-11">
      <title>Implementation of the Botnet Detection system</title>
      <p>In order to verify the effectiveness of the proposed method, a botnet identification system was
implemented, which is based on the use of the RapidMiner open source platform [19].</p>
      <p>RapidMiner is an integrated environment for data processing in large information arrays, machine
learning, text analytics and construction of predictive models, as well as for solving applied and
scientific problems.</p>
      <p>Model of the botnet detection system using designed in a RapidMiner environment is presented in
Figure 1.</p>
      <sec id="sec-11-1">
        <title>Subsystem of application of the AdaBoost algorithm is shown in Figure 2.</title>
        <p>Experimental studies of the effectiveness of the botnet detection
To assess the effectiveness of proposed method of botnets detection, a number of experiments were
carried out. the experimental environment is based on the framework described in [20-23].</p>
      </sec>
      <sec id="sec-11-2">
        <title>To ensure unbiased results at the training stage, the dataset [24] was divided into two parts.</title>
        <p>The first is 75% for training, and the remaining 25% is used to check the correctness of the system.</p>
        <p>A total of 19,500 domain names (components of the training sample) were analyzed, among which
14,625 (75%) were selected for training, and 4,875 (25%) were used to verify correctness.</p>
        <p>There were 9,969 requests for input experiments. There were also requests from bots of the bot
network using the "domain flux" technology.</p>
      </sec>
      <sec id="sec-11-3">
        <title>The total number was 306. Correctly identified 9775 requests, which is 98.05% of the total.</title>
        <p>The total number of correctly and incorrectly identified requests is presented as a result of the system
in Figure 5.</p>
        <p>Thus, the proposed method demonstrated the possibility of identifying botnets using "domain flux"
technology with high reliability (98.05%).</p>
      </sec>
    </sec>
    <sec id="sec-12">
      <title>5. Conclusions</title>
      <p>The method of identification of botnets that use DNS has been developed. The results of the study
obtained such scientific results.</p>
      <p>The peculiarities of the functioning of botnets that use DNS taking into account the domain name
system was investigated. Modern methods and means of identification of botnets based on DNS-traffic
were analyzed in order to determine ways to increase the efficiency of botnet detection.</p>
      <p>The corresponding model of the botnet was developed taking into account the domain name system,
the DNS traffic model and the model of the process of botnet detection on the analysis of DNS traffic.</p>
      <p>An improved method of identification of botnets that use DNS by filtering DNS traffic using the
accumulated database of white lists, collecting signs of DNS traffic and analyzing them based on the
Decision Tree classifier with the application of the AdaBoost algorithm has been developed.</p>
      <p>A system for identifying botnets has been developed that will ensure an increase in the reliability
and efficiency of the process of detecting botnets that use DNS.</p>
      <p>Experimental research demonstrated the ability of the proposed method to identify botnets that use</p>
      <sec id="sec-12-1">
        <title>DNS with high reliability (up to 98.05%).</title>
      </sec>
    </sec>
    <sec id="sec-13">
      <title>6. References</title>
      <p>[9] D.Truong, G.Cheng Detecting domain‐flux botnet based on DNS traffic features in managed
network. Security Comm. Networks. 2016. P. 2338–2347. DOI: 10.1002/sec.1495.
[10] O.Olowoyo, P. Owolawi, Malware Classification using Deep Learning Technique. 2020 2nd
International Multidisciplinary Information Technology and Engineering Conference, IMITEC
2020, 9334071.
[11] C.Nafari, E.Mahdipoor, Sayed Javadi H.Hajj Detection of active botnets based on DNS traffic
analysis. Journal of Advances in Computer Engineering and Technology. 2019, Vol. 5, No. 3. P.
129–142.
[12] M.Pereira, S. Yu B.Coleman, M.D.Cock, A.C. Nascimento. Dictionary Extraction and Detection
of Algorithmically Generated Domain Names in Passive DNS Traffic. 21st International
Symposium : RAID 2018. Heraklion, September 10-12, 2018. DOI:
10.1007/978-3-030-004705_14.
[13] E.Agyepong, W.J.Buchanan, K.Jones. Detection of Algorithmically Generated Malicious Domain
Using Frequency Analysis. International Journal of Computer Science and Information
Technology. 2018. P. 91–111 DOI: 10.5121/ijcsit.2018.10306.
[14] T.Wang, L.C.Seidenberg. Detecting Algorithmically Generated Domains Using Data
Visualization and N-Grams Methods. Proceedings of Student-Faculty Research Day, CSIS, Pace</p>
      <sec id="sec-13-1">
        <title>University, May 5, 2017.</title>
        <p>[15] J.Spooren, D.Preuveneers, L.Desmet, P.Janssen, W.Joosen. Detection of algorithmically generated
domain names used by botnets: a dual arms race. SAC '19: Proceedings of the 34th ACM/SIGAPP
Symposium on Applied Computing. 2019. P. 1916–1923. DOI:
https://doi.org/10.1145/3297280.3297467.
[16] H.Qin, J.Yang, X Luo. Z.Li, Q. Guo, Research on DNS anomaly detection technology based on
multiple features. Journal of Shenzhen University Science and Engineering. 2020, 37. pp. 36-43.
[17] X.Guo, Z.Pan, Y.Chen, Application of Passive DNS in Cyber Security. Proceedings of2020 IEEE
International Conference on Power, Intelligent Computing and Systems, CPICS 2020, pp.
2S7259,9202344.
[18] G.Suchacka, J. Iwariski. Identifying legitimate Web users and bots with different traffic profiles
an Information Bottleneck approach. Knowledge-Based Systems, 2020,197,10587S
[19] RapidMiner’s data science platform. https://rapidminer.com/ (accessed on February 1, 2022).
[20] Tomas Sochor, Nadezda Chalupova. Interpersonal Internet Messaging Prospects in Industry 4.0</p>
        <p>Era. In: Recent Advances in Soft Computing and Cybernetics. Springer, Cham, 2021. p. 285-295.
[21] O.Savenko, S.Lysenko, A.Kryschuk Multi-agent based approach of botnet detection in computer
systems. Communications in Computer and Information Science. 2012. Vol. 291. PP.171-180,
ISSN: 1865-0929.
[22] Oleg Savenko, Sergii Lysenko, Andrii Kryshchuk, Yuriu Klots. Botnet detection technique for
corporate area network. Proceedings of the 7-th IEEE International Conference on Intelligent Data
Acquisition and Advanced Computing Systems: Technology and Applications, Berlin (Germany),
September 12–14, 2013. Berlin, 2013. Pp. 363–368. ISBN 978-1-4799-1426-5.
[23] Sergii Lysenko, Kira Bobrovnikova, Serhii Matiukh, Ivan Hurman, Oleg Savenko. Detection of
the botnets’ low-rate DDoS attacks based on self-similarity. International Journal of Electrical and
Computer Engineering. 2020. Vol. 10., №4. PP.3651-3659, ISSN: 2088-8708.
[24] O. Savenko, A. Nicheporuk, I. Hurman, S. Lysenko. Dynamic signature-based malware detection
technique based on API call tracing. CEUR-WS. 2019. Vol. 2393. P.633-643, ISSN: 1613-0073.
[25] Canadian Institute for Cybersecurity. Botnet dataset, https://www.unb.ca/cic/datasets/botnet.html
(accessed 15.01.2022).
[26] IoT dataset. URL: https://github.com/thieu1995 /iot dataset (accessed on 15.01.2022).
[27] IoTPOT dataset. URL:https://ipsr.ynu.ac.jp/iot /index. html# datasets (accessed on 15.01.2022).</p>
      </sec>
    </sec>
  </body>
  <back>
    <ref-list>
      <ref id="ref1">
        <mixed-citation>
          <source>[1] Check point software cyber security report 2022</source>
          . URL: https://www.ntsc.
          <source>org (accessed on February 1</source>
          ,
          <year>2022</year>
          ).
        </mixed-citation>
      </ref>
      <ref id="ref2">
        <mixed-citation>
          [2]
          <string-name>
            <given-names>Wang</given-names>
            <surname>Zishuo</surname>
          </string-name>
          ,
          <string-name>
            <surname>Wang</surname>
            <given-names>Chunyang</given-names>
          </string-name>
          , Ding Lianghua, Wang Zeng, Liang Shuning,
          <article-title>Parameter identification of fractional-order time delay system based on Legendre wavelet</article-title>
          ,
          <source>Mechanical Systems and Signal Processing</source>
          , Volume
          <volume>163</volume>
          ,
          <year>2022</year>
          , 108141, ISSN 0888-3270, https://doi.org/10.1016/j.ymssp.
          <year>2021</year>
          .
          <volume>108141</volume>
          .
        </mixed-citation>
      </ref>
      <ref id="ref3">
        <mixed-citation>
          [3] Zhang,
          <string-name>
            <given-names>Wang</given-names>
            <surname>Huiqin</surname>
          </string-name>
          ,
          <string-name>
            <surname>J Wang Chun</surname>
          </string-name>
          , Meng Xudong Chen,.
          <article-title>Integration of cuckoo search and fuzzy support vector machine for intelligent diagnosis of production process quality</article-title>
          .
          <source>Journal of Industrial &amp; Management Optimization</source>
          .
          <year>2017</year>
          .
          <volume>13</volume>
          . 10.3934/jimo.2020150.
        </mixed-citation>
      </ref>
      <ref id="ref4">
        <mixed-citation>
          [4]
          <string-name>
            <given-names>S.N.</given-names>
            <surname>Thanh</surname>
          </string-name>
          ,
          <string-name>
            <given-names>M.</given-names>
            <surname>Stcgc</surname>
          </string-name>
          ,
          <string-name>
            <given-names>P.I.</given-names>
            <surname>El-Habr</surname>
          </string-name>
          ,
          <string-name>
            <given-names>J.</given-names>
            <surname>Bang</surname>
          </string-name>
          ,
          <string-name>
            <surname>N.Dragoni,</surname>
          </string-name>
          <article-title>Survey on botnets: Incentives, evolution, detection and current trends</article-title>
          .
          <source>Future Internet</source>
          ,
          <year>2021</year>
          ,
          <volume>13</volume>
          (
          <issue>8</issue>
          ),
          <fpage>198</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref5">
        <mixed-citation>
          [5]
          <string-name>
            <given-names>G.</given-names>
            <surname>Suchacka</surname>
          </string-name>
          ,
          <string-name>
            <given-names>A.</given-names>
            <surname>Cabri</surname>
          </string-name>
          ,
          <string-name>
            <given-names>S.</given-names>
            <surname>Rovetta</surname>
          </string-name>
          ,
          <string-name>
            <given-names>F.</given-names>
            <surname>Masulli</surname>
          </string-name>
          ,
          <article-title>Efficient on-the-fly Web bot detection</article-title>
          .
          <source>KnowledgeBased Systems</source>
          ,
          <year>2021</year>
          ,
          <volume>223</volume>
          ,
          <fpage>107074</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref6">
        <mixed-citation>
          <source>[6] RFC 1034</source>
          ,
          <string-name>
            <surname>Domain</surname>
            <given-names>Names</given-names>
          </string-name>
          - Concepts and Facilities.
        </mixed-citation>
      </ref>
      <ref id="ref7">
        <mixed-citation>
          [7]
          <string-name>
            <surname>Lekssays</surname>
            ,
            <given-names>A.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Landa</surname>
            ,
            <given-names>L</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Carminati</surname>
            ,
            <given-names>B.</given-names>
          </string-name>
          ,
          <string-name>
            <surname>Ferrari</surname>
            ,
            <given-names>E.</given-names>
          </string-name>
          <article-title>PAutoBotCatcher: A blockchain-based privacypreserving botnet detector for Internet of Things</article-title>
          .
          <source>Computer Networks</source>
          .
          <year>2021</year>
          ,
          <volume>200</volume>
          ,
          <fpage>108512</fpage>
          .
        </mixed-citation>
      </ref>
      <ref id="ref8">
        <mixed-citation>
          [8]
          <string-name>
            <given-names>J.</given-names>
            <surname>Shi</surname>
          </string-name>
          .,
          <string-name>
            <surname>Y.-B.Leau</surname>
            ,
            <given-names>K.</given-names>
          </string-name>
          <string-name>
            <surname>Li</surname>
            ,
            <given-names>J.H.</given-names>
          </string-name>
          <string-name>
            <surname>Obit</surname>
          </string-name>
          .
          <article-title>A comprehensive review on hybrid network traffic prediction model</article-title>
          .
          <source>International Journal of Electrical and Computer Engineering</source>
          ,
          <year>2021</year>
          ,
          <volume>11</volume>
          (
          <issue>2</issue>
          ), pp.
          <fpage>1450</fpage>
          -
          <lpage>1459</lpage>
          .
        </mixed-citation>
      </ref>
    </ref-list>
  </back>
</article>