Abstract
Botnet detection remains a critical and challenging area in the field of information security, primarily due to the intricate architectures and sophisticated attack mechanisms employed by botnets. The significant influence of botnets on spam traffic is well-documented; however, much of the existing literature predominantly focuses on binary classification, distinguishing only between botnet and non-botnet traffic. This paper introduces a novel approach aimed at addressing this limitation by implementing an IP mapping mechanism leveraging geolocation data to enhance the quality of botnet datasets. These enriched datasets are subsequently utilized within a Convolutional Neural Network (CNN) framework to facilitate three-class classification. The proposed model differentiates among non-botnet traffic, spam botnets, and non-spam botnets, with the distinction between botnet classes driven by the substantial impact of spam botnets. The experimental results demonstrate that the proposed model achieves an average accuracy of 97.89%, along with a precision of 80.72%, recall of 72.40%, and F1-score of 73.71% across various scenarios using three distinct datasets.
| Original language | English |
|---|---|
| Pages (from-to) | 185-203 |
| Number of pages | 19 |
| Journal | International Journal of Intelligent Networks |
| Volume | 6 |
| Publication status | Published - Jan 2025 |
Keywords
- Botnet detection
- Convolutional neural network
- Geolocation country mapping
- Network infrastructure
- Network security
- Spam botnet
Title
Improving spam botnet detection through convolutional model and geolocation feature enhancement in a novel three-class classification task