Nowadays, botnets have become one of the major threats to cyber security. The characteristics of botnets are mainly reflected in bots network behavior and their intercommunication relationships. Existing botnet detection methods use flow features or topology features individually, which overlook the other type of feature. This affects model performance. In this paper, we propose a botnet detection model which uses graph convolutional network (GCN) to deeply fuse flow features and topology features for the first time. We construct communication graphs from network traffic and represent nodes with flow features. Due to the imbalance of existing public traffic flow datasets, it is impossible to train a GCN model on these datasets. Therefore, we use a balanced public communication graph dataset to pretrain a GCN model, thereby guaranteeing its capacity for identify topology features. We then feed the communication graph with flow features into the pretrained GCN. The output from the last hidden layer is treated as the fusion of flow and topology features. Additionally, by adjusting the number of layers in the GCN network, the model can effectively detect botnets under both C2 and P2P structures. Validated on the public ISCX2014 dataset, our approach achieves a remarkable recall rate 92.90% and F1-score 92.76% for C2 botnets, alongside recall rate 94.66% and F1-score of 92.35% for P2P botnets. These results not only demonstrate the effectiveness of our method, but also outperform the performance of the currently leading detection models.

翻译：当前，僵尸网络已成为网络安全的主要威胁之一。僵尸网络的特征主要体现在僵尸主机的网络行为及其通信关系上。现有检测方法仅单独利用流量特征或拓扑特征，忽视了另一类特征的作用，这影响了模型性能。本文首次提出一种基于图卷积网络（GCN）深度融合流量特征与拓扑特征的僵尸网络检测模型。我们从网络流量中构建通信图，并以流量特征表征节点。由于现有公开流量数据集存在类别不平衡问题，无法直接在这些数据集上训练GCN模型。因此，我们采用平衡的公开通信图数据集对GCN模型进行预训练，从而保证其识别拓扑特征的能力。随后将携带流量特征的通信图输入预训练GCN，取最后一层隐藏层的输出作为流量与拓扑特征的融合结果。此外，通过调节GCN网络层数，该模型能够有效检测C2和P2P两种结构的僵尸网络。在公开ISCX2014数据集上的验证结果表明，针对C2僵尸网络的召回率达92.90%、F1分数达92.76%；针对P2P僵尸网络的召回率达94.66%、F1分数达92.35%。这些结果不仅验证了本方法的有效性，且性能优于当前主流检测模型。