Enhanced Peer-to-Peer Botnet Detection Using Differential Evolution for Optimized Feature Selection

Abstract

With the growing prevalence of cybercrime, botnets have emerged as a significant threat, infiltrating an increasing number of legitimate computers annually. Challenges arising for organizations, educational institutions, and individuals as a result of botnet attacks include distributed denial of service (DDoS) attacks, phishing attacks, and extortion attacks, generation of spam, and identity theft. The stealthy nature of botnets, characterized by constant alterations in network structures, attack methodologies, and data transmission patterns, poses a growing difficulty in their detection. This paper introduces an innovative strategy for mitigating botnet threats. Employing differential evolution, we propose a feature selection approach that enhances the ability to discern peer-to-peer (P2P) botnet traffic amidst evolving cyber threats. Differential evolution is a population-based meta-heuristic technique which can be applied to nonlinear and non-differentiable optimization problems owing to its fast convergence and use of few control parameters. Apart from that, an ensemble learning algorithm is also employed to support and enhance the detection phase, providing a robust defense against the dynamic and sophisticated nature of modern P2P botnets. The results demonstrate that our model achieves 99.99% accuracy, 99.49% precision, 98.98% recall, and 99.23% F1-score, which outperform the state-of-the-art P2P detection approaches.

1. Introduction

Botnets persist as a significant threat to computing resources worldwide. They are one of the most hazardous types of malware, efficiently used by cyber criminals as a platform to launch various malicious activities such as distributed denial of service (DDoS) attacks, identity theft, sending spam, phishing attacks, etc. [1]. The term “botnet” came from a combination of the two words “robot network” [2]. It is a large network of compromised computers which are interconnected via the internet and controlled by one attacker known as the botmaster [3]. Since the botmaster has large computing resources at their disposal, botnet attacks can be massive. In fact, cybersecurity threats are one of the major challenges for countries worldwide after digitization. According to a report [4], over 3800 major corporations worldwide encountered data breaches in 2019, leading to significant repercussions. Another study [5] reveals a sharp surge in botnet attacks during the first half of 2021, with their frequency increasing by 41%. Concurrently, a separate report [5] highlights a substantial rise in the percentage of organizations detecting botnet activity, increasing from 35% to 51% during a similar time frame. Since organizations worldwide are negatively influenced by botnet attacks, there is a vital need to detect such activities. Hence, there is a necessity to develop an enhanced botnet detection framework.

Botnets are classified as centralized and decentralized botnets [6]. Centralized botnets operate through a specific Command and Control (C&C) server. The botmaster utilizes this centralized hub to communicate with all the bots under their influence. Centralized botnets basically use IRC and HTTP protocols for communication. This architecture offers many advantages to the botmaster. It offers consistent control and coordination between the botmaster and the bots, simplifying monitoring for the botmaster. Nevertheless, it comes with a vulnerability—a single point of failure. Detecting and blocking the C&C server exposes a critical weakness. With the server blocked, the botmaster loses communication with the other bots, leading to the collapse of the entire botnet. On the other hand, decentralized botnets, also known as peer-to-peer (P2P), do not have a designated C&C server. Initially, a single bot receives the message from the C&C server. This bot then takes on the responsibility of relaying the message to peer bots, creating a chain of transmission across the network. Various communication protocols, such as Overnet, Kademlia, etc., are employed for this purpose [6,7].

For botnet detection, researchers are mainly focusing on machine-learning-based botnet detection models because of their high effectiveness [8,9]. Most of these detection models rely on feature selection, where distinct feature sets are derived from the existing high-dimensional dataset. A high-dimensional real-world dataset consists of a large number of features. But all of the features may not be essential or beneficial. Some features might be redundant and irrelevant. Feature selection removes redundant, irrelevant, and misleading features in order to obtain the most critical subset representing the best solution, thereby increasing the overall performance, accuracy, and learning speed of any machine-learning model [10]. Hence, feature selection becomes crucial. The underlying concept of feature selection is to thoughtfully choose a relevant subset of features from the initial dataset. This reduces the dimensionality of the dataset, enhancing the overall efficiency of the learning model.

Feature selection is a combinatorial optimization problem. Combinatorial optimization problems involve a finite set of potential solutions. An optimal solution to such problems is typically found by examining all feasible solutions within the search space. However, this exhaustive approach is often impractical, particularly when dealing with a vast search space. Consequently, numerous metaheuristic algorithms have been developed and adapted to address these challenges [11]. Metaheuristic algorithms are stochastic optimization methods designed to enhance the effectiveness of underlying heuristic techniques. These approaches effectively address the challenge of local optima and have proven successful in solving a diverse range of optimization problems [11,12]. While metaheuristic-based feature selection plays a crucial role in the development of various machine-learning models, it has received comparatively less attention in the literature on botnet detection.

This paper introduces an enhanced P2P botnet detection model using differential evolution-based feature selection and supervised machine-learning algorithms including ensemble learning, which can efficiently identify P2P bot communications by considering the following key questions:

(1)

How to enhance feature selection using evolutionary metaheuristic algorithm such as differential evolution.

(2)

How to design an enhanced learning model for P2P botnet detection using various supervised machine-learning algorithms.

(3)

How to enhance the performance of the proposed model by using the majority voting ensemble learning algorithm.

(4)

How to validate the proposed model in a dataset containing real-world botnet flows.

(5)

How to evaluate the performance of the proposed model using metrics such as accuracy, precision, recall, F1-score, and confusion matrix.

The rest of this paper is arranged as follows: Section 2 covers the related work, Section 3 covers the proposed approach, Section 4 contains the experiment discussions, Section 5 contains results, Section 6 contains comparison, and Section 7 contains conclusions and scope for future research.

2. Related Work

Some related works that have used metaheuristic-based techniques for feature selection (FS) and machine-learning-based botnet detection are presented in this section. Based on the category of feature selection algorithms applied, we group all the state-of -the-art research works into four categories. In the first group, we discuss research works that have used swarm- and evolution-based metaheuristics for FS. In the second group, we discuss those research works that have used evolution-based metaheuristics for FS. In the third group, we discuss research works that have used human-behavior-based metaheuristics for FS. In the fourth group, we discuss those research works that have used filter methods for FS.

Lin et al. [13] proposed a botnet detection method combining the Artificial Fish Swarm Algorithm (AFSA) for feature selection and Support Vector Machine (SVM) for classification. They compared this model with a GA-SVM system and found that AFSA yielded a superior performance, achieving 100% detection under a 10-fold cross-validation scheme. However, their experiments were conducted in a simulated LAN environment, which limits applicability to real-world, diverse network conditions. Moreover, their work does not target P2P botnets specifically, nor does it incorporate ensemble learning, which can enhance generalization. In contrast, our work focuses on detecting P2P botnets using differential evolution for feature selection and a majority voting ensemble of classifiers, applied on a real-world botnet dataset (CTU-13). Liao et al. [14] investigated botnet detection using two metaheuristic algorithms—Particle Swarm Optimization (PSO) and Genetic Algorithm (GA)—for feature selection, combined with a backpropagation neural network for classification. Their model achieved an average detection accuracy of 95.09%. The authors also introduced a custom feature based on packet transmission regularity. While the work highlights the effectiveness of metaheuristic-driven feature selection, it lacks clarity on the dataset used and does not target P2P botnets, which are harder to detect due to their decentralized architecture. Additionally, the use of a single neural network classifier may limit generalization. In contrast, our approach employs differential evolution for feature selection and integrates six supervised classifiers in a majority voting ensemble, evaluated on a real-world P2P botnet dataset, thereby offering improved robustness and relevance. Asadi et al. [15] proposed a hybrid botnet detection system, BD-PSO-V, that integrates Particle Swarm Optimization (PSO) for feature selection with an ensemble voting-based classification system comprising a Deep Neural Network (DNN), Support Vector Machine (SVM), and decision tree. Their model was evaluated on the ISOT and Bot-IoT datasets and achieved a high accuracy (up to 99.63%). While their work effectively demonstrates the advantage of hybrid ensemble approaches, it focuses primarily on IoT botnets and does not specifically address the detection of P2P botnets, which have more complex and decentralized architectures. Moreover, the computational demands of PSO and the limited scope of classifier diversity may constrain generalizability. In contrast, our proposed method used differential evolution (DE) for efficient feature selection and employed a broader ensemble of six classifiers under a majority voting system, specifically targeting P2P botnet detection using a real-world dataset (CTU-13 Scenario 12).

Alejandre et al. [16] proposed a botnet detection framework focused on identifying connections during the Command and Control (C&C) phase of botnet activity. They employed a Genetic Algorithm (GA) for selecting optimal features and used a C4.5 decision tree classifier to distinguish botnet traffic. Their model achieved a high detection rate (up to 99.46%) using datasets from ISOT and ISCX. While their focus on C&C traffic is important, the work does not address P2P botnets, which do not have centralized control structure and are inherently more difficult to detect. Additionally, the use of a single classifier may limit adaptability to varying network patterns. In contrast, our work focuses on detecting P2P botnets using differential evolution (DE) for efficient feature selection and a diverse ensemble of classifiers under a majority voting strategy, validated on real-world botnet data (CTU-13 Scenario 12). Alhijaj et al. [8] proposed a botnet detection model that integrates the Genetic Algorithm (GA) for feature selection with a decision tree classifier for traffic classification. Their approach aimed to find the optimal feature subset that enhances classification performance. Using the UNSW-NB15 and CICIDS2017 datasets, they demonstrated improved results over standard decision tree models across metrics such as precision, F1-score, and detection rate. However, their study does not address the detection of P2P botnets, which are decentralized and more elusive than conventional botnets or intrusions. Furthermore, the use of only one classifier may limit adaptability in real-world environments. In contrast, our work uses differential evolution for more efficient feature selection and applies a majority voting ensemble with six diverse classifiers, evaluated on a real-world P2P botnet dataset (CTU-13) to improve both accuracy and robustness.

Nejad et al. [17] presented a real-time botnet detection model that utilizes the World Competitive Contests (WCC) algorithm for feature selection and Support Vector Machine (SVM) for classification. Their approach achieved an accuracy of 95%, outperforming other comparative methods. While the focus on real-time detection is commendable, the study does not specify the type of botnet traffic, and it relies on a single classifier, which may limit robustness. Additionally, the novel WCC algorithm is not extensively benchmarked against more established metaheuristics. In contrast, our work focuses on the detection of P2P botnets, a more evasive and challenging class, using differential evolution (DE) for efficient feature selection and a majority voting ensemble of six classifiers, which collectively improve accuracy and resilience under real-world conditions.

Yallamanda et al. [18] proposed a machine-learning-based model for detecting both botnet and DDoS attacks using Support Vector Machine (SVM) and Naïve Bayes (NB) classifiers. Evaluated on the CICIDS2017 dataset, the results indicated that SVM performed better than NB. However, their approach lacks a feature selection component and focuses solely on traditional classifiers, which may limit performance on more complex and stealthy threats. Additionally, their study does not address P2P botnets, nor does it explore ensemble learning or comprehensive performance metrics. In contrast, our work focuses on P2P botnet detection using differential evolution for feature selection and a diverse ensemble of classifiers, validated with detailed performance analysis on real-world traffic. Joshi et al. [19] conducted an empirical study using five filter-based feature selection techniques—Univariate Selection, RFE, PCA, Correlation Matrix, and Feature Importance—combined with four classifiers including SVM, Logistic Regression, KNN, and decision trees. Their experiments, conducted on the CTU-13 dataset, found that KNN consistently outperformed other classifiers across different FS techniques. While their work offers useful insights into the interaction between feature selection and classifier performance, it is limited to filter methods, which do not consider feature interdependencies. The study does not explore metaheuristic or optimization-based FS techniques, nor does it address P2P botnet detection, which presents more complex detection challenges. Our work addresses these gaps by using differential evolution (DE) for feature selection and a majority voting ensemble of six classifiers, specifically tailored for P2P botnet detection on CTU-13 Scenario 12. Ismail et al. [20] proposed the BADS framework for botnet detection over encrypted channels using a structured six-phase methodology. They employed Information Gain as a filter-based feature selection method and used the NIMS and MCFP datasets for experimentation. While the study is notable for addressing encrypted traffic and presenting a modular detection pipeline, it relies on a single FS approach and classifier, limiting its adaptability to more dynamic and evasive botnets such as those with P2P architectures. In contrast, our work focuses on P2P botnet detection using a differential evolution-based feature selection strategy and a majority voting ensemble of six classifiers, enhancing detection performance and robustness in decentralized botnet scenarios. Muhammad et al. [21] proposed an early-stage botnet detection model that utilizes filter-based feature selection methods (such as PCA and Information Gain) and evaluates the classification performance using Logistic Regression, Multilayer Perceptron, Support Vector Machine, and Random Forest. Using the Cyber Clean Centre (CCC) dataset, which contains IRC and HTTP-based botnet traces, their model achieved a detection accuracy of 99%. While the focus on early detection is valuable, the approach does not address the challenges posed by P2P botnets, which lack centralized control and are harder to detect. Moreover, the use of filter-based FS methods may overlook critical feature dependencies. In contrast, our study targets P2P botnet detection using differential evolution (DE) for feature selection and a majority voting ensemble of six classifiers, tested on real-world decentralized botnet traffic (CTU-13 Scenario 12) for enhanced robustness and relevance. Joshi et al. [22] proposed a multiclass botnet detection framework using Artificial Neural Networks (ANNs), trained on a dataset comprising seven different botnet classes. Their study employed various filter-based feature selection techniques and evaluated the model on the MCFP dataset, achieving a classification accuracy of 99.04%. While the shift toward multiclass detection is noteworthy, this study does not clearly address P2P botnets, which are more difficult to detect due to their decentralized nature. Additionally, the exclusive reliance on ANN and filter-based FS methods may limit adaptability to unseen or complex attack patterns. In contrast, our study specifically targets P2P botnets using a differential evolution-based feature selection strategy and a majority voting ensemble of six classifiers, evaluated on the real-world CTU-13 Scenario 12 dataset, offering both higher robustness and practical relevance.

To summarize, while prior works have contributed significantly to botnet detection using various filter-based and metaheuristic feature selection techniques alongside diverse classifiers, several critical gaps remain unaddressed. The comprehensive summary of existing work on machine learning based botnet detection with their advantages and disadvantages are presented in

Table 1. Comprehensive summary of existing work on ML-based botnet detection with their advantages and disadvantages.

Sl. No.	Author	Botnet Type Detected	Dataset Used	Category of FS Algorithm	FS Algorithm Used	Classification Algorithm	Performance Matrix	Disadvantage	Advantage
1	[13]	IRC	Testbed	Swarm- and evolution-based MH	AFSA, GA	SVM	Acc—100%	IRC botnet is used. Only accuracy is calculated for performance evaluation.	Metaheuristic algorithm is used for FS.
2	[14]	IRC	Testbed	Swarm- and evolution-based MH	PSO, GA	BPN	Acc—95.09%	IRC botnet is used. Only accuracy is calculated for performance evaluation.	Metaheuristic algorithm is used for FS.
3	[15]	P2P	ISOT	Swarm intelligence-based MH	PSO	Majority voting	Acc—99.64%, Re—99.82%	Precision and F1 are not calculated.	Metaheuristic algorithm is used for FS.
4	[16]	P2P and IRC	ISOT and ISCX	Evolution-based MH	GA	Decision tree (C4.5)	Re—99.46%	Accuracy, precision, and F1 are not calculated.	Metaheuristic algorithm is used for FS.
5	[8]	Not mentioned	UNSW—NB15 and CICIDS2017	Evolution-based MH	GA	Decision tree	Pre—99.17%, Re—96.85%	Botnet type detected is not mentioned. Accuracy and F1 values are not provided.	Metaheuristic algorithm is used for FS.
6	[17]	Not mentioned	N-BaIoT	Human-behavior-based MH	WCC	SVM	Acc—95%, Pre—95%, Re—95%	IRC botnet is detected.	Metaheuristic algorithm is used for FS.
7	[18]	Not mentioned	CCIDS2017	Filter method	PCA, LDA	NB, SVM	Acc—99.68%	Detection performed for centralized or decentralized botnet is not known.	High accuracy.
8	[19]	P2P	CTU-13	Filter method	PCA, Univariate Selection, RFE, Feature Importance, Correlation Heat Map	SVM, logistic regression, KNN, decision tree	Acc—99%, AUC—99%, AR—99%	Lots of FS algorithms are compared but all belong to the filter methods.	High accuracy. P2P detection is performed.
9	[20]	P2P	ISOT, MCFP and NIMS	Filter method	Information Gain	SVM, Naïve Bayes, K-Nearest Neighbor, Bayesian Network, Ada Boost, Random Forest, J48, PART and Ripper	Not mentioned	Information about evaluation matrices is not given.	FS is conducted and three different datasets are used.
10	[21]	Not mentioned	Cyber Clean Center (CCC) dataset	Filter method	PCA and Information Gain	Logistic Regression, SVM, Random Forest and Multilayer Perceptron	Acc—97.8% TPR—97% FPR—0.7%	Detection conducted for centralized or decentralized botnet is not known.	High accuracy.
11	[22]	P2P	MCPF	Filter method	Recursive Feature Selection, PCA, Correlation Matrix, Univariate Selection, Feature Importance	ANN	Acc—99.04% Pre—99.35% Re—99.35% F1—99.21%	Lots of FS algorithms are compared but all belong to the same category.	High accuracy. P2P detection is conducted.

. Most studies focus on centralized botnet types and rely on limited classifier diversity or simulated environments. Moreover, filter-based feature selection dominates the landscape, often overlooking feature interdependencies and the adaptability required for detecting more elusive peer-to-peer (P2P) botnets. In contrast, our proposed approach introduces differential evolution (DE) as an efficient evolutionary strategy for feature selection, which better captures complex feature interactions. Furthermore, we enhance robustness by employing a majority voting ensemble of six diverse supervised classifiers. Most importantly, our method is specifically tailored for P2P botnet detection and is rigorously evaluated using the real-world CTU-13 Scenario 12 dataset, thereby offering a novel, scalable, and practical solution that addresses the limitations found in the existing literature.

3. Proposed Approach

This section discusses the proposed approach for the classification and detection of P2P botnet flows and also discusses their theoretical description.

3.1. Model Construction

Often, it has been seen that in a network, communication among the bot nodes is less than the benign nodes. The bot nodes communicate infrequently to evade detection. Thus, if we use network packet passing through a router of a network, our method has to execute a large volume of data to detect bot node communication. This is not feasible in a real-world network scenario. Therefore, we use network flow data in our method to detect bot nodes in a network.

Network flow data aim to identify botnet flows based on the information extracted from network conversations between hosts. Flow data, as described by Kemp et al. [23], encapsulate IP traffic details in the form of features. A flow summarizes the communication between hosts and is characterized primarily by a quintuple attribute set, including the source IP, destination IP, source port, destination port, and transport protocol. In addition to these essential attributes, flow data may encompass various other features like flow duration, flow direction, total bytes transferred, and more. The advantage of using flow data lies in their capability to be analyzed efficiently using machine-learning techniques to detect botnet flows. Notably, the analysis of flow data does not involve the inspection of the payload or content of the data. As a result, detection can occur even when the data are encrypted. Furthermore, flow data analysis remains independent of structure and protocol, enhancing its versatility in botnet detection procedures [6].

This network flow data are parsed as input into our proposed detection approach. The detection approach starts with feature selection in the input dataset. Here, the differential evolution (DE) algorithm is implemented to select the optimal feature set from the input. Selected feature sets are then applied to six machine-learning models (base learners) which are as follows: Gaussian Naïve Bayes (NB), K-Nearest Neighbors (KNN), Linear Discriminant Analysis (LDA), decision tree (DT), Random Forest (RF), and Support Vector Machine (SVM). To enhance the results produced by the classification models, we have used the majority voting ensemble learning algorithm. The system workflow of our proposed botnet detection approach is shown in Figure 1.

3.2. Feature Selection

Feature selection is the process of identifying the most relevant subset of features from a given dataset [24]. In today’s context, real-world datasets are often abundant, containing a large number of features. However, the sheer quantity of features does not imply that every feature is essential or beneficial. Some features may be redundant or irrelevant. A dataset containing noisy, redundant, and irrelevant information can lead to overfitting, diminishing the overall performance, accuracy, and learning speed of any machine-learning model [10]. Feature selection reduces the computational cost by reducing the dimensionality of data. Therefore, feature selection is crucial. Feature selection involves choosing a subset of features from the original set without modifying them, thus preserving the original features’ meaningful interpretations. Traditionally, feature selection techniques are categorized into three categories: filter method, wrapper method, and embedded methods [24]. Apart from these algorithms, metaheuristic algorithms can also be used for feature selection. Metaheuristic algorithms are inspired by natural phenomena and are crafted to tackle intricate optimization problems [25]. They belong to a category of optimization algorithms crafted to discover approximate solutions for challenging optimization problems. These algorithms prove especially beneficial when addressing complex problems where obtaining exact solutions is either impractical or computationally demanding. Serving as high-level strategies, metaheuristics direct the exploration and exploitation of solution spaces, enabling efficient searches for near-optimal solutions. In our proposed work, we have employed a differential evolution algorithm for feature selection, which is an evolutionary based metaheuristic algorithm [26,27]. Evolutionary algorithms are based on Darwin’s theory of evolution. Some algorithms of this category are Genetic Algorithm (GA), Evolutionary Programming (EP), Evolution Strategies (ESs), Genetic Programming (GP), and differential evolution (DE). Previous studies have shown that differential evolution (DE) achieves a better performance than traditional FS approaches in other fields [28,29,30].

Differential Evolution

Differential evolution (DE) is a metaheuristic algorithm used for solving various optimization problems where the objective function may be nonlinear, non-differentiable, or noisy. Feature selection is a combinatorial optimization problem. DE is a metaheuristic algorithm based on populations, designed to locate the global minimum of a multivariate function. This evolutionary computing algorithm initiates with an initial set of candidate solutions and systematically updates them through iterations [27]. DE is applied to multidimensional real-valued functions without relying on the gradient of the optimization problem. This lack of dependence on gradients distinguishes DE from classical optimization methods like gradient descent and quasi-Newton methods, which necessitate differentiability. Consequently, DE is suitable for optimization problems that are non-differentiable, non-continuous, noisy, subject to changes over time, and various other challenging scenarios [27]. DE is a stochastic direct search method that explores the solution space without relying on derivative information, making it well suited for optimization tasks [28]. It draws inspiration from Darwin’s theory of evolution and natural selection. Demonstrating its effectiveness across diverse domains, the DE algorithm orchestrates the evolution of a population of candidate solutions through iterative processes of mutation, crossover, and selection. This ongoing evolution, transitioning from one generation to the next, guarantees that individuals with superior qualities persist within the population, while weaker ones are systematically phased out in each iteration [29].

Based on the reviews [28,29,30,31,32], the advantages of DE for feature selection are described below:

• DE is simple, straightforward, and easy to implement compared to other evolutionary algorithms.
• Despite its simplicity, DE exhibits a better performance.
• The number of control parameters in DE is much lower.
• DE is known for its fast convergence and efficient exploitation of the search space.
• DE can be used for nonlinear and non-differentiable optimization problems.

The workings of the DE algorithm are depicted by the following flow chart (Figure 2) and Algorithm 1.

Algorithm 1. The operation of the differential evolution algorithm.

1. Initialize: Generate an initial random population of individuals across the entire search space. 2. Repeat until the maximum number of generations is reached:    For each individual in the population:       (i) Perform mutation: Create a mutant vector.       (ii) Perform recombination (crossover): Combine the mutant vector with the target vector to create a trial vector.       (iii) Perform selection: Compare the trial vector with the target vector and select the one with the better fitness. 3. Return the best individual found.

DE has three basic operators: mutation, crossover, and selection.

Mutation: DE generates new candidate solutions by perturbing the existing population. This is typically achieved by selecting three distinct individuals (parents) from the current population and combining them to create a new solution (offspring). During this process, an offspring or mutant vector is generated for every target vector using the following Equation (1):

$${\mathrm{V}}_{\mathrm{i},\mathrm{g}+1}={\mathrm{X}}_{\mathrm{r}1,\mathrm{g}}+\mathrm{F}\ast \left({\mathrm{X}}_{\mathrm{r}2,\mathrm{g}}-{\mathrm{X}}_{\mathrm{r}3,\mathrm{g}}\right)$$

(1)

where g represents the generation or iteration, $V_i$ is the new solution vector or mutant vector (i = 1, 2, 3, …., NP), and r1, r2, and r3 are three distinct individuals selected randomly from the population such that r1, r2, r3 ϵ [1, NP] and r1 ≠ r2 ≠ r3 ≠ i. NP is the population size. F is a user-defined scaling factor or mutation parameter that amplifies the difference vector and lies within [0, 1]. This process of generating a new individual is known as mutation.

Crossover: In order to enhance the diversity of the perturbed population, a crossover or recombination operator is used. During this phase, a crossover operator is applied between the parent vector or target vector $X_i$ and the corresponding mutant vector $V_i$ to generate a trial vector $W_{ij}$ as in the following Equation (2):

$${\mathrm{W}}_{\mathrm{i}\mathrm{j}}=\left\{\begin{array}{c}{\mathrm{V}}_{\mathrm{i}\mathrm{j}} \mathrm{if} \left(\mathrm{r}\mathrm{a}\mathrm{n}\mathrm{d}\le \mathrm{C}\mathrm{R}\right) \mathrm{or} \mathrm{j}=\mathrm{jr} \mathrm{and}\\ {\mathrm{X}}_{\mathrm{i}\mathrm{j}} \mathrm{otherwise}\end{array}\right.$$

(2)

where i ϵ (1, 2,…,NP), j ϵ (1, 2,…,D), rand () is a uniformly distributed random number ϵ [0, 1], CR is the crossover rate ϵ [0, 1], and jr and is a randomly chosen index to ensure that at least one component from the mutant vector is copied to the trial vector.

Selection: In the selection phase, a decision is taken as to whether to include the trial vector w_ij in the next generation g + 1. The trial vector w_ij is compared with the target vector x_ij using a greedy criterion. If the trial vector has a better fitness value than the target, it replaces the target in the population. This step ensures that the population evolves over generations towards better solutions.

3.3. Supervised Machine-Learning Classifiers

The six supervised machine-learning algorithms and ensemble learning algorithm used in our experiments are discussed below.

3.3.1. Gaussian Naïve Bayes (NB)

The Gaussian Naïve Bayes algorithm is a supervised ML algorithm which is based on the Bayes theorem. It is simple, computationally efficient, and suitable for high-dimensional datasets.

It is an intuitive classification approach which measures the likelihood of an event based on prior knowledge of the conditions that facilitated the occurrence of such an event [11]. In the sphere of machine learning, the Naïve Bayesian method works under the principle that every feature contributes independently to the occurrence of an event. To be precise, the Naïve Bayes classifier estimates the probabilities for all classes (values) associated with a target feature and selects the one with the highest probability. The algorithm can be expressed as Equation (3):

$$\mathrm{P}(\mathrm{A}/\mathrm{B})=\left(\mathrm{P}\right(\mathrm{B}/\mathrm{A}\left)\mathrm{P}\right(\mathrm{A}\left)\right)/\left(\mathrm{P}\right(\mathrm{B}\left)\right)$$

(3)

where A and B are occurrences and P(B) ≠ 0.

• P(A/B) is the proportion of instances of a specified class given the observed features.
• P(B/A) is the likelihood of observing the features given the class.
• P(A) is the prior probability of the class.
• P(B) is the probability of observing the features.

3.3.2. K-Nearest Neighbors (KNN)

KNN is very easily understood by beginners and very simple to implement. KNN is a supervised machine-learning algorithm based on classification as well as regression. KNN works well for complex and non-linear datasets. It is a non-parametric and instance-based algorithm, which is based on the fact that it does not impose any stringent assumptions on the data distribution and rather utilizes the similarity of the instances to make predictions [33]. KNN utilizes a distance metric such as a Euclidean distance measure to measure the similarity between data points [6]. However, distance metrics such as Manhattan or Minkowski may also be utilized. To make a prediction for a new data point, KNN identifies the K-nearest neighbors in the training set based on the chosen distance metric. It operates by computing the Euclidean distance (or any other chosen metric) between data points. The categorization of an object is determined by the majority vote among its K-nearest neighbors, considering entities from various classes [7]. The Euclidean distance between two points (A, B) in Euclidean n-space can be expressed as Equation (4):

$$\mathrm{d}\left(\mathrm{A},\mathrm{B}\right)=\sqrt{\sum _{\mathrm{x}=1}^{\mathrm{n}}{({\mathrm{B}}_{\mathrm{x}}-{\mathrm{A}}_{\mathrm{x}})}^2}$$

(4)

3.3.3. Linear Discriminant Analysis (LDA)

LDA is a type of supervised and classification-based machine-learning algorithm. It is particularly advantageous in scenarios where the objective is to identify a linear combination of features for the optimal separation of two or more classes. LDA is most effective when the aim is to increase class separability, especially when the classes have similar covariance. The reason for its popularity in many fields can be related to the fact that it is straightforward and easy to understand. LDA works under two assumptions: first, the features are always normally distributed; second, the feature-covariance matrices are identical across all of the classes. The approach seeks to establish a hyperplane that separates the classes as far away as possible while at the same time minimizing the intra-class variance [34].

3.3.4. Decision Tree (DT)

The DT classifier is one well-known supervised machine-learning method used for regression and classification. It is favored due to its great performance and simplicity, especially in a highly interpretable scenario. The method builds a hierarchical structure that looks like a tree such that every non-leaf node represents a decision based on a particular feature, every branch represents the outcome of this decision, and every terminal node represents the final classification label or value [33]. A decision tree is constructed by partitioning the training data into sub-samples based on the most distinguishing feature. As new data come in, the data attributes are traced from the root of the tree, progressing through various nodes, until reaching a leaf node that signifies the classification of the data [35]. In particular, decision trees are easy to understand and use, rendering them valuable for elucidating decision-making processes. On top of that, they are able to model complex nonlinear relationships in the data, and they operate without imposing assumptions about the underlying data distribution.

3.3.5. Random Forest (RF)

The Random Forest classifier is essentially an ensemble classifier which attempts to utilize a large number of decision trees in order to predict with greater accuracy. This method can be used for both classification and regression purposes and is considered to be robust, versatile, and efficient for dealing with complex datasets. It is applied in different fields where accuracy in predictions holds paramount importance. An RF consists of a number of decision trees, in which every tree is trained on a random sample of the training data [6]. Using a technique called bagging, this method trains each tree on a new sample of the data (with replacement) taken from the original dataset. At each DT node, a random subset of features is considered for splitting, introducing diversity among the individual trees. In classification tasks, the ultimate prediction is determined through a majority vote among the predictions generated by individual trees. Through this ensemble approach, Random Forest effectively mitigates overfitting concerns often associated with standalone decision trees.

3.3.6. Support Vector Machine (SVM)

The Support Vector Machine (SVM) is a very popular supervised machine-learning algorithm that can be used for both regression and classification tasks. The SVM is acknowledged as being flexible and effective to do linear and non-linear classification. This algorithm is considered to be quite useful, particularly when working in high dimensional spaces, resulting in its application in many fields. The main strength of SVM is that it can find the optimal hyperplane that separates the data sample of different classes in the feature space. Whether in two dimensions where it manifests as a line or in higher dimensions as a hyperplane, SVM’s proficiency extends to handling non-linear relationships. By utilizing kernel functions such as polynomial or radial basis functions, SVM employs the kernel to transform the input space into a higher-dimensional space, facilitating the identification of linear separation within that space [33].

3.4. Ensemble Learning Algorithm (Majority Voting)

Ensemble learning is a machine-learning approach where predictions made by multiple models are utilized to improve overall performance and generalization. The core concept is to leverage the diversity inherent to individual models, thereby generating predictions that are not only robust but also more accurate. The effectiveness of ensemble methods lies in the diversity among constituent models. Diverse models, even if individually weak, can collectively provide a more accurate and stable prediction [11]. Majority voting is a simple yet powerful ensemble algorithm used in classification tasks. Majority voting requires multiple base models, each trained on a subset of the data. Each individual model in the ensemble independently makes a classification decision for a given input. The final prediction is determined by a majority vote among the individual models. The class that receives the most votes is chosen as the ensemble’s prediction [6,36,37,38].

4. Experiments

This section describes the dataset used, parameter tuning of DE, all classification algorithms, and the majority voting algorithm. This section also explains all of the the evaluation matrices used in this work.

4.1. Dataset

Our experiments utilized the CTU-13 botnet dataset, which is a collection of botnet traffic that was assembled by CTU University, Czech Republic, in 2011. This is a publicly available dataset which contains 13 botnet scenarios or captures of different botnet samples summarized in 13 bidirectional NetFlow files, which comprises actual botnet traffic, offering a valuable resource for scrutinizing real botnet behavior and gaining insights into the diverse strategies employed by botnet operators [39]. Out of these 13 bidirectional NetFlow files, we have selected the 12th scenario for our experiments because only the 12th scenario contains P2P bot nodes’ communication as well as benign nodes’ communication. The first reason for selecting this dataset is that it is publicly available, whereas there are some datasets which are not publicly accessible. Another reason is that there are certain datasets that comprise bot flows originating from a single bot node, while others feature multiple bot nodes without inter-node communication. However, the CTU-13 (Scenario 12) dataset contains three P2P bot nodes along with benign nodes and also incorporates the communication flow among bot nodes.

While the CTU-13 Scenario 12 dataset originates from 2011, it continues to serve as a valuable benchmark for botnet research—particularly in the context of P2P botnet detection. This scenario is among the few publicly available datasets that include real-world P2P botnet communication with multiple infected hosts and inter-bot interactions. These characteristics are essential for studying decentralized botnet behavior. Nevertheless, we acknowledge that botnet communication patterns evolve, and future work will involve validating the proposed feature selection and classification framework on newer datasets or real-time traffic to further assess generalizability and resilience to emerging threats.

The features related to the network traffic for Scenario 12 are shown in

Table 2. Network traffic details of Scenario 12 of CTU-13 dataset.

Scenario	Duration (hrs)	Number of Packets	Number of NetFlow Records	Size (GB)	Bot Family	Number of Bot
12	1.21	13,212,268	1,262,790	8.3	NSIS.ay	3

. Table 2 represents information like size, duration, number of packets, number of flows, number of bots, and bot family [35].

This dataset is labelled and comprises bidirectional NetFlows. NetFlow is a network protocol developed by Cisco that facilitates the collection and monitoring of IP traffic information. The CTU-13 (Scenario 12) dataset is specifically a bidirectional NetFlow file and is characterized by 15 features [6].

Table 3. Feature descriptions of Scenario 12 of the CTU-13 dataset.

Feature Number	Feature Name	Description
F1	StartTime	Date of the flow start (from 2011/08/10 10:02:43 to 2011/08/19 11:45:43)
F2	Dur	Duration of the communication in seconds
F3	Proto	Transport protocol used
F4	SrcAddr	IP address of the source
F5	Sport	Source port
F6	Dir	Direction of the flow
F7	DstAddr	IP address of the destination
F8	Dport	Destination port
F9	State	Transaction state
F10	sTos	Source TOS byte value
F11	dTos	Destination TOS byte value
F12	TotPkts	Total number of transaction packets
F13	TotBytes	Total number of transaction bytes
F14	SrcBytes	Total number of transaction bytes from the source
F15	Label/target	Label made of “flow=” followed by a short description (source/destination-malware/application)

describes various features of the dataset used in our experiments.

4.2. Parameter Tuning

This section discusses the experiments performed for parameter tuning of all of the algorithms used.

4.2.1. Parameter Tuning of Differential Evolution Algorithm

DE is an evolutionary metaheuristic optimization algorithm, with multiple parameters that influence its performance. The selection of these parameters plays a crucial role in determining the algorithm’s efficiency and convergence speed. These parameters can be optimized using methodologies such as grid search, random search, or by using some advanced optimization techniques to discover values that effectively address the specifics of the optimization problem at hand. Python (version 3.12) offers a range of libraries for implementing evolutionary algorithms such as SciPy, DEAP, etc. In our experiments, we have used python’s DEAP (Distributed Evolutionary Algorithms in Python) library. DEAP is a multi-purpose library for evolution strategies, and it has a number of modules adapted to various kinds of evolutionary strategies including DE. This library offers a high degree of customization and flexibility, making it a preferred choice if we wish to tailor our evolutionary algorithms to specific needs or experiment with different aspects of the algorithm’s behavior [40]. DEAP is a powerful library for building custom evolutionary strategies for specific purposes. In our studies, however, the DE parameters [41] that were used according to DEAP’s Simple function are as follows: “ngen”, “popsize”, “cxpb”, and “mutpb”.

Number of generations (“ngen”) is a controlling factor used to determine how many generations or iterations to carry out within the algorithm.

Population size (“popsize”) is a controlling factor used to control the number of the candidate solutions that are maintained in each generation.

Crossover probability (“cxpb”) is a control parameter that determines the likelihood of performing crossover (recombination) operations on the individuals in the population.

Mutation probability (“mutpb”) is also a control parameter that governs the chances of mutations happening in individual candidate solutions within the population.

In order to find the best value for these parameters, we have experimented with a random search algorithm. We have taken 10 values (V1 to V10) for each parameter as shown in

Table 4. Values for differential evolution parameters used in the experiments for peer-to-peer botnet detection system.

Parameter Name	V1	V2	V3	V4	V5	V6	V7	V8	V9	V10
ngen	20	30	40	50	60	70	80	90	100	120
popsize	20	30	40	50	60	70	80	90	100	120
cxpb	0.1	0.2	0.3	0.4	0.5	0.6	0.7	0.8	0.9	1.0
mutpb	0.03	0.04	0.05	0.06	0.07	0.08	0.09	0.1	0.2	0.3

.

To make a selection for the most optimal values of the DE parameters, a random search algorithm was run 50 times.

Table 5. Count of selected “ngen” value for the experiments of peer-to-peer botnet detection system.

Count of Selected “ngen” Value
V1	V2	V3	V4	V5	V6	V7	V8	V9	V10
2	4	4	5	5	6	4	9	4	7

shows the fluctuations of “ngen” selected values during 50 runs. Table 5 reveals that V8 (90) is the value that was mostly selected for the parameter “ngen”.

Table 6. Count of selected “popsize” value for the experiments of botnet detection system.

Count of Selected “Popsize” Value
V1	V2	V3	V4	V5	V6	V7	V8	V9	V10
2	5	6	6	6	6	5	3	7	4

shows the fluctuations of “popsize” values selected during 50 runs. Table 6 reveals that V9 (100) is the value that was mostly selected for the parameter “popsize”.

Table 7. Count of selected “cxpb” value for the experiments of peer-to-peer botnet detection.

Count of Selected “cxpb” Value
V1	V2	V3	V4	V5	V6	V7	V8	V9	V10
10	3	4	4	4	6	8	3	6	2

shows the fluctuations of “cxpb” values selected during 50 runs. Table 7 reveals that V1 (0.1) is the value that was mostly selected for the parameter “cxpb”.

Table 8. Count of selected “mutpb” value for the experiments of peer-to-peer botnet detection.

Count of Selected “mutpb” Value
V1	V2	V3	V4	V5	V6	V7	V8	V9	V10
7	4	7	2	3	5	7	8	2	9

shows the fluctuations of selected “mutpb” value. Table 8 reveals that V10 (0.3) is the value that was mostly selected for the parameter “mutpb”.

The selected parameters of DE that are used for feature selection are given in

Table 9. Optimal values of differential evolution parameters for the experiments of botnet detection.

Parameter Name	Optimal Value
Ngen	90
Popsize	100
Cxpb	0.1
Mutpb	0.3

.

4.2.2. Parameter Tuning of Classification Algorithms

For our experiments, we have used six classification algorithms, namely NB, LDA, SVM, KNN, DT, and RF. To implement these algorithms, we used the Scikit-learn python library. To select the best values for the parameters of these algorithms, we used the randomSearchCV algorithm.

Table 10. Key parameters and optimal values of Gaussian Naïve Bayes algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
var_smoothing	0.1
priors	None

,

Table 11. Key parameters and optimal values of KNN algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
weights	Distance
p	1 (manhattan_distance)
n_neighbors	3
algorithm	Auto

,

Table 12. Key parameters and optimal values of LDA algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
tol	0.001
store_covariance	True
solver	Eigen
shrinkage	0.1
priors	None
n_components	1

,

Table 13. Key parameters and optimal values of DT algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
splitter	Best
random_state	42
min_samples_split	7
min_samples_leaf	9
max_features	None
max_depth	10
criterion	Entropy

,

Table 14. Key parameters and optimal values of RF algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
n_estimators	50
min_samples_split	5
min_samples_leaf	6
max_features	Sqrt
max_depth	15
bootstrap	True

and

Table 15. Key parameters and optimal values of SVM algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
tol	0.0001
random_state	42
shrinking	True
probability	False
max_iter	100
kernel	Linear
gamma	1000.0
degree	1
oef0	0.19999999996
class_weight	None
C	100.0

present the key parameters along with their optimal values for various classification algorithms. Specifically, Table 10 details the parameters for the Gaussian Naïve Bayes algorithm [42], Table 11 for the K-Nearest Neighbors (KNN) algorithm [43], Table 12 for the Linear Discriminant Analysis (LDA) algorithm [44], Table 13 for the decision tree (DT) algorithm [45], Table 14 for the Random Forest (RF) algorithm [46], and Table 15 for the Support Vector Machine (SVM) algorithm [47].

4.2.3. Parameter Tuning of Majority Voting Ensemble Learning Algorithm

Table 16. Key parameters and optimal values of majority voting algorithm for peer-to-peer botnet detection system.

Parameter Name	Optimal Value
Estimator	lda, knn, dt, rf, nb, svm
Voting	Soft
Weights	[1, 2, 2, 2, 1, 1]

presents the key parameters and their optimal values for the majority voting ensemble algorithm [48], which combines multiple base classifiers to improve the overall predictive performance. The algorithm utilizes six individual estimators—LDA, KNN, DT, RF, NB, and SVM—as the constituent models. The voting strategy employed is soft voting, which considers the predicted class probabilities from each model rather than just the final class labels. Additionally, the weights assigned to each estimator are specified as [1, 2, 2, 2, 1, 1], indicating a higher influence of KNN, DT, and RF in the final ensemble decision, thereby reflecting their stronger individual performance or contribution in the ensemble framework.

The weights [1, 2, 2, 2, 1, 1] assigned to LDA, KNN, DT, RF, NB, and SVM, respectively, were obtained using RandomizedSearchCV, which explored multiple combinations of weights across five-fold cross-validation to identify the configuration with the best predictive performance. This ensures a systematic, data-driven approach to weighting rather than relying on heuristic assumptions.

4.3. Evaluation Metrics

The following evaluation matrices have been used in our experiments:

Confusion Matrix: A confusion matrix is a very useful tool for evaluating classification models. It is particularly beneficial for handling imbalanced datasets and provides a more comprehensive evaluation than accuracy alone. It offers a comprehensive analysis of a classification algorithm’s performance by presenting a detailed summary of true positive, true negative, false positive, and false negative predictions. The key components of a confusion matrix are as follows:

True Positive (TP): TPs are occurrences that are correctly predicted as positive by the classification model.

True Negative (TN): TNs are occurrences that are correctly predicted as negative by the classification model.

False Positive (FP): FPs are occurrences that are incorrectly predicted as positive by the classification model.

False Negative (FN): FNs are occurrences that are incorrectly predicted as negative by the classification model.

Accuracy: Accuracy is a fundamental performance metric that measures the overall correctness of predictions made by a classification model. It is the ratio of correctly classified instances, both positive and negative, to the total number of instances in the dataset. It is calculated as Equation (5):

$$Accuracy={\displaystyle \frac{(TP+TN)}{(TP+TN+FP+FN) }}$$

(5)

Precision: Precision is a performance metric that measures the accuracy of the positive predictions made by a classification model. In other words, it is the ratio of true positive instances, among all instances predicted as positive. It is calculated as Equation (6):

$$Precision={\displaystyle \frac{TP}{\left(TP+FP\right) }}$$

(6)

Recall (Sensitivity): Recall is also known as sensitivity or the true positive rate. This performance metric measures the ability of a classification model to correctly identify all relevant instances from a dataset. In other words, it is the ratio of true positive instances among all actual positive instances. It is calculated as Equation (7):

$$Recall={\displaystyle \frac{TP}{\left(TP+FN\right) }}$$

(7)

F1-Score: The F1-score is a performance metric that combines both precision and recall into a single value. It is the harmonic mean of precision and recall and provides a balanced measure of performance of a classification model. It is particularly useful when there is an uneven class distribution or when the cost of false positives and false negatives needs to be balanced. It is calculated as Equation (8):

$$F1=2 \ast {\displaystyle \frac{\left(Precison\ast Recall\right)}{\left(Precison+Recall\right) }}$$

(8)

5. Results

To reduce the dimensionality of the dataset, one of the state-of-the-art evolutionary algorithms known as differential evolution (DE) is used. Due to the inherent nature of stochastic optimization algorithms like DE, it produces different results each time it is run. This algorithm involves an element of randomness, and this stochastic nature can yield diverse outcomes in separate runs, even under optimal functioning conditions. The factors given below describes variations observed in the results of stochastic optimization algorithms like DE.

• DE starts with a randomly generated initial population of candidate solutions. The variations among these initial solutions can influence diverse paths in the optimization process.
• DE involves stochastic operations such as mutation and crossover. These stochastic processes can result in different offspring or solutions at each generation.
• With each generation, the mutation operation introduces random perturbations to the solutions. The unpredictability in these perturbations can lead the optimization process to explore diverse regions of the search space in each iteration.
• DE employs heuristics to direct the search, and the interaction of these heuristics with randomness can result in varied decisions across different runs.

Therefore, to mitigate the effects of randomness and to determine the most optimal features, we run the algorithm 50 times. In each run, the DE algorithm produces a diverse set of optimal features. If the number of times a feature is selected is high, that means the particular feature is very important and very relevant for classification. Thus, those features with high counts are deemed critical for effective botnet detection. The 12th scenario of the CTU-13 dataset consists of 14 features (F1 to F14), excluding the target or label, as described in Table 3.

Table 17. Count of selected features for peer-to-peer botnet detection system.

Count of Selected Features for Peer-to-Peer Botnet Detection System
F1	F2	F3	F4	F5	F6	F7	F8	F9	F10	F11	F12	F13	F14
4	2	7	18	11	4	9	3	3	2	2	10	6	4

shows the count of all of the features that were selected during 50 runs, where it is possible that more than one feature is selected in each run. Table 17 reveals that feature 4 (SrcAddr) was the mostly selected feature.

The repeated use of SrcAddr (source IP address) shows how useful it is in classifying P2P botnet traffic. In networks infected with botnets, compromised hosts (bots) participate in recurrent and decentralized peer-to-peer communication. This leads to anomalous behavior where specific source IPs initiate an excessive number of connections, sometimes to different destinations or within very short intervals. These patterns can significantly differ from typical host behavior in legitimate traffic, making SrcAddr a valuable feature for distinguishing infected nodes.

Sport (source port) was the second most frequently selected feature in DE runs due to its operational significance. Botnet communications may involve the use of non-standard or fixed source ports for consistent peer discovery or command exchange. The appearance of uncommon or repetitive source ports across different flows can signal the presence of malware or automated behavior. From a domain perspective, both SrcAddr and Sport provide granular, connection-level insights that are highly effective for detecting distributed and stealthy P2P botnet activities.

In the experiments, it has been found that all of the classifiers and the ensemble learning algorithm exhibit different levels of performance when different feature subsets are applied. In order to find out the optimal result, the proposed approach was tested with different feature subsets. The initial subset encompasses the two most optimal features, followed by the gradual creation of subsequent subsets through the incremental addition of less significant features, up to the incorporation of the least significant one.

Table 18. Majority voting ensemble result using all feature subsets for peer-to-peer botnet detection.

No. of Features	Accuracy	Precision	Recall	F1-Score	TP	TN	FP	FN
2	99.99	99.49	98.98	99.23	2132	322,752	11	22
3	99.99	99.30	98.60	98.95	2124	322,748	15	30
4	99.98	99.62	96.80	98.19	2085	322,755	8	69
5	99.98	99.56	96.80	98.16	2085	322,754	9	69
6	99.97	99.52	96.15	97.80	2071	322,753	10	83
7	99.97	99.56	95.54	97.51	2058	322,754	9	96
8	99.97	99.57	95.68	97.59	2061	322,754	9	93
9	99.98	99.57	96.84	98.19	2086	322,754	9	68
10	99.98	99.34	96.84	98.1	2086	322,750	13	68
11	99.98	99.48	96.80	98.12	2085	322,752	11	69
12	99.97	99.33	96.56	97.93	2080	322,749	14	74
13	99.97	99.33	96.43	97.86	2077	322,749	14	77
14	99.97	99.38	96.61	97.98	2081	322,750	13	73

demonstrates the results of the majority voting ensemble algorithm using all of the feature subsets.

By analyzing the table above, we can draw the following conclusions:

• Accuracy is consistently high across all feature sets, ranging between 99.97% and 99.99%. The accuracy remains nearly unchanged, even as the number of features increases.
• Precision is a key metric that measures the proportion of true positives out of all positive predictions. A feature set with two features gives the highest precision at 99.49, which decreases slightly as more features are included but generally remains high.
• Recall measures how well the model identifies true positives out of all actual positives. The recall is highest with the two-feature set (98.98%) and tends to decrease as more features are added, bottoming out at 95.54% with seven features.
• The F1-score balances precision and recall, and its values are high across all feature sets. The highest F1-score (99.23%) is observed with two features, which balances both precision and recall well.
• The true positives are highest with feature sets ranging from 9 to 10 features (2086 TPs).
• The false negatives (missed detections) are lowest when using two features (22 FNs), which is desirable as it indicates fewer missed detections of positive cases.
• The false positives (incorrect positive classifications) are slightly higher with feature sets that have fewer features (such as 2 features with 11 FPs) but remain very close across most feature sets.

Based on the F1-score (which balances precision and recall), two features appear to represent the optimal feature set, as this provides the highest F1-score (99.23%); the highest recall (98.98%), which means the model identifies more true positives; the highest precision (99.49%), reducing the number of false positives; and the lowest number of false negatives (22 FNs). Thus, using two features gives the best balance between precision and recall, making it the most efficient feature set for this task.

The following table (

Table 19. Accuracy matrix of the model using all feature subsets for peer-to-peer botnet detection.

	Number of Features
Model	2	3	4	5	6	7	8	9	10	11	12	13	14
LDA	99.34	99.34	99.28	99.12	99.12	99.33	99.32	99.32	99.30	99.25	99.26	99.26	99.26
KNN	99.98	99.97	99.94	99.94	99.88	99.88	99.88	99.88	99.84	99.84	99.84	99.84	99.84
DT	99.98	99.98	99.98	99.98	99.98	99.97	99.97	99.97	99.97	99.97	99.97	99.97	99.97
RF	99.99	99.99	99.99	99.99	99.99	99.99	99.98	99.99	99.99	99.99	99.98	99.98	99.98
NB	99.38	99.34	94.26	94.41	88.52	86.99	86.99	43.84	51.65	52.69	53.02	53.02	53.00
SVM	99.34	99.38	99.60	99.60	99.34	99.34	99.34	99.34	99.34	99.34	99.34	99.34	99.34
MV	99.99	99.99	99.98	99.98	99.97	99.97	99.97	99.98	99.98	99.98	99.97	99.97	99.97

) demonstrates the accuracy matrix of the model using all of the feature subsets.

The below figures (Figure 3 and Figure 4) display the accuracy and precision of the six classification algorithms and majority voting ensemble learning algorithm. The following table (

Table 20. Precision matrix of the model using all feature subsets.

	Number of Features
Model	2	3	4	5	6	7	8	9	10	11	12	13	14
LDA	0	0	0.51	0.99	0.99	2.41	4.17	4.17	9.09	6.42	5.57	5.56	5.56
KNN	97.31	97.08	94.77	94.77	90.60	91.12	91.11	91.22	87.45	87.45	87.37	87.37	87.37
DT	98.12	97.98	98.02	97.88	97.83	97.61	97.70	97.83	97.43	97.39	97.26	97.03	97.39
RF	99.53	99.30	99.58	99.58	99.67	99.67	99.76	99.81	99.81	99.76	99.86	99.76	99.81
NB	0	0	2.90	4.05	4.07	3.61	3.61	1.16	1.34	1.37	1.38	1.38	1.38
SVM	0	0	79.27	78.89	0	0	0	0	0	0	0	0	0
MV	99.49	99.30	99.62	99.56	99.52	99.56	99.57	99.57	99.34	99.48	99.33	99.33	99.38

) demonstrates the precision matrix of the model using all of the feature subsets.

The following table (

Table 21. Recall matrix of the model using all feature subsets for peer-to-peer botnet detection.

	Number of Features
Model	2	3	4	5	6	7	8	9	10	11	12	13	14
LDA	0	0	0.05	0.32	0.32	0.05	0.09	0.09	0.60	0.97	0.74	0.74	0.74
KNN	99.30	98.70	95.82	95.82	91.32	90.95	90.95	91.18	88.30	88.30	88.02	88.02	88.02
DT	99.30	99.21	98.80	98.79	98.48	98.51	98.47	98.33	98.56	98.56	98.70	98.70	98.70
RF	99.30	99.21	98.98	98.65	98.65	98.19	97.68	98.24	97.96	98.14	97.63	97.63	97.73
NB	0	0	23.54	32.73	72.28	72.56	72.56	99.03	99.07	99.12	99.07	99.07	99.07
SVM	0	0	54.69	54.83	0	0	0	0	0	0	0	0	0
MV	98.98	98.60	96.80	96.80	96.15	95.54	95.68	96.84	96.84	96.80	96.56	96.43	96.61

) demonstrates the recall matrix of the model using all of the feature subsets.

Figure 5 shows the recall vs. number of features for different models for a peer-to-peer botnet detection system.

The following table (

Table 22. F1-score matrix of the different models using all feature subsets for peer-to-peer botnet detection system.

	Number of Features
Model	2	3	4	5	6	7	8	9	10	11	12	13	14
LDA	0	0	0.09	0.49	0.49	0.09	0.18	0.18	1.13	1.69	1.31	1.31	1.31
KNN	98.30	97.89	95.29	95.29	90.96	91.03	91.03	91.20	87.87	87.87	87.70	87.70	87.70
DT	98.70	98.59	98.40	98.34	98.15	98.06	98.08	98.08	97.99	97.97	97.97	97.86	98.04
RF	99.41	99.26	99.28	99.11	99.16	98.92	98.71	99.02	98.88	98.94	98.73	98.69	98.76
NB	0	0	5.16	7.21	7.70	6.89	6.89	2.28	2.64	2.70	2.72	2.72	2.72
SVM	0	0	64.73	64.69	0	0	0	0	0	0	0	0	0
MV	99.23	98.95	98.19	98.16	97.80	97.51	97.59	98.19	98.1	98.12	97.93	97.86	97.98

) demonstrates the F1-score matrix of the model using all of the feature subsets.

The figures above (Figure 3, Figure 4, Figure 5 and Figure 6) illustrate the performance of six classification algorithms (NB, KNN, DT, LDA, RF, and SVM) and the ensemble learning algorithm (mv) across all of the feature subsets.

In order to enhance the performance of the proposed method, we employed the majority voting algorithm. This involved taking the results obtained from the base classifiers mentioned earlier (as detailed in Table 18) and utilizing them as input for the majority voting algorithm. The output of this ensemble approach, depicted in Table 18, represents the final result of our methodology.

Our method attained an accuracy of 99.99% (

Table 23. Result of the proposed approach for peer-to-peer botnet detection system.

Accuracy (%)	Precision (%)	Recall (%)	F1-Score (%)	TP	TN	FP	FN
99.99	99.49	98.98	99.23	2132	322,752	11	22

), indicating that the overall predictions made by the classification model are highly accurate. While accuracy is crucial, especially in balanced datasets, it may not fully represent model performance in imbalanced class distributions. Therefore, we also evaluated our model using precision, recall, and F1-score metrics and we generated a confusion matrix as well. Our method achieved a precision of 99.49%, ensuring that a large proportion of instances predicted as positive are indeed relevant. With a recall value of 98.98%, our model effectively minimizes false negatives, correctly identifying a significant portion of positive instances. Furthermore, the F1-score, at 99.23%, signifies a strong balance between precision and recall, highlighting the robustness of our model’s performance.

6. Comparison

In this section, we present a comparison of results of our approach with the approaches described in the Related Work Section.

Table 24. Comparison of our approach with the approaches presented in related work.

Sl. No.	Author	Botnet Type Detected	Accuracy	Precision	Recall	F1
1	[13]	IRC	100%	Not mentioned	Not mentioned	Not mentioned
2	[14]	IRC	95.09%	Not mentioned	Not mentioned	Not mentioned
3	[15]	P2P	99.64%	Not mentioned	99.82%	Not mentioned
4	[16]	P2P and IRC	Not mentioned	Not mentioned	99.46%	Not mentioned
5	[8]	Not mentioned	Not mentioned	99.17%	96.85%	Not mentioned
6	[17]	Not mentioned	95%	95%	95%	Not mentioned
7	[18]	Not mentioned	99.68%	Not mentioned	Not mentioned	Not mentioned
8	[19]	P2P	99%	Not mentioned	Not mentioned	Not mentioned
9	[20]	P2P	Not mentioned	Not mentioned	Not mentioned	Not mentioned
10	[21]	Not mentioned	97.8%	Not mentioned	97%	Not mentioned
11	[22]	P2P	99.04%	99.35%	99.35%	99.21%
12	Our approach	P2P	99.99%	99.49%	98.98%	99.23%

shows a comparison of our approach with the approaches discussed in the related work.

As shown in the above table (Table 24), no other work has displayed their result using accuracy, precision, recall, and F1-score, except Joshi et al. [22]. Some methods have displayed their result using only an accuracy performance metric, which is not enough to check the performance of a method. Some methods did not mention whether their dataset contained P2P bots or not. Some methods use IRC datasets, where P2P bot communication is not available. But our method is validated on a publicly available P2P benchmark dataset and it outperforms all other methods by achieving 99.99% acc, 99.49% pre, 98.98% rec (slightly less than other methods), and 99.23% F1-score.

7. Conclusions and Future Works

This paper introduces a novel botnet detection model leveraging the differential evolution algorithm, which is an evolutionary metaheuristic. Metaheuristic algorithms are general-purpose optimizers which can effectively handle a spectrum of complex problems, across various domains. They excel in tackling problems that are computationally complex and often involve a large solution space. They are particularly valuable for solving NP-hard (non-deterministic polynomial time hard) problems.

Our differential-evolution-based proposed model excels in selecting an optimal subset of features, effectively discerning botnet traffic from normal patterns. The outcomes demonstrate a marked enhancement in accuracy, precision, recall, and F1-score, achieved with a reduced set of features. For future endeavors, refining the model’s scalability and exploring its applicability across diverse datasets stand as promising avenues to further elevate its effectiveness and broaden its utility in real-world scenarios.