B-Corr Model for Bot Group Activity Detection Based on Network Flows Traffic Analysis

Dandy Pramana Hostiadi*, Waskitho Wibisono, Tohari Ahmad

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

14 Citations (Scopus)

Abstract

A botnet is a dangerous type of malware. A botnet attack in which a collection of bots attacks a similar target with a similar activity pattern is called a bot group activity. Existing intrusion detection models can only detect single-bot activities; they cannot detect the behavioral relations between bots in a bot group attack. Detecting bot group activities would help network administrators isolate the activity or access of a bot group attack and determine the relations between bots by measuring their correlation. This paper proposes a new model, called the B-Corr model, that measures the similarity between bot activities using the intersection-probability concept in order to define bot group activities. The B-Corr model consists of several stages: feature extraction from bot activity flows, measurement of the intersections between bots, and production of similarity values. The B-Corr model categorizes bots that share a similar target as similar bots, thereby specifying bot group activities. To give a more comprehensive view, the B-Corr model visualizes the similarity values between bots as a similar-bot graph. Extensive experiments have been conducted on real botnet datasets, achieving high detection accuracy in various scenarios.
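The three stages the abstract names (feature extraction from bot activity flows, pairwise intersection measurement, similarity scoring followed by grouping into a similar-bot graph) are illustrated below with a small Python script. This is an added example, not code from the paper or its authors: the flow records are constructed, the Jaccard ratio of target sets is assumed as a stand-in for the paper's intersection-probability measure, and the function names, the `(dst_ip, dst_port, proto)` target feature and the grouping threshold are all choices made here for illustration.

```python
"""Illustration of a B-Corr-style pipeline: extract target features from
bot activity flows, measure pairwise intersections, score similarity and
group bots that hit the same targets into connected components.
Assumed similarity measure: Jaccard ratio of target sets (not the paper's
exact formula)."""
from collections import defaultdict
from itertools import combinations

# Constructed sample flow records (src_ip, dst_ip, dst_port, proto) from
# hosts already labelled as bots; not taken from any real botnet dataset.
BOT_FLOWS = [
    ("10.0.0.1", "192.168.1.10", 80, "tcp"),
    ("10.0.0.1", "192.168.1.10", 443, "tcp"),
    ("10.0.0.1", "192.168.1.11", 25, "tcp"),
    ("10.0.0.1", "192.168.1.10", 80, "tcp"),   # repeated flow: same target, counted once
    ("10.0.0.2", "192.168.1.10", 80, "tcp"),
    ("10.0.0.2", "192.168.1.10", 443, "tcp"),
    ("10.0.0.2", "192.168.1.12", 22, "tcp"),
    ("10.0.0.3", "192.168.1.10", 80, "tcp"),
    ("10.0.0.3", "192.168.1.11", 25, "tcp"),
    ("10.0.0.4", "172.16.0.5", 3389, "tcp"),   # unrelated bot, no shared target
]


def extract_targets(flows):
    """Stage 1: reduce each bot's flows to its set of (dst_ip, dst_port, proto)."""
    targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        targets[src].add((dst, dport, proto))
    return dict(targets)


def intersection_probability(a, b):
    """Stages 2-3: fraction of the combined target space both bots hit.
    Assumed Jaccard form |A ∩ B| / |A ∪ B|; empty sets score 0 (no division)."""
    if not a or not b:
        return 0.0
    return len(a & b) / len(a | b)


def similar_bot_graph(targets, threshold):
    """Edges of the similar-bot graph: pairs whose similarity reaches the threshold."""
    edges = {}
    for x, y in combinations(sorted(targets), 2):
        s = intersection_probability(targets[x], targets[y])
        if s >= threshold:
            edges[(x, y)] = round(s, 3)
    return edges


def group_bots(targets, threshold):
    """Bot groups = connected components of the similar-bot graph (union-find)."""
    parent = {b: b for b in targets}

    def find(b):
        while parent[b] != b:
            parent[b] = parent[parent[b]]   # path halving
            b = parent[b]
        return b

    for x, y in similar_bot_graph(targets, threshold):
        parent[find(x)] = find(y)
    comps = defaultdict(list)
    for b in targets:
        comps[find(b)].append(b)
    return sorted(sorted(c) for c in comps.values())


if __name__ == "__main__":
    t = extract_targets(BOT_FLOWS)
    print("edges:", similar_bot_graph(t, 0.3))
    print("groups:", group_bots(t, 0.3))
```

Raising the threshold splits groups: at 0.3 the first three bots form one group because each shares targets with 10.0.0.1, while at 0.6 only 10.0.0.1 and 10.0.0.3 (two of three targets in common) remain together. The threshold, the choice of target feature and the Jaccard stand-in are all assumptions of this example; the paper's own measure and parameters are in the article.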

Original language: English
Pages (from-to): 4176-4197
Number of pages: 22
Journal: KSII Transactions on Internet and Information Systems
Volume: 14
Issue number: 10
DOIs
Publication status: Published - 31 Oct 2020

Keywords

  • Bot activity flows
  • Bot group activity
  • Intrusion detection system
  • Network security
  • Similar intersection
