|
| Papers | Mechanism | Algorithm/model | Dataset | Advantage | Drawback |
|
| PSI [83] | High-order subgraph features based on PSI were extracted from malicious code, combined the classifier to detect the Internet of Things botnet | SVM, RF, Bagging, DT, kNN | IoTPOT [92]; VirusShare [93] | (i) Extracted the PSI subgraph from malicious code
(ii) The detection accuracy is greater than 97% | (i) It is difficult to capture malicious samples |
| BotGraph [84] | For Large Scale Spamming botnet, a large user graph was constructed to reveal the correlation between botnet activities and bots were detected through abnormal behavior | MapReduce; Exponential Weighted Moving Average (EWMA) | Hotmail registration log | (i) Proposed a novel graph-based method to detect new Web account abuse attacks
(ii) A new distributed programming model, MapReduce, for building and analyzing large images | (i) The topology of the graph is large
(ii) The message cannot be detected before transmission |
| XIONG [88] | In view of the anonymity of the zombie, according to the DNS query response, the mapping relationship between the domain name and IP was extracted by DNSmap tool, and the DNS correlation map was constructed | DNSmap | CTU | (i) DNS traffic is small, detect early | (i) For P2P botnets that do not conduct DNS query, the effect is not good |
| Light GBM algorithm is used to complete the classification of graph components | Light GBM | ISCX-bot | (ii) High-speed flow detection |
| PeerHunter [89] | First, P2P traffic was filtered, MCG was constructed, and the community was mined through the community mining algorithm. Then, detection is carried out according to the statistical characteristics of the community | MapReduce | Collected P2P data itself | (i) An early approach to community behavior analysis | (i) Need to manually adjust the community statistics |
| Louvain | (ii) Good elasticity | (ii) Does not work well against deep latency botnets |
| [91] | According to the traffic, histogram and graph method were used to extract the key abnormal nodes, and then social association graph (SCG) was constructed, and community detection idea was used to detect robots | SCG | CTU-13 | (i) Key nodes were identified and community similarity analysis is carried out | (i) Not suitable for small-scale graph |
| Louvain | CAIDA [94] xml | (ii) The modularity measure function was optimized |
|
