XG-BoT: An Explainable Deep Graph Neural Network for Botnet Detection and Forensics
This paper addresses botnet detection and forensics for network security, offering incremental improvements in explainability and performance.
The paper tackles botnet detection by proposing XG-BoT, an explainable deep graph neural network model that detects malicious nodes in large-scale networks and provides automatic forensics, outperforming state-of-the-art approaches in key metrics.
In this paper, we propose XG-BoT, an explainable deep graph neural network model for botnet node detection. The proposed model comprises a botnet detector and an explainer for automatic forensics. The XG-BoT detector can effectively detect malicious botnet nodes in large-scale networks. Specifically, it utilizes a grouped reversible residual connection with a graph isomorphism network to learn expressive node representations from botnet communication graphs. The explainer, based on the GNNExplainer and saliency map in XG-BoT, can perform automatic network forensics by highlighting suspicious network flows and related botnet nodes. We evaluated XG-BoT using real-world, large-scale botnet network graph datasets. Overall, XG-BoT outperforms state-of-the-art approaches in terms of key evaluation metrics. Additionally, we demonstrate that the XG-BoT explainers can generate useful explanations for automatic network forensics.
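The abstract names two building blocks, a graph isomorphism network (GIN) layer and a grouped reversible residual connection. The sketch below, added here as an illustration and not code from the paper, shows the two-group case of such a reversible GIN block on a constructed six-host communication graph and checks that the block's exact inverse recovers the input, which is the property that lets activations be recomputed rather than stored in deep stacks. It assumes the standard GIN update with a one-layer tanh MLP and the RevNet-style two-group coupling; the graph, feature dimensions and weights are constructed.

```python
import numpy as np

def gin_layer(A, H, W, eps=0.0):
    # GIN update: h_v' = MLP((1 + eps) * h_v + sum_{u in N(v)} h_u),
    # with the MLP reduced to a single tanh layer for this illustration.
    return np.tanh(((1.0 + eps) * H + A @ H) @ W)

def rev_block_forward(A, X1, X2, Wf, Wg):
    # Two-group reversible residual block: each half is updated from the other,
    # so the block can be run backwards without storing any activation.
    Y1 = X1 + gin_layer(A, X2, Wf)
    Y2 = X2 + gin_layer(A, Y1, Wg)
    return Y1, Y2

def rev_block_inverse(A, Y1, Y2, Wf, Wg):
    # Exact inverse: undo the two updates in reverse order.
    X2 = Y2 - gin_layer(A, Y1, Wg)
    X1 = Y1 - gin_layer(A, X2, Wf)
    return X1, X2

def toy_communication_graph():
    # Constructed 6-host communication graph (not a real dataset): host 0 talks
    # to hosts 1-4 (hub-like), host 5 talks only to host 4. Symmetric adjacency.
    A = np.zeros((6, 6))
    for u, v in [(0, 1), (0, 2), (0, 3), (0, 4), (4, 5)]:
        A[u, v] = A[v, u] = 1.0
    return A

def run_demo(n_layers=3, dim=4, seed=0):
    # Returns the final node embeddings and the max reconstruction error
    # after inverting the whole stack from its output alone.
    rng = np.random.default_rng(seed)
    A = toy_communication_graph()
    X = rng.normal(size=(A.shape[0], 2 * dim))   # node features split in 2 groups
    X1, X2 = X[:, :dim], X[:, dim:]
    weights = [(rng.normal(scale=0.5, size=(dim, dim)),
                rng.normal(scale=0.5, size=(dim, dim))) for _ in range(n_layers)]
    Y1, Y2 = X1, X2
    for Wf, Wg in weights:                       # forward through the stack
        Y1, Y2 = rev_block_forward(A, Y1, Y2, Wf, Wg)
    R1, R2 = Y1, Y2
    for Wf, Wg in reversed(weights):             # recover the input
        R1, R2 = rev_block_inverse(A, R1, R2, Wf, Wg)
    err = float(max(np.abs(R1 - X1).max(), np.abs(R2 - X2).max()))
    return np.hstack([Y1, Y2]), err

if __name__ == "__main__":
    emb, err = run_demo()
    print(emb.shape, err)
```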