Nowadays, botnets have become one of the major threats to cyber security. The characteristics of botnets are mainly reflected in bots network behavior and their intercommunication relationships. Existing botnet detection methods use flow features or topological features of the communication graph individually and overlook the other type of feature, which affects model performance. In this paper, we propose a botnet detection model which uses graph convolutional network (GCN) to deeply fuse flow features and topological features for the first time. We construct communication graphs from network traffic and represent nodes with flow features. Due to the imbalance of existing public traffic flow datasets, it is impossible to train a GCN model on these datasets. Therefore, we use a balanced public communication graph dataset to pretrain a GCN model, thereby guaranteeing its capacity for recognizing topological features. We then feed the communication graph with flow features into the pretrained GCN. The output from the last hidden layer is treated as the fusion of flow and topological features. Additionally, by adjusting the number of layers in the GCN network, the model can effectively detect botnets operating under both C2 and P2P structures. Validated on the public ISCX2014 dataset, our approach achieves a remarkable accuracy of 98.85% and a recall rate of 92.90% for C2 botnets, alongside an accuracy of 99.10% and a recall rate of 94.66% for P2P botnets. These results not only demonstrate the efficacy of our method, but also surpass the performance of the currently leading detection models.

翻译：当前，僵尸网络已成为网络安全的主要威胁之一。僵尸网络的特征主要反映在僵尸主机的网络行为及其相互通信关系上。现有僵尸网络检测方法单独使用通信图的流特征或拓扑特征，忽略了另一类特征，从而影响模型性能。本文首次提出一种利用图卷积网络（GCN）深度融合流特征与拓扑特征的僵尸网络检测模型。我们从网络流量中构建通信图，并以流特征表示节点。由于现有公开流量数据集的类别不平衡，无法基于这些数据集训练GCN模型。为此，我们采用平衡的公开通信图数据集预训练GCN模型，从而保证其对拓扑特征的识别能力。随后将携带流特征的通信图输入预训练GCN，以其最后一个隐藏层的输出作为流特征与拓扑特征的融合结果。此外，通过调整GCN网络层数，该模型可有效检测在C2和P2P两种结构下运行的僵尸网络。在公开的ISCX2014数据集上的验证结果显示，该方法对C2僵尸网络的准确率达98.85%，召回率达92.90%；对P2P僵尸网络的准确率达99.10%，召回率达94.66%。这些结果不仅证明了所提方法的有效性，而且其性能超越了当前领先的检测模型。