The evolving threat landscape of botnets: Comprehensive analysis of detection techniques in the age of artificial intelligence

IF 7.6 3区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Internet of Things Pub Date : 2025-08-13 DOI:10.1016/j.iot.2025.101728

Arash Mahboubi , Khanh Luong , Hamed Aboutorab , Hang Thanh Bui , Seyit Camtepe , Keyvan Ansari , Bazara Barry

{"title":"The evolving threat landscape of botnets: Comprehensive analysis of detection techniques in the age of artificial intelligence","authors":"Arash Mahboubi , Khanh Luong , Hamed Aboutorab , Hang Thanh Bui , Seyit Camtepe , Keyvan Ansari , Bazara Barry","doi":"10.1016/j.iot.2025.101728","DOIUrl":null,"url":null,"abstract":"<div><div>Botnets represent a significant and evolving cybersecurity threat, leveraging networks of compromised devices for various malicious activities, including data exfiltration (e.g., Truebot malware), credential theft, and distributed denial-of-service (DDoS) attacks. heir increasing sophistication includes advanced evasion techniques such as domain generation algorithms (DGAs), encrypted command-and-control (C&C) channels, and peer-to-peer (P2P) architectures. These innovations pose substantial challenges to conventional detection systems. Existing surveys typically examine isolated detection methodologies or specific datasets, failing to address comprehensively the broader landscape, especially regarding adversarial manipulation of machine learning (ML) and artificial intelligence (AI) feature sets. To address this critical gap, this survey introduces the first systematic adversarial-aware analysis of botnet detection strategies. It specifically evaluates how adversaries exploit ML/AI feature manipulation, such as through noise injection and feature perturbation, to evade detection, a perspective that has not been quantitatively addressed in prior literature. A core contribution is our explicit benchmarking of detection model robustness across four quantitative metrics, faithfulness, monotonicity, sensitivity, and complexity, providing novel insights into the resilience of state-of-the-art models under adversarial conditions. Additionally, we highlight persistent practical challenges including limited dataset diversity and dependence on high-quality labeled data, and propose potential mitigation approaches such as synthetic data generation, federated and semi-supervised learning, and lightweight detection architectures tailored for resource-constrained IoT deployments. Finally, we outline key future research directions emphasizing standardized robustness evaluation frameworks, explainable AI to enhance interpretability and trust, and privacy-preserving collaborative data-sharing mechanisms. By integrating this adversarial-aware perspective with a comprehensive and practical evaluation framework, this work contributes to the field’s understanding of botnet detection and supports the design of more robust and resilient cybersecurity solutions through insights relevant to both researchers and practitioners.</div></div>","PeriodicalId":29968,"journal":{"name":"Internet of Things","volume":"33 ","pages":"Article 101728"},"PeriodicalIF":7.6000,"publicationDate":"2025-08-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Internet of Things","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2542660525002422","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Botnets represent a significant and evolving cybersecurity threat, leveraging networks of compromised devices for various malicious activities, including data exfiltration (e.g., Truebot malware), credential theft, and distributed denial-of-service (DDoS) attacks. heir increasing sophistication includes advanced evasion techniques such as domain generation algorithms (DGAs), encrypted command-and-control (C&C) channels, and peer-to-peer (P2P) architectures. These innovations pose substantial challenges to conventional detection systems. Existing surveys typically examine isolated detection methodologies or specific datasets, failing to address comprehensively the broader landscape, especially regarding adversarial manipulation of machine learning (ML) and artificial intelligence (AI) feature sets. To address this critical gap, this survey introduces the first systematic adversarial-aware analysis of botnet detection strategies. It specifically evaluates how adversaries exploit ML/AI feature manipulation, such as through noise injection and feature perturbation, to evade detection, a perspective that has not been quantitatively addressed in prior literature. A core contribution is our explicit benchmarking of detection model robustness across four quantitative metrics, faithfulness, monotonicity, sensitivity, and complexity, providing novel insights into the resilience of state-of-the-art models under adversarial conditions. Additionally, we highlight persistent practical challenges including limited dataset diversity and dependence on high-quality labeled data, and propose potential mitigation approaches such as synthetic data generation, federated and semi-supervised learning, and lightweight detection architectures tailored for resource-constrained IoT deployments. Finally, we outline key future research directions emphasizing standardized robustness evaluation frameworks, explainable AI to enhance interpretability and trust, and privacy-preserving collaborative data-sharing mechanisms. By integrating this adversarial-aware perspective with a comprehensive and practical evaluation framework, this work contributes to the field’s understanding of botnet detection and supports the design of more robust and resilient cybersecurity solutions through insights relevant to both researchers and practitioners.

查看原文本刊更多论文

僵尸网络不断演变的威胁格局：人工智能时代检测技术的综合分析

僵尸网络代表了一种重大且不断发展的网络安全威胁，利用受损设备网络进行各种恶意活动，包括数据泄露（例如Truebot恶意软件）、凭证盗窃和分布式拒绝服务（DDoS）攻击。其日益复杂的技术包括高级规避技术，如域生成算法（DGAs）、加密命令与控制（C&；C）通道和点对点（P2P）架构。这些创新对传统检测系统构成了重大挑战。现有的调查通常检查孤立的检测方法或特定的数据集，未能全面解决更广泛的问题，特别是关于机器学习（ML）和人工智能（AI）功能集的对抗性操作。为了解决这一关键差距，本调查介绍了僵尸网络检测策略的第一个系统的对抗性感知分析。它具体评估了攻击者如何利用ML/AI特征操纵，例如通过噪声注入和特征扰动，以逃避检测，这一观点在先前的文献中尚未定量解决。我们的核心贡献是通过四个定量指标对检测模型的稳健性进行明确的基准测试，即忠实度、单调性、灵敏度和复杂性，为最先进的模型在对抗条件下的弹性提供了新的见解。此外，我们强调了持续存在的实际挑战，包括有限的数据集多样性和对高质量标记数据的依赖，并提出了潜在的缓解方法，如合成数据生成、联邦和半监督学习，以及为资源受限的物联网部署量身定制的轻量级检测架构。最后，我们概述了未来的关键研究方向，强调标准化的鲁棒性评估框架，可解释的人工智能以增强可解释性和信任，以及保护隐私的协作数据共享机制。通过将这种对抗性感知视角与全面实用的评估框架相结合，这项工作有助于该领域对僵尸网络检测的理解，并通过与研究人员和从业人员相关的见解支持设计更强大、更有弹性的网络安全解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Internet of Things Multiple-

CiteScore

3.60

自引率

5.10%

发文量

115

审稿时长

37 days

期刊介绍： Internet of Things; Engineering Cyber Physical Human Systems is a comprehensive journal encouraging cross collaboration between researchers, engineers and practitioners in the field of IoT & Cyber Physical Human Systems. The journal offers a unique platform to exchange scientific information on the entire breadth of technology, science, and societal applications of the IoT. The journal will place a high priority on timely publication, and provide a home for high quality. Furthermore, IOT is interested in publishing topical Special Issues on any aspect of IOT.