Evaluating traditional botnet detection applied to contemporary threats from the internet of things

Date of Award


Document Type



Edith Cowan University

Degree Name

Doctor of Philosophy


School of Science

First Supervisor

Michael Johnstone

Second Supervisor

Paul Haskell-Dowland

Third Supervisor

Peter Hannay


The Internet of Things (IoT) is a technological concept where many low-powered devices are interconnected in order to enhance the services they provide. A botnet is a collection of compromised devices used by a malicious actor to conduct various cyberattacks. Traditional botnets were typically made up of ordinary computers. Contemporary botnet threats have been seen to infect IoT devices, leveraging their numerosity, constant operation, and insecurity.

This research examined various traditional botnet detection techniques in the literature and aimed to establish their capabilities for IoT-based botnet detection. The research question created and answered in order to achieve this goal was “Can botnet detection techniques designed to detect traditional botnets detect IoT-based botnets?” In particular, three botnet detection techniques were examined: BotMiner, BotProbe, and BotHunter.

Botnet detection techniques were acquired or reconstructed based on the literature for a set of experiments. Simulations and datasets of both traditional and IoT-based botnets were developed and acquired respectively to test the botnet detection techniques. The simulations included novel approaches towards representing background and botnet traffic in a contained environment, the results of which were further validated by experiments on externally acquired datasets.

The findings of the experiments demonstrated that some of the traditional botnet detection techniques are capable of detecting IoT-based bots, but also appear to exhibit limitations that may impact their usage. BotMiner was able to detect all bots in the experimental environments but rendered false positives when faced with aberrant non-bot activities. BotProbe can only operate on IRC-based botnets and failed to detect bots under certain conditions but did not produce any false positives. BotHunter was unable to detect any bots present in the simulations and external datasets. The weaknesses of the techniques appear to be mostly derived from a particular focus on the IRC protocol and over-reliance on IDS alert signatures.

The results demonstrate that older botnet detection techniques are capable of detecting contemporary threats but may require some further development to produce more accurate and reliable results.



Access Note

Access to this thesis is embargoed until 10th November 2024.

Access to this thesis is restricted. Please see the Access Note below for access details.