A hybrid intelligent approach to detect Android Botnet using Smart Self-Adaptive Learning-based PSO-SVM

Authors: Mahdi Moodi (1, *), Mahdieh Ghazvini (2), and Hossein Moodi (3)
1, 2: Computer Engineering Department, Shahid Bahonar University of Kerman, Kerman, Iran
3: Computer Engineering Department, Birjand University of Technology, Birjand, Iran
1: mahdi.moodi.72@gmail.com, 2: mghazvini@uk.ac.ir, 3: hmoodi@birjandut.ac.ir
*Corresponding author: Mahdi Moodi

Abstract
In recent years, extensive research has been conducted on detecting Android botnets, but most of the approaches introduced perform well only on a limited number of datasets. The question is therefore how to design an approach that offers a high detection rate across many different Android botnets. To answer it, we propose a Smart Self-Adaptive Learning-based Particle Swarm Optimization Support Vector Machine (SSLPSO-SVM) approach that identifies Android botnets with high accuracy. The SSLPSO algorithm uses five different PSO-based strategies for scanning the search space simultaneously. Instead of choosing among them by Roulette Wheel Selection, SSLPSO uses a new method called Smart Selection Strategies (SSS). At each stage of execution, SSS sets the priority of each strategy, and how often it is applied, according to the number of changes that strategy produced in the personal best (Pbest) and global best (Gbest) particles. In other words, the strategy that produced more changes in Pbest and Gbest in the previous step is given higher priority in the next step and is allowed to update the positions of more particles. By selecting the best strategies in this way, SSLPSO finds the best values for the SVM parameters (the sigma parameter (σ) and the penalty parameter (C)) together with the best subset of the features available in the dataset, so that the SVM can detect Android botnets accurately. The results obtained with SSLPSO-SVM show its superiority over three other methods not only in the four measures of Sensitivity, Specificity, Precision, and Accuracy but also in execution time. Finally, the top 20 Android botnet features are identified from the best results over the 28 Android botnet datasets.
https://doi.org/10.1016/j.knosys.2021.106988
Keywords: PSO, Mobile Botnet, Android Botnet, SVM, Smart Adaptive-PSO-SVM, Smart Self-Adaptive Learning-based PSO-SVM.
1. INTRODUCTION
Nowadays, with the increasing popularity of smartphones, the development of these portable devices, and the creation of the infrastructure that supports them, the ground has been prepared for further exploitation. Mobile botnets [1] are among the most harmful kinds of malware targeting smartphones. Their infrastructure consists of the following elements [2-4]:
1) A bot is a software program installed on vulnerable hosts that can carry out malicious actions. Once the bot program is installed on a device, that device becomes a bot or zombie;
2) The Command and Control (C&C) server receives commands from the Botmaster and relays them to the bots;
3) The Botmaster, or bot leader, is the person or group of people who control the bots by sending them commands to perform illegal or malicious activities.
Botnets and mobile botnets are typically detected by extracting their important features [5-7]. Machine learning algorithms such as the J48 decision tree, Naïve Bayes, MLP, KNN, Random Forest, and SVM are then trained on these features [2, 5-7] to identify botnets (or mobile botnets). However, the selected features are useful only when each feature reveals important relationships between the Botmaster and the bots and the correlation between the features is as high as possible [7]. One way to find important botnet features is through two behaviours observed in practice: first, bots respond immediately after receiving orders from the Botmaster, whereas normal traffic does not show the same pattern (its responses are delayed); second, bots carry out pre-programmed activities according to the commands of their administrators, so all bots in a botnet may act in a synchronized way [7].
Based on the smartphone operating system, mobile botnets can be categorized into Android, iOS, Symbian, and Windows Phone botnets. Android has the largest number of users among smartphone operating systems [1]; it is also open source, which makes it easier for attackers to find and exploit its bugs. In most botnet detection papers, security researchers try to increase the detection rate by using machine learning techniques and selecting important botnet features [2, 5-7]. Unfortunately, most of these papers use simple machine learning approaches, so the detection rate is high only for a small number of datasets; applied to other datasets, the same approach does not achieve a high detection rate. The reason is that in these papers the main parameters of the machine learning algorithm
are usually set manually, and as a result these parameters cannot produce similar results on different types of datasets. In this article we aim for the maximum detection rate by challenging our proposed method on 28 different Android botnet datasets [1], which also demonstrates the effectiveness of the proposed method.
1.1. Support Vector Machine (SVM)
In this paper, the proposed model is trained with the SVM technique to detect mobile botnets accurately. SVM is an effective supervised approach for regression and classification problems [8]. It uses a set of mathematical functions known as kernels. A kernel function takes the data as input and transforms it into the required form. Different SVM variants use different kernel functions, including linear, polynomial, radial basis function (RBF), and sigmoid kernels. When the dataset has many features, the kernel function allows the feature space to be expanded to arbitrarily high (even infinite) dimension [9]. Here, the RBF kernel is used. The RBF kernel has a width parameter (σ) that must be selected by the user, and SVM itself has another parameter, the penalty (C), whose value must also be specified by the user [8]. Choosing these two SVM parameters correctly is therefore what makes accurate identification of mobile botnets possible. In this article, we use the Particle Swarm Optimization (PSO) algorithm to set them. The goal of PSO is to improve the performance of the SVM while training the Android botnet detection system, so that it can detect Android botnets accurately [10].
1.2. Particle Swarm Optimization (PSO)
Particle Swarm Optimization (PSO) was introduced by James Kennedy as a general optimization technique [11]. It solves optimization problems by imitating the collective movement of flocks of birds and schools of fish [12, 13]. Its advantages include fast convergence to the global best point, simple implementation, a small number of adjustable parameters, and good computational efficiency (low memory requirement and low CPU cost) [10]. Besides finding optimal solutions for continuous [11] and discrete [14] mathematical problems, it can provide optimal solutions to complex engineering problems [10]. Accordingly, the purpose of using PSO here is to optimize the main SVM parameters (the sigma parameter (σ) and the penalty parameter (C)) together with the selection of the features available in the dataset, so that the method can identify Android botnets with high accuracy on different datasets.
The main challenge in this paper is to achieve the maximum accuracy in detecting Android botnets across the 28 Android botnet datasets (28-SABD). We therefore introduce a new approach for detecting Android botnets with high accuracy, based on the following contributions:
1) The SSLPSO algorithm optimizes the two main parameters of the SVM approach (the sigma parameter (σ) and the penalty parameter (C)) together with the selection of the important features, simultaneously and dynamically, taking into account all the conditions a particle can experience during execution. If these factors are optimized together as well as possible, the output of the proposed model is an accurate identification of Android botnets.
2) The SSLPSO algorithm uses five different PSO-based strategies for scanning the search space simultaneously. Instead of choosing among them by Roulette Wheel Selection, SSLPSO uses a novel method called Smart Selection Strategies (SSS). SSS ranks the strategies by the number of times each of them changed the personal best (Pbest) and global best (Gbest) particles in the previous execution step: a strategy has higher priority than the others if and only if it accounts for a larger share of the Pbest and Gbest changes made in the previous step. The priority of each strategy in turn directly determines how often that strategy is applied in the current step.
3) With this approach, the opportunity to update particles at each stage of execution is given to the strategy that performed better in the previous stage. In other words, the strategy that produced more changes in Pbest and Gbest is allowed to update the velocity and position of more particles in the next step, because it is more likely to drag the particles to a better position in the search space, and so more particles should be allocated to it.
4) Finally, the SSLPSO algorithm provides an optimal output for the SVM technique. Given the SVM parameters and the important dataset features selected by SSLPSO, the output of the proposed model is an accurate identification of Android botnets.
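As an added illustration (example code, not the authors' implementation), the following Python sketch shows the SSS credit-assignment rule of contributions 2) and 3) on a toy problem: three simplified stand-in velocity-update strategies compete, the Pbest/Gbest improvements of each iteration are counted per strategy, and the next iteration's particle allocation follows those counts, with the highest-credit strategy moving its particles first. The sphere benchmark, the PSO constants, the minimum share of one particle per strategy and the stand-in strategies are all assumptions; the paper's actual five strategies and its SVM-based fitness are not reproduced.

```python
import random

DIM = 5
N_PARTICLES = 30
W, C1, C2 = 0.72, 1.49, 1.49   # assumed inertia weight and acceleration constants


def sphere(x):
    """Benchmark to minimise (stand-in for the SVM cross-validation error)."""
    return sum(v * v for v in x)


def standard_pso(p, particles, gbest, rng):
    """Basic PSO velocity: inertia + pull towards own Pbest + pull towards Gbest."""
    return [W * v + C1 * rng.random() * (pb - x) + C2 * rng.random() * (gb - x)
            for v, x, pb, gb in zip(p["v"], p["x"], p["pbest"], gbest)]


def difference_based(p, particles, gbest, rng):
    """DbV-like stand-in: learn from the difference of two random particles' positions."""
    a, b = rng.sample(particles, 2)
    return [W * v + C1 * rng.random() * (pb - x) + C2 * rng.random() * (xa - xb)
            for v, x, pb, xa, xb in zip(p["v"], p["x"], p["pbest"], a["x"], b["x"])]


def comprehensive_learning(p, particles, gbest, rng):
    """CLPSO-like stand-in: every dimension learns from a randomly chosen particle's Pbest."""
    return [W * v + C1 * rng.random() * (rng.choice(particles)["pbest"][d] - x)
            for d, (v, x) in enumerate(zip(p["v"], p["x"]))]


STRATEGIES = {"PSO": standard_pso, "DbV": difference_based, "CLPSO": comprehensive_learning}


def sss_allocate(credits, n_particles, floor=1):
    """Smart Selection Strategies: number of particles each strategy may move in the
    next iteration, proportional to the Pbest+Gbest improvements it produced in the
    last one. Every strategy keeps at least `floor` particles so it can earn credit
    again (the floor is an assumption of this example); rounding remainder goes to
    the highest-priority strategy."""
    names = list(credits)
    total = sum(credits.values())
    if total == 0:                                   # nobody improved: split evenly
        base = [n_particles // len(names)] * len(names)
    else:
        base = [max(floor, int(n_particles * credits[s] / total)) for s in names]
    alloc = dict(zip(names, base))
    top = max(names, key=lambda s: credits[s])
    alloc[top] += n_particles - sum(base)
    return alloc


def run_sslpso(iters=100, seed=1):
    """Returns the best fitness found and the per-iteration allocation history."""
    rng = random.Random(seed)
    particles = []
    for _ in range(N_PARTICLES):
        x = [rng.uniform(-5.0, 5.0) for _ in range(DIM)]
        particles.append({"x": x, "v": [0.0] * DIM, "pbest": list(x), "pfit": sphere(x)})
    best = min(particles, key=lambda p: p["pfit"])
    gbest, gfit = list(best["pbest"]), best["pfit"]
    credits = {s: 1 for s in STRATEGIES}             # first round: equal priority
    history = []
    for _ in range(iters):
        alloc = sss_allocate(credits, N_PARTICLES)
        idx = list(range(N_PARTICLES))
        rng.shuffle(idx)
        new_credits = {s: 0 for s in STRATEGIES}
        # higher-priority strategies pick (and move) their particles first
        for name in sorted(alloc, key=lambda s: -credits[s]):
            for i in idx[:alloc[name]]:
                p = particles[i]
                p["v"] = STRATEGIES[name](p, particles, gbest, rng)
                p["x"] = [x + v for x, v in zip(p["x"], p["v"])]   # position update
                fit = sphere(p["x"])
                if fit < p["pfit"]:                   # Pbest changed: one credit
                    p["pbest"], p["pfit"] = list(p["x"]), fit
                    new_credits[name] += 1
                    if fit < gfit:                    # Gbest changed: one more credit
                        gbest, gfit = list(p["x"]), fit
                        new_credits[name] += 1
            idx = idx[alloc[name]:]
        credits = new_credits
        history.append(dict(alloc))
    return gfit, history


if __name__ == "__main__":
    best_fit, hist = run_sslpso()
    print("best fitness:", best_fit)
    print("first allocation:", hist[0], "last allocation:", hist[-1])
```

The allocation history makes the mechanism visible: a strategy that stops improving Pbest/Gbest shrinks to its floor share, while the strategy that is currently dragging the swarm forward takes most of the particles in the next iteration, which is the behaviour roulette wheel selection cannot guarantee.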
The rest of the article is organized as follows. Section 2 summarizes related work on mobile botnets. Section 3 introduces the proposed method, and the experimental results are reported in Section 4. Section 5 discusses the potential of the proposed approach. Finally, Section 6 concludes the study and outlines directions for future work.
2. RELATED WORKS
In 2009, security researchers identified mobile botnets on smartphones for the first time: the SymbOS.Exy.A and iKee.B botnets, which exploited Symbian OS and iOS respectively, were detected that year [15, 16]. Then, with the proliferation of Android smartphones in 2010, the Genimi Android botnet [17] was identified, and since then, with the growing use of smartphones in most societies, Botmasters have developed more and more mobile botnets. Botmasters usually create mobile botnets for the following purposes:
1) Collecting and stealing key information: mobile botnets can collect sensitive information such as credit card and bank account numbers, usernames and passwords for social networks and websites, the user's contact list, and the user's location. The Genimi, TigerBot, Wroba, and SMSHowU mobile botnets were designed for this purpose [3, 15-19].
2) Cyber fraud: mobile botnets are also used for cyber fraud, for example phishing, which lures users into actions they would never take if they were aware of the consequences. Smishing.D is an example of this type of mobile botnet [3, 18]. Another example is the Geost botnet, identified in 2020 [20]; researchers estimate that it infected the Android phones of more than 800,000 Russian citizens, potentially giving the attackers access to millions of euros in the victims' bank accounts [20].
3) Sending SMS spam: mobile botnets can infect smartphones by distributing malicious programs via SMS, and can also get onto users' phones and steal their information by luring users into clicking attractive links. Spamsold is an example of this type of mobile botnet [3, 18].
4) Executing attacks: after infiltrating a phone, mobile botnets can launch a variety of attacks. For example, the Zitmo and Tascudap mobile botnets were built for banking fraud and DDoS attacks, respectively [3, 15-19].
Having recognized the goals of mobile botnets, the next question is what the life cycle of a mobile botnet looks like. This is addressed in the next section.
2.1. Life cycle of a botnet (mobile botnet)
For a vulnerable host to become a bot and part of a botnet, it must go through a sequence of steps known as the botnet life cycle [1]. The life cycle of a mobile botnet is shown in Figure (1).
Formation → Command & Control → Attack → Post-Attack
Figure (1): The life cycle of a mobile botnet
1) Formation: in the first step, the attacker exploits a vulnerability in the target phone and uses the resulting access to install the malicious program. Once the program is installed and run, the victim's smartphone becomes a bot. According to the smartphone operating system, mobile botnets can be divided into Android, iOS, Symbian, Windows Phone, and other botnets.
2) Command & Control (C&C): in this stage, the bots try to communicate with their command and control server and join the mobile botnet through the connection they establish. One difference between mobile botnets and regular botnets is the use of SMS and Bluetooth as command and control channels. The most important C&C channels in mobile botnets are the following:
Bluetooth: the advantages of this channel are (1) the popularity of Bluetooth around the world, (2) its low cost, (3) an acceptable transmission speed, (4) its availability on most smartphones, tablets, and laptops today, (5) weak detection capability by security researchers, and (6) the possibility of eavesdropping and identity forgery. Its disadvantages are (1) the geographical restriction of the channel's activity and (2) the drain on the battery of infected devices, which makes users suspicious [21, 22].
SMS and MMS: the benefits of this channel are (1) SMS is available in all parts of the world and can be sent to all parts of the world, (2) the SMS channel can be used to send instructions to bots even when the smartphone has no Internet access, and (3) malicious commands can be delivered to an infected smartphone as a text message without the user noticing. The disadvantage of this channel is the high cost it adds to the phone bill; Zitmo, for example, is a botnet that causes infected users to pay high bills [23, 24].
Web/Internet: the benefits of this channel are (1) HTTP and IRC are widely used as C&C protocols, (2) using standard web-based services and protocols lets bots hide their communication in normal web traffic, making them stealthier and harder to detect, and (3) because web protocols are allowed in schools, universities, corporations, and organizations, Botmasters are motivated to use them to reach many different targets [25, 26].
Social Online Networks: with the expansion of online social networks, Botmasters have paid more attention to this platform. Because the volume of data transferred on these platforms is very large, mobile botnets can hide their communication with the command and control server and avoid detection [27, 28].
3) Attack: after the bots have established communication with the command and control server, the attack phase begins. The bots receive commands from the Botmaster through the C&C channel and perform malicious activities accordingly. Most attacks carried out by Botmasters serve the goals mentioned earlier [1].
4) Post-Attack: at this point, the Botmaster may update the bot program to improve its capabilities or make other changes. It may also use new methods to keep the bots hidden and prevent their detection [1].
Now that the mobile botnet life cycle is familiar, the question is how security researchers identify mobile botnets. This is covered in the next section.
2.2. Mobile Botnet Detection
Mobile botnet identification methods can be divided into three main categories, static, dynamic, and hybrid, explained below [29]:
Static-based: this approach is less complex than the dynamic-based method [4, 30-33] and can detect mobile botnets faster. The source code of the software is analysed directly to obtain a set of characteristics and features which, besides identifying mobile botnets, can also be used against other malware in this area [34]. The disadvantages of the static-based method are [34]:
1) It cannot detect mobile botnets that have been updated by the Botmaster.
2) It cannot detect mobile botnets that have not yet been identified.
3) It sometimes classifies benign applications as malware.
4) It requires considerable processing power and memory to analyse the source code.
Dynamic-based: in this method, the malicious applications are run on a smartphone and the traffic they generate is recorded. To avoid damaging the smartphone, security researchers usually execute mobile botnets in a sandbox [4, 30, 33, 35, 36]. The disadvantages of the dynamic-based method are:
1) It is not suitable for real-time analysis.
2) It consumes a lot of resources such as CPU, RAM, and storage.
Its benefits are as follows [37]:
1) It can detect mobile botnets that have not yet been identified.
2) If the C&C traffic of a mobile botnet is encrypted, security researchers can still use other features of the botnet to identify it.
3) It can detect updated versions of a mobile botnet based on features shared with the previous version that are visible in its network traffic.
Hybrid-based: this method detects mobile botnets by combining the static-based and dynamic-based methods [38, 39]. The application is executed in a controlled environment or on a smartphone, and mobile botnets are identified from the traffic generated by the device. Botnets, however, use Domain Generation Algorithms [40] to produce lists of domain names for themselves in order to avoid detection. Security researchers therefore also use static analysis [31, 34, 41] and application features, not only to detect botnet traffic with high accuracy but also to separate the traffic generated by mobile botnets from benign traffic.
Based on the above, the dynamic-based and hybrid-based methods in most cases perform better than static methods. In this article, we use the dynamic method for the following reasons:
1) The hybrid approach consumes more resources than the dynamic approach, because it uses both static and dynamic analysis.
2) The response time of the hybrid approach is longer than that of the dynamic method, because its output combines the results of the static and dynamic methods.
2.3. Impact of mobile botnets on IoT and ways to detect it
With the increasing use of IoT equipment and users' desire to control these smart devices from their smartphones, there is ample opportunity to abuse this equipment. For example, once a mobile botnet has complete control over a smartphone, it can disrupt the operation of the IoT devices that the smartphone controls [1]. Research conducted in 2020 has also shown that more than 50 billion IoT devices are in use worldwide [42]. IoT may therefore become one of the most dangerous platforms in the future, since a suitable security platform for protecting these devices does not yet seem to be well established. McDermott and colleagues have done valuable research on identifying botnets in this area. In [42], after collecting a large IoT database and labelling all of its data, they identified botnets at the packet level for the first time with the help of the LSTM-RNN technique, and reported a detection rate of over 98% [42].
2.4. Impact of Peer to Peer (P2P) mobile botnets and ways to detect it
One way mobile botnets spread is by using a Bluetooth channel to infiltrate victims' phones: the infected phone turns on Bluetooth, penetrates a nearby phone, and transfers the mobile bot to it. This approach suffers from the geographical restriction of Bluetooth; if the distance between the infected phone and the victim is large, the mobile bot cannot be transferred. Because of this limitation, the best setting for this type of mobile botnet is a place where large numbers of people are gathered in a limited space. There, the attacker can collect information from all the infected phones by infecting each of them with the mobile bot over the Bluetooth channel. To identify this type of botnet, Zhuang and colleagues introduced an approach called Enhanced PeerHunter, which detects it with 100% accuracy by analysing network flow behaviour [43].
In the next section, we introduce in detail a comprehensive approach to identifying Android botnets.
3. PROPOSED METHOD
To identify Android botnets with the maximum detection rate, we need to optimize the SVM parameters in the best possible way. Why should these parameters be optimized?
1) Because mobile botnets can behave like ordinary users. If the SVM parameters are set manually, the chance of achieving a high detection rate is therefore reduced.
2) Because mobile botnets can encrypt important features, such as the messages they send, and can evade identification by generating many different domains. Without optimization techniques we cannot find the relationships between the mobile botnets' features; with them, we can choose the best features from among the mobile botnets' features and get closer to the maximum detection rate.
In this section, therefore, two approaches are introduced that can best optimize the parameters of the SVM technique. Before addressing these two approaches, we take a brief look at our proposed approach (SSLPSO-SVM).
3.1. Overview of the proposed method
Figure (2) summarizes the proposed method. First, the training data is given to the SSLPSO algorithm, which optimizes the main parameters of the SVM method and selects the most important features of the training data. The algorithm uses five different strategies to update particle velocity: one is the SAPSO algorithm and the other four are presented in [44-47]. The velocity update strategy is chosen intelligently according to the conditions the particles have experienced during execution. After the velocity is updated, the new position of the particle is determined and passed to the fitness function. If the SSLPSO algorithm has succeeded in optimizing the main SVM parameters and selecting the most important features of the training data, the algorithm stops; otherwise the cycle is repeated until the stopping condition is met.
Figure (2): Proposed method (SSLPSO-SVM). Flowchart: Start → Training Dataset → Smart Selection of Velocity Updating Strategies (SAPSO, EbV, DbV, CLPSO, PSO-CL-Pbest) → New position for particle i → Fitness → Optimize SVM parameters along with Feature Selection → Stop condition for SSLPSO? (NO: repeat the cycle; YES: end)
3.2. Self-Adaptive Learning based PSO (SLPSO)
The SLPSO algorithm is a hybrid approach that uses several methods for velocity updating. At each stage of execution, roulette wheel selection decides which method may update the particles in the search space. Roulette wheel selection chooses a strategy with the help of a random function, so it is possible that, at a given stage, the strategy suited to that stage is not selected and consequently the SLPSO output is not appropriate. (Note that in roulette wheel selection, a lower-priority strategy can be chosen instead of a higher-priority one.)
SLPSO introduces four strategies for velocity updating, described below.
1) Strategy-1:
This method, known as Difference-based Velocity (DBV) [47], prevents sudden changes in velocity [44, 45]. It updates a particle's velocity using information drawn from different parts of the search space, so that each particle explores a larger region. In the corresponding row of Table (1), the two position terms are the d-th dimension of the positions of two particles selected at random from the swarm, and the random coefficient is normally distributed on the interval [0,1].
Table (1): Five velocity update formulas with two new position formulas for all strategies (the formulas themselves are not recoverable from this copy; only the row labels are listed)
Strategy-1 (DBV); Strategy-2 (CLPSO); Strategy-3 (PSO-CL-Pbest); Strategy-4 (Wang et al. [44]); Strategy-5 (SAPSO)
(1) New position for all strategies
(2) New position for feature selection by using BPSO [14]
2) Strategy-2:
Comprehensive Learning PSO (CLPSO) is a good velocity-updating strategy for multi-modal problems [44-46]. In this strategy, every particle's Pbest has a chance to influence the velocity of any other particle: each dimension of the i-th particle may learn from its own Pbest or from the Pbest of another particle, chosen at random separately for every dimension of the i-th particle. In the corresponding row of Table (1), the Pbest term is the d-th dimension of the personal best experience of the k-th particle, where k is chosen at random; one random coefficient is normally distributed on the interval [0,1] and the other is uniformly distributed on [0,1].
3) Strategy-3:
According to the study in [45], CLPSO explores a large region for every problem, and hence its convergence speed is lower. To address this, Wang and his associates [44] developed a strategy that searches a more limited region, so that the particles converge to an optimum faster than in CLPSO [46]. This strategy is known as PSO-CL-Pbest [44]. To reduce the complexity of the algorithm, the Pbest used by each particle in each dimension is selected at random. In the corresponding row of Table (1), the Pbest term is the d-th dimension of the personal best experience of the k-th particle, where k is chosen at random, and the random coefficient is normally distributed on the interval [0,1].
4) Strategy-4:
The main feature of the basic PSO algorithm is its high convergence rate. It performs very well at first, but after a few steps the particles become trapped in local optima and lose their effectiveness. Wang and his colleagues [44] therefore introduced a velocity update for complex multi-modal problems which, in addition to a high convergence speed, prevents the particles from being trapped quickly in local optima. By combining Cauchy and Gaussian probability models, this method strikes a compromise between population diversity and convergence rate. In the corresponding row of Table (1), the mean term is the mean position of the best 20% of particles, the Pbest term is the d-th dimension of the personal best experience of the k-th particle, where k is chosen at random, and the coefficient c is obtained by combining a Gaussian and a Cauchy distribution.
With the strategies outlined above, the SVM parameters (the sigma parameter (σ) and the penalty parameter (C)) can be optimized to identify Android botnets at a high rate. The Smart Adaptive PSO (SAPSO) technique, which has already achieved a high detection rate on the 28 Android botnet datasets [10], is introduced next.
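As an added example (not the authors' code), the following Python sketch shows how one particle can carry the continuous SVM parameter and the binary feature mask at the same time, as the two position rules (1) and (2) of Table (1) require. The continuous coordinate follows the standard PSO position update and the mask bits follow the binary PSO rule of Kennedy and Eberhart [14], in which a bit is re-drawn as 1 with probability equal to the sigmoid of its velocity; both formulas are the standard ones and are assumed here, since this copy of the page does not reproduce them. To keep the example self-contained, the SVM is replaced by a Parzen-window RBF classifier (so only σ is searched, not C), the fitness is leave-one-out accuracy minus an assumed cost of 0.01 per selected feature, and the two-class data, with two informative and four noise features, are constructed inline.

```python
import math
import random

N_FEATURES = 6   # constructed data: features 0 and 1 carry the class signal, 2..5 are noise


def make_data(n=40, seed=7):
    """Constructed two-class sample (not a real botnet dataset)."""
    rng = random.Random(seed)
    xs, ys = [], []
    for k in range(n):
        y = k % 2
        centre = 1.5 if y else -1.5
        row = [centre + rng.gauss(0, 1), centre + rng.gauss(0, 1)]
        row += [rng.gauss(0, 3) for _ in range(N_FEATURES - 2)]
        xs.append(row)
        ys.append(y)
    return xs, ys


def rbf(a, b, sigma, mask):
    """RBF kernel restricted to the features whose mask bit is 1."""
    d2 = sum((u - v) ** 2 for u, v, m in zip(a, b, mask) if m)
    return math.exp(-d2 / (2.0 * sigma * sigma))


def loo_accuracy(xs, ys, sigma, mask):
    """Leave-one-out accuracy of a Parzen-window RBF classifier (SVM stand-in)."""
    if not any(mask):
        return 0.0
    hits = 0
    for i, xi in enumerate(xs):
        score = [0.0, 0.0]
        for j, (xj, yj) in enumerate(zip(xs, ys)):
            if j != i:
                score[yj] += rbf(xi, xj, sigma, mask)
        hits += int((score[1] > score[0]) == bool(ys[i]))
    return hits / len(xs)


def fitness(xs, ys, s, mask):
    """Particle fitness: LOO accuracy minus an assumed cost of 0.01 per selected feature.
    The particle stores log(sigma) so that sigma stays positive."""
    return loo_accuracy(xs, ys, math.exp(s), mask) - 0.01 * sum(mask)


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def pso_select(xs, ys, n_particles=12, iters=25, seed=3):
    """Mixed-encoding PSO: continuous log(sigma) plus a binary feature mask.
    Returns (sigma, mask, fitness) of the global best."""
    rng = random.Random(seed)
    w, c1, c2 = 0.72, 1.49, 1.49                         # assumed PSO constants
    swarm = []
    for _ in range(n_particles):
        s = rng.uniform(-2.0, 2.0)
        mask = [int(rng.random() < 0.5) for _ in range(N_FEATURES)]
        swarm.append({"s": s, "vs": 0.0, "mask": mask, "vm": [0.0] * N_FEATURES,
                      "ps": s, "pmask": list(mask), "pfit": fitness(xs, ys, s, mask)})
    best = max(swarm, key=lambda p: p["pfit"])
    gs, gmask, gfit = best["ps"], list(best["pmask"]), best["pfit"]
    for _ in range(iters):
        for p in swarm:
            # continuous coordinate: standard velocity and position update (Table (1), rule (1))
            p["vs"] = (w * p["vs"] + c1 * rng.random() * (p["ps"] - p["s"])
                       + c2 * rng.random() * (gs - p["s"]))
            p["s"] = max(-5.0, min(5.0, p["s"] + p["vs"]))      # keep sigma in a sane range
            # binary coordinates: same velocity rule, but the new bit is drawn as 1
            # with probability sigmoid(velocity) (BPSO, Table (1), rule (2))
            for d in range(N_FEATURES):
                p["vm"][d] = (w * p["vm"][d] + c1 * rng.random() * (p["pmask"][d] - p["mask"][d])
                              + c2 * rng.random() * (gmask[d] - p["mask"][d]))
                p["vm"][d] = max(-4.0, min(4.0, p["vm"][d]))     # so a bit can always flip back
                p["mask"][d] = int(rng.random() < sigmoid(p["vm"][d]))
            fit = fitness(xs, ys, p["s"], p["mask"])
            if fit > p["pfit"]:
                p["ps"], p["pmask"], p["pfit"] = p["s"], list(p["mask"]), fit
                if fit > gfit:
                    gs, gmask, gfit = p["s"], list(p["mask"]), fit
    return math.exp(gs), gmask, gfit


if __name__ == "__main__":
    data_x, data_y = make_data()
    print(pso_select(data_x, data_y))
```

The velocity clamp on the mask bits matters in practice: without it a bit's velocity can saturate the sigmoid at 0 or 1 and the feature is never reconsidered, which is one way a feature-selection PSO gets stuck with an irrelevant feature switched on.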
3.3. Smart Adaptive PSO (Strategy-5: SAPSO)
The SAPSO algorithm, our previous work [10], is the fifth strategy for updating particle velocity; in this paper it is used as
the fifth velocity-update strategy of the SSLPSO algorithm.
SAPSO selects the main parameters of the velocity formula (,  and ) dynamically, according to the conditions a particle
experiences during execution. To obtain , the method first calculates the distance of each particle from the other points in
the search space. Then, from the distances obtained for each particle, the maximum distance (), the minimum distance ()
and the distance of the particles from the global optimum are measured; thus the distance from the global optimum () is
obtained. Formula (1) [10, 13] gives the distance between the particles.
  

 
Here, N and D are the number of particles and the number of dimensions of each particle, respectively. Then, using formula
(1), the values of ,  and  are calculated for the function , which is called the new evolutionary factor (formula
(2)).


In formula (2), |.| is the absolute value, which makes the output of the function always positive. ,  and  are the
particle's distances relative to its best personal experience, the best global experience, the maximum distance and the minimum
distance, respectively.  is a variable whose value lies in [0, 1]. This value can be determined in two ways: 1) the user
specifies it; 2) it changes according to the changes in the best personal experience (Pbest) and the best global experience
(Gbest) of the particle in the previous execution step. In the latter case, the value of  changes according to three states,
shown in Table (2) (in this study, the value of  is set to 0.1).
Table (2): The strategy for setting α [10]

Number | Change Global Best | Change Local Best | α
--- | --- | --- | ---
1 | Yes | Yes | 1
2 | No | Yes | 0.3
3 | No | No | 1
In the SAPSO algorithm [10], we used formulas (1) and (4) to calculate the value of the particle evolution factor (). Then
formula (3) [13], a sigmoid mapping of , was used to calculate the inertia weight.

The characteristic of formula (3) is that it produces  throughout the interval [0.4, 0.9]. In the next step, the state of each
particle should be specified accurately. To achieve this, we can use either the evolutionary factor (formula (2)) or the inertia
weight (formula (3)). In our proposed method, we used intervals to determine the particle states. Table (3) shows the state of
each particle based on the intervals of both functions.
Table (3): Four states of each particle based on the intervals [10]

Inertia weight interval (formula (3)) | Evolutionary factor interval (formula (2)) | State
--- | --- | ---
[0.4, 0.5926] | [0, 0.3] | Convergence
[0.5286, 0.7603] | [0.2, 0.6] | Exploitation
[0.6535, 0.8422] | [0.4, 0.8] | Exploration
[0.8045, 0.9] | [0.7, 1.0] | Jumping-Out
According to Table (3), the intervals collide, that is, they overlap (for both  and ), so a value can fall into two states at
once. To solve this problem, the SAPSO algorithm uses a strategy that specifies the state of each particle accurately in the next
implementation step [10]. The rules for resolving the collision are given in Table (4).
Table (4): Conflict resolution strategy for the overlapping intervals [10]

Overlapping states | State | Change Global Best | Change Local Best
--- | --- | --- | ---
Exploitation / Convergence | Exploitation | YES/NO | YES
Exploitation / Convergence | Convergence | NO | NO
Exploitation / Exploration | Exploitation | YES | YES
Exploitation / Exploration | Exploration | NO | YES/NO
Exploration / Jumping-Out | Exploration | YES | YES
Exploration / Jumping-Out | Jumping-Out | NO | YES/NO
With the rules for resolving the interval collisions, the state of each particle at each stage of the algorithm can be determined
easily.
Based on Table (4), particles may be in one of four possible states during execution, and these states are determined by ;
therefore the values of  and  must correspond to the same state as . So, if the range of  and  is chosen as
[1.5, 2.5], Table (5) shows the strategy for setting  and  according to the state of each particle.
Table (5): The strategy for choosing the values of  and  [10]

Acceleration coefficient | Strategy | Inertia weight interval (merged over the states) | States | Inertia weight interval per state
--- | --- | --- | --- | ---
 | Increase | [0.6535, 0.9] | Exploration; Jumping-Out | [0.6535, 0.8422]; [0.8045, 0.9]
 | Increase slightly | [0.4, 0.7603] | Convergence; Exploitation | [0.4, 0.5926]; [0.5286, 0.7603]
 | Decrease | [0.6535, 0.9] | Exploration; Jumping-Out | [0.6535, 0.8422]; [0.8045, 0.9]
 | Decrease slightly | [0.5286, 0.7603] | Exploitation | [0.5286, 0.7603]
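The SAPSO state bookkeeping of Tables (3) and (4), as an added Python example (not code from [10] or this paper). Formula (3) is assumed here to be the APSO sigmoid mapping of reference [13], ω = 1 / (1 + 1.5·e^(-2.6·f)); that choice is an assumption, but it reproduces the inertia-weight endpoints printed in Table (3), which the example checks.

```python
"""SAPSO particle-state logic: inertia weight from the evolutionary factor f,
state lookup in the overlapping intervals of Table (3), and collision resolution
with the Pbest/Gbest change flags of Table (4). Added example, not the paper's code.

Assumption: formula (3) is the APSO sigmoid w = 1 / (1 + 1.5 * exp(-2.6 * f)) [13],
which maps f in [0, 1] onto w in [0.4, 0.9].
"""
import math
from typing import Dict, List, Tuple

# Table (3), evolutionary-factor column: (state, low, high); the intervals overlap.
STATE_INTERVALS: List[Tuple[str, float, float]] = [
    ("Convergence", 0.0, 0.3),
    ("Exploitation", 0.2, 0.6),
    ("Exploration", 0.4, 0.8),
    ("Jumping-Out", 0.7, 1.0),
]

# Table (3), inertia-weight column, as printed on the page (used for the self-check).
PRINTED_W_INTERVALS: Dict[str, Tuple[float, float]] = {
    "Convergence": (0.4, 0.5926),
    "Exploitation": (0.5286, 0.7603),
    "Exploration": (0.6535, 0.8422),
    "Jumping-Out": (0.8045, 0.9),
}


def inertia_weight(f: float) -> float:
    """Assumed formula (3): sigmoid map of f onto [0.4, 0.9]."""
    return 1.0 / (1.0 + 1.5 * math.exp(-2.6 * f))


def w_intervals_from_f() -> Dict[str, Tuple[float, float]]:
    """Map each f interval of Table (3) through formula (3) to obtain its w interval."""
    return {name: (round(inertia_weight(lo), 4), round(inertia_weight(hi), 4))
            for name, lo, hi in STATE_INTERVALS}


def table3_consistent(tolerance: float = 1e-3) -> bool:
    """True when the computed w intervals match the printed ones within tolerance."""
    computed = w_intervals_from_f()
    return all(abs(computed[s][0] - lo) <= tolerance and abs(computed[s][1] - hi) <= tolerance
               for s, (lo, hi) in PRINTED_W_INTERVALS.items())


def candidate_states(f: float) -> List[str]:
    """All states whose f interval contains f (one or two, given Table (3))."""
    return [name for name, lo, hi in STATE_INTERVALS if lo <= f <= hi]


def resolve_state(f: float, pbest_changed: bool, gbest_changed: bool) -> str:
    """Table (4): when f lies in two overlapping intervals, the change flags of the
    previous step decide the state. The flag combination Table (4) does not list
    (Gbest changed while Pbest did not) cannot occur, because a new Gbest is always
    a new Pbest; it falls through to the second state of the pair."""
    candidates = candidate_states(f)
    if not candidates:
        raise ValueError(f"f must lie in [0, 1], got {f}")
    if len(candidates) == 1:
        return candidates[0]
    first, second = candidates
    if (first, second) == ("Convergence", "Exploitation"):
        # Exploitation: Local YES (Global either way); Convergence: both NO.
        return "Exploitation" if pbest_changed else "Convergence"
    # Exploitation/Exploration and Exploration/Jumping-Out share one rule:
    # the lower state needs YES/YES, the higher state applies when Gbest did not change.
    return first if (pbest_changed and gbest_changed) else second


def particle_step(f: float, pbest_changed: bool, gbest_changed: bool) -> Tuple[str, float]:
    """State and inertia weight a particle carries into the next velocity update."""
    return resolve_state(f, pbest_changed, gbest_changed), inertia_weight(f)


if __name__ == "__main__":
    print("Table (3) reproduced by the sigmoid:", table3_consistent())
    # Constructed particles: (f from formula (2), Pbest_Flag, Gbest_Flag).
    for f, pb, gb in [(0.25, True, False), (0.25, False, False),
                      (0.5, True, True), (0.5, False, False),
                      (0.75, True, True), (0.75, False, False)]:
        state, w = particle_step(f, pb, gb)
        print(f"f={f:.2f} Pbest_Flag={int(pb)} Gbest_Flag={int(gb)} -> {state:12s} w={w:.4f}")
```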
Using the five strategies introduced above, we can only optimize the two main SVM parameters (i.e., the sigma parameter ()
and the penalty parameter ()); we cannot yet extract the main features of Android botnets. So the question is how to identify
the important features of Android botnets. To answer this question, the Binary PSO (BPSO) approach is introduced in this
section.
3.4. FEATURE SELECTION (Binary PSO)
Mobile botnets encrypt their main features to avoid detection by security researchers, so most of the time their behavior is
similar to that of a normal application [10]. As a result, the question is, first, how to access the key features of mobile botnets
that are not encrypted, and second, how to identify mobile botnets at a high rate with the help of these features.
To answer this question, we need to improve the learning process of the SVM technique using feature selection, so that the
model trained by the SVM technique shows the best results on the test data. In other words, feature selection, in addition to
reducing the runtime and increasing the efficiency of the algorithm, reveals the relationship between features by eliminating
unrelated features and choosing the ones that are effective in the algorithm. The Binary PSO (BPSO) technique [14] is one of
the well-known methods used for feature selection. This technique is similar to PSO [12], with the difference that the new
location of each particle is updated differently in BPSO. According to Table (1), in BPSO each particle faces two states for
each feature: 1) selecting the feature (1); 2) not selecting the feature (0).
3.4.1. How to update particle velocity and position in the BPSO technique?
Feature selection is one of the most important parts of this study: if the features are selected correctly, the proposed model
will be better trained and its ability to predict the test data will increase. In the BPSO algorithm, the particle velocity is first
updated according to one of the five velocity-update strategies listed in Table 1. The particle location is then updated based on
the BPSO formula given in Table 1, and using BPSO [14], each feature is either selected or not selected.
In the next section, the various approaches used by security investigators to identify botnets are presented.
3.5. Summary of what was said
As mentioned above, mobile botnets can encrypt their important features so that they behave similarly to regular users
and avoid identification. The question now is how to optimize the main parameters of the SVM technique (i.e., the sigma
parameter (), the penalty parameter () and the features available in the dataset) so that mobile botnets can be identified at
a high rate.
In this paper, we introduce the SSLPSO-SVM approach, which optimizes the main SVM parameters in the best possible
way with the help of the five strategies described in the related-work section. As a result, the SVM technique, with the help of
the SSLPSO algorithm, can train a model that identifies mobile botnets accurately.
In the SSLPSO approach, instead of the Roulette Wheel Selection (RWS) method, we use a new approach called Smart
Selection Strategies (SSS) to select strategies. With this method, each strategy is selected intelligently, based on its
performance at each stage of implementation.
Now the question is why the SSS approach replaces the RWS method. As mentioned in Section 3.1, the RWS method assigns
a share to each strategy based on its performance, but because it selects strategies randomly, the strategy with the worst
performance may be selected at a given stage of the implementation, and the results then do not improve. That is why in this
paper we introduce the SSS method, which selects strategies intelligently from the latest changes in the search space.
3.6. Smart Selection Strategies (SSS)
The purpose of SSS is to select the best optimization algorithm among the five strategies described in Section 3.2. For example,
suppose the SAPSO and CLPSO approaches performed best in the previous implementation phase; that is, with the help of these
two approaches, the largest number of changes were made in Pbest and Gbest. In this case, the SSS approach gives more
particles to SAPSO and CLPSO at the current stage of execution, and the other three approaches, SLPSO, DbV and PSO-CL-Pbest,
receive fewer particles at this stage. In the Roulette Wheel Selection (RWS) method, however, the optimization algorithm that
showed the best performance in the previous execution phase may receive the lowest number of particles in the current phase,
because RWS uses a random function to select among the optimization algorithms (the five strategies). Therefore, to select the
velocity-update strategy intelligently, the following steps are taken:
1) For each strategy, assign the same priority in the first stage of the execution (
). This gives each strategy an equal
chance to change the location of particles.
2) The frequency of implementation of each strategy is equal to:

The frequency of implementation of each strategy is determined according to formula (4), where  is the priority of
the j-th strategy for updating the velocity.
3) If the program is in the first stage of implementation (Iteration = 1), each strategy is selected by roulette wheel
selection. Otherwise (Iteration > 1), execution priority goes to the strategy whose priority is higher than that of the other
strategies.
4) Count the number of times each strategy changes any particle's Pbest during its execution. Also count the total number
of times Pbest has changed over all particles in one stage of implementation.
5) Count the number of times each strategy changes Gbest during its execution. Also count the total number of times Gbest
has changed over all particles in one stage of implementation.
6) After each stage of implementation, the priority of each strategy is calculated according to formula (5).



In formula (5),  is a value in [0, 1] specified by the user.  and  are the number of times the j-th strategy has
been able to change the Pbest and Gbest values of the particles, respectively. If Gbest does not change for any particle,
then β = 1.
7) The number of times each strategy should be executed is calculated from formula (4). If the total number of strategy
executions exceeds the number of particles in the search space, the discrepancy is subtracted from the strategy with the
highest number of runs (the most significant strategy). If the total is less than the number of particles, the discrepancy is
added to the strategy with the highest number of runs. For example, suppose there are 10 particles in the search space
and SAPSO has the highest priority among the five strategies; if SAPSO is given seven particles to execute and the other
strategies four particles in total, then, because the total exceeds ten, the number of SAPSO particles is reduced to six.
8) If the priority of all strategies is zero, the priority of each strategy is reset to 0.2 and the roulette wheel selection method
is used to select the strategy. This occurs when none of the Pbest and Gbest values changed during the stage.
9) If the SSLPSO algorithm has not completed its number of iterations, return to step (2).
A special situation that may occur during the program is when the priorities of two or three strategies are equal to each other
(while the priorities of all strategies are not the same). For example, if the priorities of strategies 2 and 3 are equal, neither has
precedence over the other, so a random function producing a value in [0, 1] is used: if the value is less than 0.5, strategy 2 is
selected; otherwise, strategy 3.
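The SSS bookkeeping of steps 1 to 9 and the tie rule, as an added Python example (not the paper's MATLAB code). Because the symbols of formulas (4) and (5) are not given above, the example assumes priority_j = β·(Pbest changes of j / total Pbest changes) + (1 - β)·(Gbest changes of j / total Gbest changes) and frequency_j = round(priority_j · N); its tie-break generalizes the page's coin flip between two equal strategies to a uniform draw among all tied ones.

```python
"""Smart Selection Strategies (SSS): decide how many particles each velocity-update
strategy may move in the next SSLPSO iteration, from the Pbest/Gbest changes it
produced in the current one. Added example; not the paper's own code.

Assumed formulas (their symbols are not given on the page):
  formula (5): priority_j = beta * P_j / sum(P) + (1 - beta) * G_j / sum(G)
  formula (4): frequency_j = round(priority_j * N)
where P_j and G_j count the Pbest and Gbest changes made by strategy j.
"""
import random
from typing import List, Optional, Sequence, Tuple

# The five velocity-update strategies named in Section 3.6.
STRATEGIES = ["SLPSO", "CLPSO", "DbV", "PSO-CL-Pbest", "SAPSO"]


def initial_priorities(n_strategies: int = len(STRATEGIES)) -> List[float]:
    """Step 1 (and the reset of step 8): equal priority, 0.2 each for five strategies."""
    return [1.0 / n_strategies] * n_strategies


def priorities_from_changes(pbest_changes: Sequence[int],
                            gbest_changes: Sequence[int],
                            beta: float) -> List[float]:
    """Step 6: priorities for the next iteration from this iteration's change counts."""
    total_p, total_g = sum(pbest_changes), sum(gbest_changes)
    if total_p == 0 and total_g == 0:
        # Step 8: nothing changed anywhere, so every strategy gets 0.2 again.
        return initial_priorities(len(pbest_changes))
    if total_g == 0:
        beta = 1.0  # the page's rule: Gbest unchanged for every particle => beta = 1
    share_p = [p / total_p if total_p else 0.0 for p in pbest_changes]
    share_g = [g / total_g if total_g else 0.0 for g in gbest_changes]
    return [beta * sp + (1.0 - beta) * sg for sp, sg in zip(share_p, share_g)]


def allocate_particles(priorities: Sequence[float], n_particles: int) -> List[int]:
    """Steps 2 and 7: frequency_j = round(priority_j * N), then correct any discrepancy
    on the strategy with the most runs so the counts add up to exactly N."""
    counts = [int(p * n_particles + 0.5) for p in priorities]  # round half up
    while sum(counts) > n_particles:
        counts[counts.index(max(counts))] -= 1
    while sum(counts) < n_particles:
        counts[counts.index(max(counts))] += 1
    return counts


def roulette_wheel(priorities: Sequence[float], rng: random.Random) -> int:
    """Roulette Wheel Selection: pick index j with probability priority_j / sum."""
    total = sum(priorities)
    pick = rng.uniform(0.0, total)
    running = 0.0
    for j, p in enumerate(priorities):
        running += p
        if pick < running:
            return j
    return len(priorities) - 1


def select_strategy(priorities: Sequence[float], iteration: int,
                    rng: Optional[random.Random] = None) -> int:
    """Step 3 plus the tie rule: RWS in the first iteration (or when all priorities are
    zero, step 8); afterwards the highest priority wins, ties broken by a random draw."""
    rng = rng or random.Random()
    if iteration == 1 or not any(priorities):
        base = priorities if any(priorities) else initial_priorities(len(priorities))
        return roulette_wheel(base, rng)
    best = max(priorities)
    tied = [j for j, p in enumerate(priorities) if p == best]
    return tied[0] if len(tied) == 1 else rng.choice(tied)


def plan_next_iteration(pbest_changes: Sequence[int], gbest_changes: Sequence[int],
                        beta: float, n_particles: int) -> Tuple[List[float], List[int]]:
    """One bookkeeping round at the end of an iteration (steps 4 to 7)."""
    priorities = priorities_from_changes(pbest_changes, gbest_changes, beta)
    return priorities, allocate_particles(priorities, n_particles)


if __name__ == "__main__":
    # Constructed counts for one iteration with N = 10 particles: SAPSO and CLPSO
    # produced most of the Pbest/Gbest improvements, DbV none.
    prio, alloc = plan_next_iteration([3, 2, 1, 0, 6], [1, 1, 0, 0, 2], beta=0.5, n_particles=10)
    for name, p, n in zip(STRATEGIES, prio, alloc):
        print(f"{name:13s} priority={p:.3f} particles={n}")
    print("first to run:", STRATEGIES[select_strategy(prio, iteration=2, rng=random.Random(1))])
```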
[Figure (3): SSLPSO-SVM flowchart. Blocks: Initialization Function (set N and Iteration; initialize position and velocity for the Sigma, Penalty and Features particles; Pbest_Flag = 0, Gbest_Flag = 0); SAPSO Function (calculate distances using formula (1); calculate the new evolutionary factor using formula (2); adaptive inertia selection using formula (3); solve the collision of the inertia intervals using Table (4), Pbest_Flag(i) and Gbest_Flag(i); adaptive acceleration coefficient selection using Table (5)); Next Location Function (select the j-th strategy using SSS steps 1 to 3; update velocity for the Sigma, Penalty and Features particles using the formula of strategy (j) in Table (1); update position for the Sigma and Penalty particles using formula (1) in Table (1) and for the Features particles using the BPSO formula (2) in Table (1); if a strategy exceeds its number of allowed implementations, priority(j) = 0 and its frequency = 0); Fitness Function (change the training and test datasets based on the selected features; Tr_Result = SVM(σ, C, training datasets); evaluate the test dataset based on Tr_Result; ACC = (TP + TN) / Total Test Samples); SSLPSO main loop (if ACC > Best_Local(i): Pbest(i) = position(i), Pbest_Flag(i) = 1 and the Pbest change counters are incremented; if ACC > Best_Global: Gbest = position(i), Gbest_Flag(i) = 1 and the Gbest change counters are incremented; stop when j > Iteration or ACC = 1; calculate the mean of the best 20% of particle positions and the priority of each strategy using SSS steps 6 to 8). Overview strip: Digital Devices, Network Capturing, Network Flow, Feature Engineering, supported by powerful servers; the output of the SSLPSO-SVM technique creates a detection system whose decision is Malicious Network Flow or Normal Network Flow.]
Figure (3): SSLPSO-SVM
3.7. SSLPSO-SVM algorithm
According to the previous sections, Figure (3) shows the SSLPSO-SVM algorithm. In the SSLPSO algorithm (Figure 3), three
parameters need to be optimized: Sigma, Penalty and Features. To simplify the SSLPSO flowchart, they are expressed
generically; that is, all formulas introduced to calculate the inertia weight, the acceleration coefficients, and even Pbest, Gbest,
Pbest_Flag, Gbest_Flag, Total changes Pbest, Total changes Gbest, Number of changes Pbest, Number of changes Gbest, , 
and  follow this rule (for example, ,
 and 
(D is the same dimension)). In this flowchart (Figure 3), the dimensions of the Sigma and Penalty particles are equal to 1, but
the dimension of the Features particles is equal to the number of dataset features. The SSLPSO algorithm consists of three main
functions, each performing a specific task.
1) Initialization function: This function initializes the SSLPSO parameters. It sets the number of times the algorithm is
executed (Iteration) and the number of particles (N), and in the next steps the flags of all particles are set to zero
(Pbest_Flag = 0 and Gbest_Flag = 0).
2) SAPSO function: The purpose of the SAPSO function is to specify the main parameters of the velocity formula for this
algorithm (i.e., the inertia weight and the acceleration coefficients), so that if SAPSO is given the opportunity to update the
particle velocity and location in the Next Location function, it can supply these parameters. All formulas and tables of the
SAPSO algorithm are used in this function to determine the parameters of the velocity formula. The first block measures
the distance between each particle and the other particles; from this, the values of ,  and  are obtained first. In the
next step, in addition to determining the value of  for each of the Sigma (), Penalty () and Features particles, the
particle state is determined, and finally the values of  and  are specified for them. Also, because the distance between
a particle and the other particles can change the values of ,  and , these values must be updated whenever they
change. Then the values of ,  and  are obtained for each particle.
3) Next_Location function: This function first examines which strategy has been selected and whether it has already been
chosen by the algorithm. Then the number of times this strategy is allowed to execute is checked, and if the number of runs
exceeds the limit, control enters the conditional part of the algorithm. The condition runs when the number of executions
of a strategy has been exceeded; in this case, the priority and the execution count of this strategy are set to zero, so that in
the next steps of the same iteration this strategy gets no further opportunity to execute. Note that in Figure (3), whatever
update strategy is chosen, the velocity and location updates of the Sigma () and Penalty () particles must ignore the
dimensions of those particles; consequently, the formulas that update particle velocity and location are used without
considering their dimensions. Finally, the number of executions of each strategy is recorded. These values are used to
determine the priority of each strategy in the next stage of execution.
An important feature of Figure (3), in comparison with the Self-Adaptive PSO method presented in [41], is that at every
stage except the first, the velocity-update strategy is chosen by Smart Selection Strategies (SSS): first, the chosen strategy
has been able to change the locations of the Pbest and Gbest points, and second, implementation priority is given to the
strategy that changes the Pbest and Gbest locations of its particles more frequently than the other strategies. In the method
presented in [44], however, implementation priority goes to a strategy selected by Roulette Wheel Selection, so the
appropriate strategies may not be selected at each stage of the implementation, and the SLPSO output is then not
appropriate. (Note that in the Roulette Wheel Selection algorithm, there is a possibility of selecting lower-priority strategies
over higher-priority ones.)
4) Fitness function: In Figure (3), the training and test datasets are restricted to the selected features. Then the svmtrain
function trains the model with the received parameters. If the selected features and the SVM parameters are chosen
correctly, the svmclassify function can identify the test data with high precision. Finally, the detection percentage on the
test data is returned to the SSLPSO algorithm. Then, if Accuracy ≠ 1, the algorithm looks for more optimal values. It
should be noted that the fitness function is "".
In the SSLPSO algorithm, when the variables Changes_Local_Best and Changes_Global_Best are equal to "1", it means that a
particle was able to change its Pbest and Gbest values, respectively. These variables are used to determine the state of each
particle at each stage of the execution. In the SSLPSO function, the average of the best 20% of particles' positions is obtained.
Then the priority of each strategy is determined for the next stage of implementation.
Finally, the SSLPSO-SVM outputs are: 1) the accurate detection of Android botnets; 2) the optimized parameters of the SVM
technique and the best features of the Android botnet dataset.
3.8. What are the differences between SLPSO and SSLPSO?
In this section, we examine the differences between the SLPSO [44] and SSLPSO algorithms.
1. The SLPSO [44] article uses four strategies to update the particles, but this paper uses five strategies.
2. The SLPSO [44] article uses the RWS method to select strategies, but this article uses the SSS approach.
3. The SLPSO [44] article optimizes mathematical functions, but in this paper the three main SVM parameters are optimized.
4. In this paper, the feature selection approach (BPSO) is used to find the important features of the dataset, but the SLPSO
[44] article does not use feature selection, since it optimizes mathematical functions.
In the next section, we challenge our proposed method by testing it on 28 Android botnet datasets. Then we compare the
proposed approach with three other methods to determine its performance.
4. SIMULATION RESULTS
All results were obtained on a system with an Intel Core i5 processor and 4 GB of DDR3 RAM. All algorithms were
coded in MATLAB.
To detect Android botnets, a standard dataset is required. Hence we use the 28 Standard Android Botnet Dataset
(28-SABD) [1] to evaluate the proposed algorithm (Table 6). To create this dataset, we collected more than 14 million
packets of network traffic, and with the help of feature engineering techniques we obtained the data summarized in
Table (6). There are 336,111 records in this dataset, each of which contains 85 different features (336,111 × 85). In
28-SABD, 189,842 records are benign (59.57%) and 146,269 are botnet (40.43%) [1].
Table (6): 28-SABD [1]

Family | Mode | Benign (number) | Benign (%) | Botnet (number) | Botnet (%)
--- | --- | --- | --- | --- | ---
Anserverbot | Execute | 1,255 | 9.23 | 12,337 | 90.77
Anserverbot | Background | 1,420 | 70.96 | 581 | 29.04
Bmaster | Execute | 4,113 | 80.54 | 994 | 19.46
Bmaster | Background | 389 | 12.76 | 2,659 | 87.24
DroidDream | Execute | 4,261 | 25.07 | 12,737 | 74.93
DroidDream | Background | 327 | 12.56 | 2,276 | 87.44
Geinimi | Execute | 10,208 | 86.86 | 1,544 | 13.14
Geinimi | Background | 3,764 | 90.39 | 400 | 9.61
MisoSMS | Execute | 39,908 | 85.94 | 6,529 | 14.06
MisoSMS | Background | 49,685 | 92.39 | 4,092 | 7.61
Nickyspy | Execute | 14,624 | 46.85 | 16,590 | 83.15
Nickyspy | Background | 277 | 4.39 | 6,039 | 95.61
NotCompatible | Execute | 7,503 | 50.86 | 7,250 | 49.41
NotCompatible | Background | 2,007 | 84.05 | 381 | 15.95
Pjapps | Execute | 4,296 | 42.19 | 5,887 | 57.81
Pjapps | Background | 3,414 | 94.54 | 197 | 5.46
Pletor | Execute | 2,939 | 19.48 | 12,150 | 80.52
Pletor | Background | 270 | 6.83 | 3,685 | 93.17
Rootsmart | Execute | 2,529 | 44.24 | 3,187 | 55.76
Rootsmart | Background | 221 | 9.17 | 2,188 | 90.83
Sandroid | Execute | 4,956 | 43.44 | 6,453 | 56.56
Sandroid | Background | 510 | 14.86 | 2,923 | 85.14
Tigerbot | Execute | 2,666 | 29.97 | 6,229 | 70.03
Tigerbot | Background | 2,679 | 81.13 | 623 | 18.87
Wroba | Execute | 8,798 | 36.28 | 15,451 | 63.72
Wroba | Background | 878 | 39.96 | 1,319 | 60.04
Zitmo | Execute | 14,863 | 74.28 | 5,147 | 25.72
Zitmo | Background | 1,082 | 14.42 | 6,421 | 85.58
Total | Execute | 122,919 | 52.22 | 112,485 | 47.78
Total | Background | 66,923 | 66.45 | 33,784 | 33.55

To evaluate the performance of the proposed algorithm (SSLPSO), we compared it with three different PSO
algorithms [44, 46]. The fitness function of these three algorithms is based on Figure (3), and Table (7) lists these
algorithms and their characteristics. It should be noted that none of the algorithms described in Table (7) can select
important dataset features; in their own articles they were used to optimize mathematical functions. According to
Table (7), for a fair comparison of the algorithms, it is assumed that the three algorithms in Table (7) can optimize
the two important SVM parameters simultaneously with the selection of important features. In other words, the
difference between the proposed method and the following three algorithms lies in the velocity-update method and
the velocity-update strategies for each particle. The parameters required for these algorithms are given in Table (7),
and the initialization of the algorithms in Table (7) follows the initialization in their papers [44, 46].
Table (7): Parameters required for the compared algorithms

Number | Algorithm | Inertia weight | Acceleration coefficient
--- | --- | --- | ---
1 | SLPSO: Self-Adaptive Learning PSO [44] |  | ---
2 | CLPSO: Comprehensive Learning PSO [46] |  | ---
3 | PSO-CL-Pbest: PSO Comprehensive Learning Pbest [44] |  | ---
It should be noted that all parameters of the SSLPSO algorithm are determined dynamically according to the conditions
arising during the execution of the algorithm.
Four criteria, Sensitivity, Specificity, Precision and Accuracy [48], are used to measure the results of the algorithms.
Their formulas are shown in Table (8).
Table (8): Four criteria for evaluating Android botnet detection algorithms

Criterion | Formula
--- | ---
Sensitivity (SNS) | 
Specificity (SPC) | 
Precision (Prec) | 
Accuracy (ACC) | 

According to Table (8), TP (True Positive) and TN (True Negative) are the botnet and benign data that are correctly
identified, respectively. In the same way, FP (False Positive) is benign data mistakenly identified by the algorithm as
botnet, and FN (False Negative) is botnet data mistakenly identified as benign.
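The four criteria of Table (8) computed from a confusion matrix, with a consistency check a reader can run on the rows of Table (9); this is an added Python example, not the paper's MATLAB code. ACC follows Figure (3), (TP + TN) / total test samples; the other three are the standard definitions, and the row check assumes the test split keeps the family's class share from Table (6).

```python
"""Table (8) criteria for a botnet/benign classifier (botnet = positive class), plus a
consistency check for rows of Table (9). Added example, not the paper's MATLAB code.
ACC is as in Figure (3), (TP + TN) / total test samples; the other three are the
standard definitions in terms of TP, TN, FP and FN."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Confusion:
    tp: int  # botnet flows flagged as botnet
    tn: int  # benign flows passed as benign
    fp: int  # benign flows flagged as botnet
    fn: int  # botnet flows missed


def sensitivity(c: Confusion) -> float:
    return c.tp / (c.tp + c.fn)


def specificity(c: Confusion) -> float:
    return c.tn / (c.tn + c.fp)


def precision(c: Confusion) -> float:
    return c.tp / (c.tp + c.fp)


def accuracy(c: Confusion) -> float:
    return (c.tp + c.tn) / (c.tp + c.tn + c.fp + c.fn)


def criteria_percent(c: Confusion) -> Dict[str, float]:
    """The four Table (8) criteria in percent, rounded to two decimals as in Table (9)."""
    return {"SNS": round(100 * sensitivity(c), 2), "SPC": round(100 * specificity(c), 2),
            "Prec": round(100 * precision(c), 2), "ACC": round(100 * accuracy(c), 2)}


def accuracy_from_rates(sns: float, spc: float, botnet_share: float) -> float:
    """Identity ACC = SNS * share_botnet + SPC * share_benign: accuracy is the
    prevalence-weighted mean of the two rates, so on a family whose traffic is
    mostly botnet a low SPC barely moves ACC."""
    return sns * botnet_share + spc * (1.0 - botnet_share)


def check_table9_row(sns: float, spc: float, acc: float, botnet_share: float,
                     tolerance: float = 0.05) -> bool:
    """Sanity-check a Table (9) row (values in percent) against the family's botnet
    share from Table (6). Assumes the test split keeps that share (stratified split)."""
    return abs(accuracy_from_rates(sns, spc, botnet_share) - acc) <= tolerance


if __name__ == "__main__":
    # Constructed matrix with the Nickyspy-Background class sizes of Table (6):
    # 6,039 botnet and 277 benign test flows.
    c = Confusion(tp=6030, tn=225, fp=52, fn=9)
    print(criteria_percent(c))
    # Anserverbot Background, SSLPSO row of Table (9): SNS 98.94, SPC 98.76, ACC 98.81;
    # botnet share 581 / 2001 from Table (6).
    print(check_table9_row(98.94, 98.76, 98.81, 581 / 2001))
```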
4.1. ANALYSIS OF THE RESULTS
Table (9) shows the results of executing the four algorithms. In Table (9), NFE is the Number of Function Evaluations:
when an algorithm reaches Accuracy = 100% it must terminate, and NFE is then introduced as the decisive quality
criterion. The number of particles and the number of iterations of each algorithm are 20 and 10, respectively. Also, the
algorithms were run 3 and 2 times for each Android botnet family in Background and Execute mode, respectively, and
the Sigma (), penalty () and feature particles are each confined to a fixed range. The results in Table (9) are the
averages of the outputs obtained by the four algorithms.
The results for the 28 Android botnet families, which represent more than 660 hours of output from the 4 algorithms, are
shown in Table (9). The execution time of each algorithm is directly related to the number of features it selects. If the
number of selected features is large, the SVM technique must train the detection system with more data, which increases
the execution time of the algorithm. As a result, an algorithm that scans the feature space better and selects fewer, more
important features has a lower execution time. In particular, when the number of records exceeds 6,000, the effect of
selecting important features shows more clearly, because the execution time of all algorithms then grows exponentially.
If the selected features are not important and their number is high, the execution time increases and the results achieved
by the algorithms are weak. Therefore, according to Table (9), it can be claimed that the proposed method not only scans
the search space better but also, by selecting a small number of important features, provides better results in less time
than the other algorithms.
Table (9): The results of detecting Android botnets by SSLPSO and the three algorithms of Table (7)

Family | Mode | Algorithm | SNS | SPC | Prec | ACC | NFE | Time
--- | --- | --- | --- | --- | --- | --- | --- | ---
Anserverbot | BACK | SSLPSO | 98.94 | 98.76 | 96.49 | 98.81 | 220 | 165.03
Anserverbot | BACK | SLPSO [44] | 95.33 | 99.13 | 97.40 | 98.16 | 220 | 249.04
Anserverbot | BACK | CL-PSO [46] | 96.60 | 95.83 | 95.83 | 98.05 | 220 | 267.53
Anserverbot | BACK | PSO-CL-Pbest [44] | 96.39 | 99.05 | 97.22 | 98.37 | 220 | 246.38
Anserverbot | EXE | SSLPSO | 99.76 | 90.80 | 98.99 | 98.87 | 220 | 8.122e+03
Anserverbot | EXE | SLPSO [44] | 99.49 | 93.10 | 99.24 | 98.85 | 220 | 1.1565e+04
Anserverbot | EXE | CL-PSO [46] | 99.71 | 90.44 | 98.95 | 98.78 | 220 | 1.0898e+04
Anserverbot | EXE | PSO-CL-Pbest [44] | 99.50 | 92.25 | 99.15 | 98.78 | 220 | 1.0985e+04
Bmaster | BACK | SSLPSO | 99.90 | 100 | 100 | 99.91 | 220 | 452.79
Bmaster | BACK | SLPSO [44] | 99.90 | 100 | 100 | 99.91 | 217.3 | 449.039
Bmaster | BACK | CL-PSO [46] | 99.97 | 98.79 | 99.93 | 99.91 | 194.3 | 455.32
Bmaster | BACK | PSO-CL-Pbest [44] | 99.93 | 100 | 100 | 99.94 | 198.33 | 417.65
Bmaster | EXE | SSLPSO | 96.15 | 95.42 | 96.15 | 95.82 | 220 | 1.8326e+03
Bmaster | EXE | SLPSO [44] | 97.28 | 94.94 | 95.81 | 96.21 | 220 | 1.6994e+03
Bmaster | EXE | CL-PSO [46] | 96.38 | 95.54 | 96.20 | 95.59 | 220 | 1.8203e+03
Bmaster | EXE | PSO-CL-Pbest [44] | 96.60 | 95.74 | 96.43 | 96.21 | 220 | 2.0909e+03
DroidDream | BACK | SSLPSO | 99.72 | 96.72 | 99.44 | 99.28 | 220 | 396.042
DroidDream | BACK | SLPSO [44] | 99.72 | 96.72 | 99.44 | 99.28 | 220 | 387.894
DroidDream | BACK | CL-PSO [46] | 99.72 | 96.72 | 99.44 | 99.28 | 220 | 418.373
DroidDream | BACK | PSO-CL-Pbest [44] | 99.72 | 96.72 | 99.44 | 99.28 | 220 | 431.087
DroidDream | EXE | SSLPSO | 99.35 | 95.90 | 98.44 | 98.39 | 220 | 2.3625e+04
DroidDream | EXE | SLPSO [44] | 99.40 | 95.15 | 98.16 | 98.22 | 220 | 2.7821e+04
DroidDream | EXE | CL-PSO [46] | 99.23 | 96.00 | 98.48 | 98.34 | 220 | 2.6546e+04
DroidDream | EXE | PSO-CL-Pbest [44] | 99.45 | 95.63 | 98.34 | 98.39 | 220 | 1.9652e+04
Geinimi | BACK | SSLPSO | 80.65 | 99.90 | 97.44 | 99.04 | 220 | 426.22
Geinimi | BACK | SLPSO [44] | 75.27 | 99.90 | 97.40 | 98.80 | 220 | 867.20
Geinimi | BACK | CL-PSO [46] | 76.34 | 99.85 | 95.95 | 98.80 | 220 | 909.22
Geinimi | BACK | PSO-CL-Pbest [44] | 80.11 | 99.85 | 96.24 | 98.97 | 220 | 826.46
Geinimi | EXE | SSLPSO | 80.08 | 100 | 100 | 98.84 | 220 | 5.5226e+03
Geinimi | EXE | SLPSO [44] | 80.08 | 100 | 100 | 98.84 | 220 | 4.9400e+03
Geinimi | EXE | CL-PSO [46] | 80.08 | 100 | 100 | 98.84 | 220 | 4.8363e+03
Geinimi | EXE | PSO-CL-Pbest [44] | 80.08 | 100 | 100 | 98.84 | 220 | 5.6722e+03
MisoSMS | BACK | SSLPSO | 97.32 | 100 | 100 | 99.72 | 220 | 9.3237e+03
MisoSMS | BACK | SLPSO [44] | 97.21 | 100 | 100 | 99.71 | 220 | 9.6312e+03
MisoSMS | BACK | CL-PSO [46] | 97.43 | 100 | 100 | 99.73 | 220 | 9.8854e+03
MisoSMS | BACK | PSO-CL-Pbest [44] | 97.00 | 100 | 100 | 99.69 | 220 | 9.0499e+03
MisoSMS | EXE | SSLPSO | 94.00 | 99.86 | 97.93 | 99.47 | 220 | 1.4049e+04
MisoSMS | EXE | SLPSO [44] | 92.50 | 99.91 | 98.68 | 99.42 | 220 | 1.1106e+04
MisoSMS | EXE | CL-PSO [46] | 91.75 | 99.86 | 97.92 | 99.32 | 220 | 1.0817e+04
MisoSMS | EXE | PSO-CL-Pbest [44] | 92.00 | 99.66 | 95.35 | 99.15 | 220 | 1.1092e+04
NickySpy | BACK | SSLPSO | 99.95 | 81.33 | 99.24 | 99.22 | 220 | 981.02
NickySpy | BACK | SLPSO [44] | 99.93 | 80.44 | 99.21 | 99.16 | 220 | 1.1277e+03
NickySpy | BACK | CL-PSO [46] | 99.91 | 80.44 | 99.21 | 99.15 | 220 | 1.2357e+03
NickySpy | BACK | PSO-CL-Pbest [44] | 100 | 78.22 | 99.12 | 99.15 | 220 | 1.1194e+03
NickySpy | EXE | SSLPSO | 99.51 | 99.53 | 99.81 | 99.52 | 220 | 1.0560e+04
NickySpy | EXE | SLPSO [44] | 99.47 | 99.29 | 99.72 | 99.42 | 220 | 7.0977e+03
NickySpy | EXE | CL-PSO [46] | 99.49 | 99.29 | 99.72 | 99.43 | 220 | 8.2989e+03
NickySpy | EXE | PSO-CL-Pbest [44] | 99.63 | 99.53 | 99.81 | 99.60 | 220 | 6.6272e+03
NotCompatible | BACK | SSLPSO | 97.42 | 99.41 | 97.85 | 98.98 | 220 | 241.78
NotCompatible | BACK | SLPSO [44] | 95.91 | 99.41 | 97.82 | 98.66 | 220 | 246.34
NotCompatible | BACK | CL-PSO [46] | 97.63 | 98.94 | 96.22 | 98.66 | 220 | 241.83
NotCompatible | BACK | PSO-CL-Pbest [44] | 96.13 | 99.29 | 97.39 | 98.61 | 220 | 240.54
NotCompatible | EXE | SSLPSO | 99.39 | 93.99 | 95.98 | 97.18 | 220 | 2.9490e+04
NotCompatible | EXE | SLPSO [44] | 99.17 | 94.34 | 96.20 | 97.19 | 220 | 3.1601e+04
NotCompatible | EXE | CL-PSO [46] | 99.38 | 94.17 | 96.09 | 97.24 | 220 | 3.1139e+04
NotCompatible | EXE | PSO-CL-Pbest [44] | 99.38 | 94.07 | 96.02 | 97.20 | 220 | 3.5369e+04
PJapps | BACK | SSLPSO | 100 | 99.88 | 88.38 | 99.88 | 220 | 440.60
PJapps | BACK | SLPSO [44] | 100 | 99.85 | 85.86 | 99.85 | 220 | 469.85
PJapps | BACK | CL-PSO [46] | 100 | 99.88 | 88.38 | 99.88 | 220 | 500.69
PJapps | BACK | PSO-CL-Pbest [44] | 100 | 99.82 | 83.33 | 99.82 | 220 | 449.66
PJapps | EXE | SSLPSO | 98.70 | 95.24 | 96.28 | 97.16 | 220 | 8.0964e+03
PJapps | EXE | SLPSO [44] | 98.73 | 95.73 | 96.65 | 97.40 | 220 | 8.5079e+03
PJapps | EXE | CL-PSO [46] | 98.98 | 94.99 | 96.11 | 97.21 | 220 | 6.5203e+03
PJapps | EXE | PSO-CL-Pbest [44] | 98.47 | 95.42 | 96.41 | 97.11 | 220 | 7.5494e+03
Pletor | BACK | SSLPSO | 99.92 | 100 | 100 | 99.92 | 220 | 603.15
Pletor | BACK | SLPSO [44] | 99.92 | 100 | 100 | 99.92 | 220 | 662.53
Pletor | BACK | CL-PSO [46] | 99.92 | 100 | 100 | 99.92 | 220 | 648.84
Pletor | BACK | PSO-CL-Pbest [44] | 99.95 | 100 | 100 | 99.95 | 218 | 607.34
Pletor | EXE | SSLPSO | 99.96 | 97.40 | 99.47 | 99.52 | 220 | 1.3799e+04
Pletor | EXE | SLPSO [44] | 99.74 | 97.40 | 99.46 | 99.34 | 220 | 1.7932e+04
Pletor | EXE | CL-PSO [46] | 99.96 | 97.59 | 99.50 | 99.56 | 220 | 1.4848e+04
Pletor | EXE | PSO-CL-Pbest [44] | 99.93 | 99.45 | 99.73 | 99.49 | 220 | 2.0781e+04
Rootsmart | BACK | SSLPSO | 100 | 96.00 | 99.82 | 99.83 | 220 | 338.37
Rootsmart | BACK | SLPSO [44] | 100 | 94.67 | 99.76 | 99.77 | 220 | 658.37
Rootsmart | BACK | CL-PSO [46] | 100 | 95.33 | 99.79 | 99.80 | 220 | 647.12
Rootsmart | BACK | PSO-CL-Pbest [44] | 100 | 96.00 | 99.82 | 99.83 | 220 | 639.07
Rootsmart | EXE | SSLPSO | 98.99 | 92.80 | 99.20 | 98.37 | 220 | 5.0328e+03
Rootsmart | EXE | SLPSO [44] | 98.60 | 95.27 | 99.47 | 98.27 | 220 | 5.4352e+03
Rootsmart | EXE | CL-PSO [46] | 99.56 | 94.65 | 99.40 | 99.07 | 220 | 4.8012e+03
Rootsmart | EXE | PSO-CL-Pbest [44] | 99.17 | 94.24 | 99.36 | 98.68 | 220 | 5.0979e+03
Sandroid | BACK | SSLPSO | 99.56 | 66.45 | 94.68 | 94.82 | 220 | 560.19
Sandroid | BACK | SLPSO [44] | 99.45 | 64.68 | 94.41 | 94.48 | 220 | 580.91
Sandroid | BACK | CL-PSO [46] | 99.52 | 66.23 | 94.64 | 94.76 | 220 | 629.13
Sandroid | BACK | PSO-CL-Pbest [44] | 99.63 | 63.13 | 94.19 | 94.41 | 220 | 604.73
Sandroid | EXE | SSLPSO | 88.88 | 94.98 | 94.69 | 91.93 | 220 | 1.2069e+04
Sandroid | EXE | SLPSO [44] | 87.71 | 90.02 | 90.36 | 88.86 | 220 | 1.4860e+04
Sandroid | EXE | CL-PSO [46] | 82.37 | 93.30 | 92.49 | 87.84 | 220 | 1.3525e+04
Sandroid | EXE | PSO-CL-Pbest [44] | 95.09 | 83.54 | 85.25 | 89.32 | 220 | 1.2297e+04
TigerBot | BACK | SSLPSO | 92.98 | 98.43 | 95.31 | 97.05 | 220 | 464.35
TigerBot | BACK | SLPSO [44] | 89.78 | 98.61 | 95.64 | 96.36 | 220 | 497.34
TigerBot | BACK | CL-PSO [46] | 89.66 | 98.61 | 95.66 | 96.33 | 220 | 510.79
TigerBot | BACK | PSO-CL-Pbest [44] | 90.04 | 98.74 | 96.07 | 96.53 | 220 | 447.96
TigerBot | EXE | SSLPSO | 99.82 | 98.38 | 98.41 | 99.10 | 220 | 2.6684e+03
TigerBot | EXE | SLPSO [44] | 99.63 | 98.64 | 98.66 | 99.14 | 220 | 3.2971e+03
TigerBot | EXE | CL-PSO [46] | 99.49 | 98.19 | 98.23 | 98.84 | 220 | 3.2607e+03
TigerBot | EXE | PSO-CL-Pbest [44] | 99.74 | 98.23 | 98.27 | 98.99 | 220 | 4.0811e+03
Wroba | BACK | SSLPSO | 97.44 | 94.80 | 96.03 | 96.25 | 220 | 242.80
Wroba | BACK | SLPSO [44] | 96.26 | 93.80 | 95.21 | 95.15 | 220 | 246.07
Wroba | BACK | CL-PSO [46] | 98.08 | 91.25 | 93.47 | 94.99 | 220 | 257.27
Wroba | BACK | PSO-CL-Pbest [44] | 100 | 87.04 | 90.35 | 94.14 | 220 | 252.21
Wroba | EXE | SSLPSO | 99.88 | 97.62 | 99.82 | 99.72 | 220 | 4.4740e+04
Wroba | EXE | SLPSO [44] | 99.84 | 97.43 | 99.81 | 99.67 | 220 | 6.8751e+04
Wroba | EXE | CL-PSO [46] | 99.90 | 97.52 | 99.81 | 99.73 | 220 | 7.2374e+04
Wroba | EXE | PSO-CL-Pbest [44] | 99.86 | 97.24 | 99.79 | 99.67 | 220 | 7.5350e+04
Zitmo | BACK | SSLPSO | 99.89 | 92.45 | 99.24 | 99.20 | 220 | 2.2352e+03
2.5737e+04
220
91.13
98.79
97.59
96.12
SSLPSO
Zitmo
2.6979e+03
220
99.81
88.68
98.86
98.78
SLPSO[44]
3.4302e+04
220
92.59
98.90
97.82
96.70
SLPSO[44]
2.1504e+03
220
99.87
83.18
98.32
98.33
CL-PSO[46]
3.7753e+04
220
89.96
99.25
98.46
96.02
CL-PSO[46]
2.4120e+03
220
99.84
87.42
98.74
98.69
PSO-CL-
Pbest[44]
3.7443e+04
220
90.78
98.91
97.81
96.08
PSO-CL-Pbest[44]
To understand which algorithm performed better in each family, we summarized the results obtained in each family and placed them in Table (10). What can be extracted from Table (10)?
4.1.1. Investigating the effect of dataset volume and balance (balanced or imbalanced) on algorithm performance
In this section we first examine the effect of data volume on algorithm performance (based on Tables (6) and (10)), and then look at the performance of the algorithms on the balanced and the imbalanced Android botnet datasets (again based on Tables (6) and (10)):
1) On high-volume datasets (above 40,000 records), the SSLPSO and CLPSO [46] approaches perform better than the rest of the approaches (for example, MisoSMS-BACK and MisoSMS-EXE).
2) On datasets with fewer than 3,000 records, the SSLPSO algorithm outperforms the rest of the algorithms (for instance, Anseverbot-BACK).
3) On datasets with between 3,000 and 40,000 records, the SSLPSO and SLPSO approaches show the best results (for example, NotCompatible-EXE).
For the balance or imbalance of the datasets we have:
1) On datasets in which Android botnet records make up less than 15% of the data, the SSLPSO approach shows the best results.
2) On datasets in which Android botnet records make up more than 75% of the data, the SSLPSO and PSO-CL-Pbest approaches provide the best results.
3) On datasets in which Android botnet records account for between 15 and 75 percent of the data, the SSLPSO approach yields the best results.
Conclusion: The size of the dataset does not affect the performance of the SSLPSO algorithm, because this method can not only choose fewer and better features through the Smart Selection Strategies (SSS), but can also accurately adjust the other two SVM parameters (the sigma parameter (σ) and the penalty parameter (C)), so it identifies Android botnets at a high rate. Likewise, whether a dataset is balanced or imbalanced does not affect the SSLPSO algorithm, because with the help of five powerful strategies and their smart selection by SSS it can easily optimize the SVM parameters and identify Android botnets at a high rate.
Table (10): Comparing the performance of algorithms in each Android botnet family. For each family and subset (BACK, EXE) the table names the algorithm with the best Time, the best NFE, and the best SNS/SPC/Prec/ACC ("---" where no algorithm stands out, "ALL" where all algorithms tie).

Family | Subset | Time | NFE | SNS/SPC/Prec/ACC
Anseverbot | BACK | SSLPSO | --- | SSLPSO
Anseverbot | EXE | SSLPSO | --- | SLPSO[44]
Bmaster | BACK | PSO-CL-Pbest[44] | CL-PSO[46] | PSO-CL-Pbest[44]
Bmaster | EXE | SLPSO[44] | --- | PSO-CL-Pbest[44]
DroidDream | BACK | SSLPSO | --- | ALL
DroidDream | EXE | PSO-CL-Pbest[44] | --- | CL-PSO[46]
Geinimi | BACK | SSLPSO | --- | SSLPSO
Geinimi | EXE | CL-PSO[46] | --- | ALL
MisoSMS | BACK | SSLPSO | --- | CL-PSO[46]
MisoSMS | EXE | CL-PSO[46] | --- | SSLPSO
NickySpy | BACK | SSLPSO | --- | SSLPSO
NickySpy | EXE | PSO-CL-Pbest[44] | --- | PSO-CL-Pbest[44]
NotCompatible | BACK | PSO-CL-Pbest[44] | --- | SSLPSO
NotCompatible | EXE | SSLPSO | --- | SLPSO[44]
PJapps | BACK | SSLPSO | --- | SSLPSO
PJapps | EXE | CL-PSO[46] | --- | SLPSO[44]
Pletor | BACK | SSLPSO | PSO-CL-Pbest[44] | PSO-CL-Pbest[44]
Pletor | EXE | SSLPSO | --- | PSO-CL-Pbest[44]
Rootsmart | BACK | SSLPSO | --- | SSLPSO & PSO-CL-Pbest[44]
Rootsmart | EXE | CL-PSO[46] | --- | PSO-CL-Pbest[44]
Sandroid | BACK | SSLPSO | --- | SSLPSO
Sandroid | EXE | SSLPSO | --- | SSLPSO
TigerBot | BACK | PSO-CL-Pbest[44] | --- | SSLPSO
TigerBot | EXE | SSLPSO | --- | SLPSO[44]
Wroba | BACK | SSLPSO | --- | SSLPSO
Wroba | EXE | SSLPSO | --- | SSLPSO
Zitmo | BACK | CL-PSO[46] | --- | SSLPSO
Zitmo | EXE | SSLPSO | --- | SLPSO[44]
4.1.2. A closer look at the performance of the algorithms
In this section we take a deeper look at the performance of the algorithms. For a better comparison of the four algorithms, the results in Table (9) are averaged; Table (11) shows the average output of each algorithm. By analyzing Table (11), we can infer the following:
1) The SSLPSO algorithm detects Android botnets more accurately, so its TP is higher than that of the other algorithms and, as a result, it has the highest Sensitivity (SNS).
2) The SSLPSO algorithm distinguishes benign data from infected data more accurately, so its TN is higher than that of the other algorithms and, as a result, it has the highest Specificity (SPC).
3) Compared with the other algorithms, SSLPSO mistakes less benign data for Android botnet traffic. In other words, its FP is lower and its TP is higher than those of the other algorithms, and as a result its Precision (Prec) is the highest.
4) The SSLPSO algorithm has a higher TP and TN than the other algorithms, and as a result its Accuracy (ACC) is the highest.
5) The CLPSO algorithm uses fewer fitness function evaluations, because in some families it reaches accuracy = 100%, which satisfies one of the termination conditions, so the algorithm ends early. That is why its NFE value is lower than that of the other algorithms.
6) The particles of the SSLPSO algorithm scan the search space better than those of the other algorithms and select fewer, more important features. As a result, its Execution Time is the lowest.
Table (11): The average results obtained from Table (9). Each column ranks the algorithms best-first on that measure.

Rank | Accuracy (ACC), percent | Precision (Prec), percent | Specificity (SPC), percent | Sensitivity (SNS), percent | NFE, number | Time (sec)
1 | SSLPSO 98.2829 | SSLPSO 97.7386 | SSLPSO 95.5300 | SSLPSO 96.7604 | CLPSO[46] 219.0821 | SSLPSO 7.9363e+03
2 | SLPSO[44] 98.0543 | SLPSO[44] 97.5375 | SLPSO[44] 95.2146 | PSO-CL-Pbest[44] 96.7293 | PSO-CL-Pbest[44] 219.1546 | CLPSO[46] 9.5070e+03
3 | PSO-CL-Pbest[44] 98.0318 | CLPSO[46] 97.4357 | CLPSO[46] 94.8514 | SLPSO[44] 96.1686 | SLPSO[44] 219.9036 | SLPSO[44] 9.5602e+03
4 | CLPSO[46] 97.9786 | PSO-CL-Pbest[44] 96.9154 | PSO-CL-Pbest[44] 94.6139 | CLPSO[46] 96.1032 | SSLPSO 220 | PSO-CL-Pbest[44] 9.7083e+03
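The derivation of Table (10) from Table (9) (best algorithm per family and subset) and of Table (11) (per-algorithm averages, ranked per measure), as an added example that is not the paper's code. The rows are copied from Table (9) for the NickySpy and Sandroid families; the metric definitions follow Section 4.1.2, and the tie-handling convention is an assumption.

```python
"""Added example (not the paper's code): from rows shaped like Table 9,
derive the Table 10-style "best algorithm per family and subset" and the
Table 11-style per-algorithm averages, using the metric definitions of
Section 4.1.2.  ROWS is copied from the paper's Table 9 for two families;
the tie-handling convention ('ALL', 'A & B') is an assumption."""
from collections import defaultdict
from statistics import mean

METRICS = ("Time", "NFE", "SNS", "SPC", "Prec", "ACC")
LOWER_IS_BETTER = {"Time", "NFE"}   # cost measures; the rest are percentages

# (family, subset, algorithm, Time, NFE, SNS, SPC, Prec, ACC), from Table 9.
ROWS = [
    ("NickySpy", "BACK", "SSLPSO",           981.02,     220, 99.95, 81.33, 99.24, 99.22),
    ("NickySpy", "BACK", "SLPSO[44]",        1.1277e+03, 220, 99.93, 80.44, 99.21, 99.16),
    ("NickySpy", "BACK", "CL-PSO[46]",       1.2357e+03, 220, 99.91, 80.44, 99.21, 99.15),
    ("NickySpy", "BACK", "PSO-CL-Pbest[44]", 1.1194e+03, 220, 100.0, 78.22, 99.12, 99.15),
    ("NickySpy", "EXE",  "SSLPSO",           1.0560e+04, 220, 99.51, 99.53, 99.81, 99.52),
    ("NickySpy", "EXE",  "SLPSO[44]",        7.0977e+03, 220, 99.47, 99.29, 99.72, 99.42),
    ("NickySpy", "EXE",  "CL-PSO[46]",       8.2989e+03, 220, 99.49, 99.29, 99.72, 99.43),
    ("NickySpy", "EXE",  "PSO-CL-Pbest[44]", 6.6272e+03, 220, 99.63, 99.53, 99.81, 99.60),
    ("Sandroid", "BACK", "SSLPSO",           560.19,     220, 99.56, 66.45, 94.68, 94.82),
    ("Sandroid", "BACK", "SLPSO[44]",        580.91,     220, 99.45, 64.68, 94.41, 94.48),
    ("Sandroid", "BACK", "CL-PSO[46]",       629.13,     220, 99.52, 66.23, 94.64, 94.76),
    ("Sandroid", "BACK", "PSO-CL-Pbest[44]", 604.73,     220, 99.63, 63.13, 94.19, 94.41),
    ("Sandroid", "EXE",  "SSLPSO",           1.2069e+04, 220, 88.88, 94.98, 94.69, 91.93),
    ("Sandroid", "EXE",  "SLPSO[44]",        1.4860e+04, 220, 87.71, 90.02, 90.36, 88.86),
    ("Sandroid", "EXE",  "CL-PSO[46]",       1.3525e+04, 220, 82.37, 93.30, 92.49, 87.84),
    ("Sandroid", "EXE",  "PSO-CL-Pbest[44]", 1.2297e+04, 220, 95.09, 83.54, 85.25, 89.32),
]


def rates(tp, tn, fp, fn):
    """SNS, SPC, Prec and ACC (percent) from confusion-matrix counts, the
    relations Section 4.1.2 relies on: SNS grows with TP, SPC with TN,
    Prec falls as FP grows, ACC grows with TP and TN."""
    sns = 100.0 * tp / (tp + fn)
    spc = 100.0 * tn / (tn + fp)
    prec = 100.0 * tp / (tp + fp)
    acc = 100.0 * (tp + tn) / (tp + tn + fp + fn)
    return {"SNS": round(sns, 2), "SPC": round(spc, 2),
            "Prec": round(prec, 2), "ACC": round(acc, 2)}


def best_per_family(rows):
    """Map (family, subset) -> {metric: winner}.  Tied winners are joined
    with ' & '; a tie among every algorithm becomes 'ALL' (Table 10 prints
    '---' in the NFE column when every algorithm used the same number)."""
    groups = defaultdict(list)
    for row in rows:
        groups[(row[0], row[1])].append(row)
    result = {}
    for key, group in groups.items():
        winners = {}
        for i, metric in enumerate(METRICS, start=3):   # columns 3..8 hold the metrics
            values = [r[i] for r in group]
            target = min(values) if metric in LOWER_IS_BETTER else max(values)
            names = [r[2] for r in group if r[i] == target]
            winners[metric] = "ALL" if len(names) == len(group) else " & ".join(names)
        result[key] = winners
    return result


def ranked_averages(rows):
    """Map metric -> [(algorithm, mean)] ordered best-first, which is how
    Table 11 lays out the averages of Table 9."""
    per_algo = defaultdict(lambda: defaultdict(list))
    for row in rows:
        for i, metric in enumerate(METRICS, start=3):
            per_algo[row[2]][metric].append(row[i])
    ranking = {}
    for metric in METRICS:
        pairs = [(algo, mean(vals[metric])) for algo, vals in per_algo.items()]
        pairs.sort(key=lambda p: p[1], reverse=metric not in LOWER_IS_BETTER)
        ranking[metric] = pairs
    return ranking


if __name__ == "__main__":
    for key, winners in sorted(best_per_family(ROWS).items()):
        print(key, winners)
    for metric, pairs in ranked_averages(ROWS).items():
        print(metric, [(algo, round(m, 4)) for algo, m in pairs])
```

On this two-family subset the fastest algorithm on average is PSO-CL-Pbest[44], not SSLPSO; the paper's Time ranking in Table (11) is over all 28 datasets.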
4.2. SSLPSO versus SAPSO
In this section we compare the SSLPSO approach with our previous method (SAPSO [10]) to determine which of the two algorithms is superior in detecting Android botnets (refer to Figure (4)):
1) If the execution time of the algorithm, SNS and SPC are not important for the detection of Android botnets, it is better to use the SAPSO algorithm, because its ACC and Prec are higher than those of the other algorithms.
2) If the execution time of the algorithm is important for detecting Android botnets, it is better to use the SSLPSO algorithm, because in addition to having the lowest execution time among all the algorithms, it has provided the best results in terms of ACC and SPC after the SAPSO algorithm. Also, SSLPSO has the best SNS and SPC among all the algorithms implemented on the 28 Android botnet datasets.
It should be noted that the SAPSO algorithm, like SSLPSO, was run on the 28 Android botnet datasets.
Figure (4): SSLPSO VS. SAPSO[10]
4.3. ANALYSIS OF THE SELECTED FEATURES
Feature selection is the most important part of Algorithm (5), because choosing the wrong features can confuse the particles in the search space. Choosing unimportant features of a dataset can result in an inappropriate response from the PSO algorithm. In other words, even if the PSO algorithm optimizes the other two SVM parameters in the best way but does not select the important dataset features, the SVM technique cannot detect Android botnets with high accuracy (and vice versa). Therefore, in each family, the algorithm with the best result compared to the other algorithms is selected and its features are compared with those of the other families (the 27 other datasets). Then the 20 top features related to Android botnets are selected. Table (12) shows these features in order of importance.
Table (12): 20 extracted attributes of the best results from Android botnet detecting algorithms

Number | Superior Features | Percent
1 | RST Flag Count | 67.86
2 | Total Backward Packets | 67.86
3 | min_seg_size_forward | 64.29
4 | URG Flag Count | 64.29
5 | Fwd Packets/s | 64.29
6 | Bwd Packet Length Mean | 64.29
7 | Active Std | 60.71
8 | Init_Win_bytes_forward | 60.71
9 | Fwd Avg Bulk Rate | 60.71
10 | Avg Bwd Segment Size | 60.71
11 | Down/Up Ratio | 60.71
12 | ECE Flag Count | 60.71
13 | ACK Flag Count | 60.71
14 | SYN Flag Count | 60.71
15 | Fwd PSH Flags | 60.71
16 | Bwd Packet Length Min | 60.71
17 | Fwd Packet Length Std | 60.71
18 | Bwd Packets/s | 57.14
19 | Flow IAT Mean | 57.14
20 | Source Port | 57.14
4.3.1. Analysis of the features obtained in this paper
Figure (4) data (criteria ACC, Prec, SPC, SNS): SSLPSO 98.2829, 97.7386, 95.53, 96.7604; SAPSO[10] 98.3261, 97.8061, 95.3246, 96.4921.
In Table (12), 'Percent' refers to the percentage of the 28 datasets in which a feature was selected. According to Table (12), the most important features are RST Flag Count and Total Backward Packets, which were selected in 67.86% of the datasets. For more information on the 85 features of CICFlowMeter, refer to articles [49, 50].
Android botnets leave the smallest possible footprint when communicating with the C&C server and with other bots. As a result, many features not only do not help the accurate detection of Android botnets but also increase the FP and FN rates, because an Android bot tries to minimize its detection rate by encrypting the important features that are of interest to security researchers. For example, security researchers focus on features such as Source IP, Destination IP, and closed content; so, if Android botnets can generate domains (for their IPs) [40] and encrypt the features that security researchers are interested in, researchers will most likely be unable to detect them.
Therefore, we have used the best results to obtain the best features of Android botnets, because these features are probably not encrypted by Android botnets. As a result, by identifying the 20 top Android botnet features, it can be claimed that these features are directly related to TN and TP and inversely related to FP and FN. So by focusing on these features, we can identify Android botnets with great accuracy.
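How the 'Percent' column of Table (12) follows from the feature masks of the best particle on each of the 28 datasets, as an added example that is not the paper's code. The particle layout (sigma, C, then one gate value per feature, kept when the gate is at least 0.5) and the per-dataset best particles are assumptions constructed for this example; only the feature names come from Table (12).

```python
"""Added example (not the paper's code): rank features by the share of
the 28 datasets whose best result selected them, which is what the
'Percent' column of Table 12 reports (e.g. 19 of 28 datasets = 67.86%).
The particle layout (sigma, C, then one gate per feature, kept when the
gate is >= 0.5) and the per-dataset best particles are constructed
assumptions; only the feature names come from Table 12."""
N_DATASETS = 28   # the paper's 28 Android botnet datasets

# A subset of the CICFlowMeter feature names listed in Table 12.
FEATURES = ["RST Flag Count", "Total Backward Packets", "min_seg_size_forward",
            "URG Flag Count", "Fwd Packets/s", "Bwd Packet Length Mean",
            "Bwd Packets/s", "Flow IAT Mean"]


def decode_particle(position, n_features):
    """Split one particle position into (sigma, C, feature mask).
    Assumed layout: index 0 is sigma, index 1 is C, and the remaining
    n_features entries are gates; a feature is kept when its gate >= 0.5."""
    if len(position) != 2 + n_features:
        raise ValueError("position must hold sigma, C and one gate per feature")
    sigma, c = position[0], position[1]
    mask = [gate >= 0.5 for gate in position[2:]]
    return sigma, c, mask


def constructed_best_particles():
    """Deterministic stand-in for the best particle found on each dataset
    (constructed data): feature j is gated on in the first hits[j] datasets,
    so the expected percentages are known in advance."""
    hits = [19, 19, 18, 18, 18, 18, 16, 16]
    particles = []
    for d in range(N_DATASETS):
        gates = [0.9 if d < hits[j] else 0.1 for j in range(len(FEATURES))]
        particles.append([0.5 + 0.01 * d, 10.0 + d] + gates)  # sigma, C, gates
    return particles


def feature_frequency(particles, names):
    """Return [(feature, percent of datasets that selected it)], best first;
    features with equal counts keep their input order (stable sort)."""
    counts = [0] * len(names)
    for position in particles:
        _, _, mask = decode_particle(position, len(names))
        for j, kept in enumerate(mask):
            counts[j] += int(kept)
    ranked = sorted(zip(names, counts), key=lambda pair: -pair[1])
    return [(name, round(100.0 * count / len(particles), 2))
            for name, count in ranked]


if __name__ == "__main__":
    table = feature_frequency(constructed_best_particles(), FEATURES)
    for rank, (name, pct) in enumerate(table, start=1):
        print(f"{rank:2d}  {name:28s} {pct:6.2f}%")
```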
5. Discussion
The results of the SSLPSO-SVM approach raise three questions. First, given the results for the 28 Android botnet datasets, can the SSLPSO-SVM approach provide an acceptable answer for similar datasets (other botnet types, malware, etc.)? Second, how can this approach be implemented in practice? Third, can this approach be used with other machine learning techniques?
In answer to the first question, it must be admitted that it is not possible to conclude that the SSLPSO-SVM technique works best for other datasets, but it can be claimed that it will deliver one of the best results, because the proposed technique utilizes two unique characteristics: setting the SVM parameters together with selecting the important dataset features. These two things are interdependent; selecting the best parameters for the SVM gives the best SVM performance when the selected features are the best features of the dataset, and vice versa. As a result, the SSLPSO-SVM technique, with these two capabilities, can easily optimize the important SVM parameters and select the important dataset features if it is run on the same datasets multiple times. Therefore, this technique seems able to provide one of the best answers.
In answer to the second question, it should first be noted that this approach is not suitable for installation on smartphones, because it would consume a large amount of processing time on the smartphone processor, thereby slowing users' phones and increasing their energy consumption. The main application of this approach is in organizations that care about protecting information and tackling malware such as botnets. Such organizations create a smart detection system by providing a comprehensive dataset of botnets and malware and training on this dataset with the SSLPSO-SVM technique (Figure (3)). The process of creating Android botnet datasets is fully explained in our previous work, and that approach can be used to create other datasets [1]. After developing the smart detection system and backing it with a powerful server, the organization should capture its network flows and extract the required features using a feature engineering approach (see our previous work for a better understanding of these concepts [1]). The intelligent detection system then labels each flow and separates benign traffic from infected traffic. The results obtained on the 28 Android botnet datasets show that this approach can be effective for datasets similar to Android botnets.
Finally, the authors' answer to the last question is positive, because the goal of the SSLPSO approach is to optimize machine learning techniques. Therefore, whether these techniques are supervised or unsupervised, the SSLPSO approach can improve their results by optimizing their parameters.
6. CONCLUSION
In this paper, SSLPSO-SVM is introduced to detect Android botnets. In this method, the SSLPSO-SVM technique uses five different velocity update strategies. The particle velocity at each stage is updated intelligently, based on the state of the particle at the previous stage: the priority and frequency of execution always go to the strategy that performed better in the previous stage. That is, the Smart Selection Strategies (SSS) method chooses the strategy that has changed the values of Pbest and Gbest more than the other strategies, and the particle velocities are then updated using one of the five velocity strategies. The main parameters of the SVM method (σ and C in RBF kernel mode, and the features) are also optimized by the SSLPSO algorithm; the proposed models are trained using 28 standard Android botnet datasets so that they can detect Android botnets at a high rate.
The results of various simulations revealed the superiority of the proposed model (SSLPSO-SVM) in comparison with the other three methods. The results also showed that the SSLPSO-SVM approach was the fastest of the methods. In addition, data volume and whether a dataset is balanced or imbalanced do not affect the performance of the proposed approach, which identifies Android botnets at a high rate. Finally, using the best results from the 28 Android botnet datasets, the top 20 Android botnet features were identified, and we concluded that one of the factors influencing the selection of important features of a dataset is the approach and the parameters used on that dataset.
ACKNOWLEDGMENTS
The authors greatly appreciate Dr. Gholamreza Nakhaeizadeh (APL-Professor of Economics and Econometrics, Karlsruhe
Institute of Technology, Germany) for the invaluable contributions he made to this study. Further, the authors kindly appreciate
Birjand University of Technology for helping us to conduct the study experiments in the university research lab.
REFERENCES
[1] M. Moodi and M. Ghazvini, "A new method for assigning appropriate labels to create a 28 Standard Android Botnet Dataset (28-SABD)," Journal of Ambient Intelligence and Humanized Computing, vol. 10, no. 11, pp. 4579-4593, 2019.
[2] Z. Abdullah, M. M. Saudi, and N. B. Anuar, "ABC: android botnet classification using feature selection and classification algorithms," Advanced Science Letters, vol. 23, no. 5, pp. 4717-4720, 2017.
[3] S. Anwar, M. F. Zolkipli, Z. Inayat, J. Odili, M. Ali, and J. M. Zain, "Android Botnets: A Serious Threat to Android Devices," Pertanika Journal of Science & Technology, vol. 26, no. 1, 2018.
[4] S. Arshad, M. A. Shah, A. Khan, and M. Ahmed, "Android malware detection & protection: a survey," International Journal of Advanced Computer Science and Applications, vol. 7, no. 2, pp. 463-475, 2016.
[5] A. Karim, R. Salleh, and M. K. Khan, "SMARTbot: A behavioral analysis framework augmented with machine learning to identify mobile botnet applications," PloS one, vol. 11, no. 3, 2016.
[6] X. Meng and G. Spanoudakis, "MBotCS: A Mobile Botnet Detection System Based on Machine Learning," in Risks and Security of Internet and Systems, Cham: Springer International Publishing, 2016, pp. 274-291.
[7] W. Hijawi, J. Alqatawna, and H. Faris, "Toward a Detection Framework for Android Botnet," in 2017 International Conference on New Trends in Computing Sciences (ICTCS), 2017, pp. 197-202.
[8] C.-C. Chang and C.-J. Lin, "LIBSVM: A library for support vector machines," ACM Transactions on Intelligent Systems and Technology (TIST), vol. 2, no. 3, pp. 1-27, 2011.
[9] P. J. García Nieto, E. García-Gonzalo, J. R. Alonso Fernández, and C. Díaz Muñiz, "A hybrid wavelet kernel SVM-based method using artificial bee colony algorithm for predicting the cyanotoxin content from experimental cyanobacteria concentrations in the Trasona reservoir (Northern Spain)," Journal of Computational and Applied Mathematics, vol. 309, pp. 587-602, 2017.
[10] M. Moodi, M. Ghazvini, H. Moodi, and B. Ghavami, "A smart adaptive particle swarm optimization-support vector machine: android botnet detection application," The Journal of Supercomputing, 2020.
[11] J. Kennedy and R. Eberhart, "Particle swarm optimization," in Proceedings of ICNN'95 - International Conference on Neural Networks, 1995, vol. 4, pp. 1942-1948.
[12] J. Kennedy, "Particle Swarm Optimization," in Encyclopedia of Machine Learning, C. Sammut and G. I. Webb, Eds. Boston, MA: Springer US, 2010, pp. 760-766.
[13] Z. Zhan, J. Zhang, Y. Li, and H. S. Chung, "Adaptive Particle Swarm Optimization," IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics), vol. 39, no. 6, pp. 1362-1381, 2009.
[14] J. Kennedy and R. C. Eberhart, "A discrete binary version of the particle swarm algorithm," in 1997 IEEE International Conference on Systems, Man, and Cybernetics. Computational Cybernetics and Simulation, 1997, vol. 5, pp. 4104-4108.
[15] A. Apvrille, "Symbian worm Yxes: towards mobile botnets?," Journal in Computer Virology, vol. 8, no. 4, pp. 117-131, 2012.
[16] P. Porras, H. Saïdi, and V. Yegneswaran, "An Analysis of the iKee.B iPhone Botnet," in Security and Privacy in Mobile Information and Communication Systems, Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 141-152.
[17] T. Strazzere and T. Wyatt, "Geinimi trojan technical teardown," Lookout Mobile Security, 2011.
[18] A. Karim, S. A. A. Shah, R. B. Salleh, M. Arif, and R. M. Noor, "Mobile botnet attacks - An emerging threat: Classification, review and open issues," KSII Transactions on Internet and Information Systems (TIIS), vol. 9, no. 4, pp. 1471-1492, 2015.
[19] A. F. Abdul Kadir, N. Stakhanova, and A. A. Ghorbani, "Android Botnets: What URLs are Telling Us," in Network and System Security, Cham: Springer International Publishing, 2015, pp. 78-91.
[20] S. Garcia, M. J. Erquiaga, A. Shirokova, and C. G. Garino, "Geost Botnet. Operational Security Failures of a New Android Banking Threat," in 2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 2019, pp. 406-409.
[21] K. Singh, S. Sangal, N. Jain, P. Traynor, and W. Lee, "Evaluating Bluetooth as a Medium for Botnet Command and Control," in Detection of Intrusions and Malware, and Vulnerability Assessment, Berlin, Heidelberg: Springer Berlin Heidelberg, 2010, pp. 61-80.
[22] Q. Li, S. Zhu, and G. Cao, "Routing in Socially Selfish Delay Tolerant Networks," in 2010 Proceedings IEEE INFOCOM, 2010, pp. 1-9.
[23] A. J. Alzahrani and A. A. Ghorbani, "SMS-based mobile botnet detection framework using intelligent agents," Journal of Cyber Security and Mobility, vol. 5, no. 2, pp. 47-74, 2016.
[24] B. Choi, S. Choi, and K. Cho, "Detection of Mobile Botnet Using VPN," in 2013 Seventh International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, 2013, pp. 142-148.
[25] M. Mahmoud, M. Nir, and A. Matrawy, "A Survey on Botnet Architectures, Detection and Defences," IJ Network Security, vol. 17, no. 3, pp. 264-281, 2015.
[26] M. Anagnostopoulos, G. Kambourakis, and S. Gritzalis, "New facets of mobile botnet: architecture and evaluation," International Journal of Information Security, vol. 15, no. 5, pp. 455-473, 2016.
[27] Y. Dong, J. Dai, and X. Sun, "A Mobile Botnet That Meets Up at Twitter," in Security and Privacy in Communication Networks, Cham: Springer International Publishing, 2018, pp. 3-21.
[28] M. R. Faghani and U. T. Nguyen, "Mobile botnets meet social networks: design and analysis of a new type of botnet," International Journal of Information Security, vol. 18, no. 4, pp. 423-449, 2019.
[29] S. Anwar, M. F. Zolkipli, Z. Inayat, J. Odili, M. Ali, and J. M. Zain, "Android Botnets: A Serious Threat to Android Devices," Pertanika Journal of Science & Technology, vol. 26, no. 1, pp. 37-70, 2018.
[30] A. F. Abdul Kadir, N. Stakhanova, and A. A. Ghorbani, "Android Botnets: What URLs are Telling Us," in International Conference on Network and System Security, New York, NY, USA: Springer, 2015, pp. 78-91.
[31] G. Kirubavathi and R. Anitha, "Structural analysis and detection of android botnets using machine learning techniques," International Journal of Information Security, vol. 17, no. 2, pp. 153-167, 2018.
[32] S. Y. Yerima and M. K. Alzaylaee, "Mobile Botnet Detection: A Deep Learning Approach Using Convolutional Neural Networks," in 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), 2020, pp. 1-8.
[33] F. Wei, Y. Li, S. Roy, X. Ou, and W. Zhou, "Deep Ground Truth Analysis of Current Android Malware," Cham: Springer International Publishing, 2017, pp. 252-276.
[34] W. Wang, X. Wang, D. Feng, J. Liu, Z. Han, and X. Zhang, "Exploring Permission-Induced Risk in Android Applications for Malicious Application Detection," IEEE Transactions on Information Forensics and Security, vol. 9, no. 11, pp. 1869-1882, 2014.
[35] A. A. Ahmed, W. A. Jabbar, A. S. Sadiq, and H. Patel, "Deep learning-based classification model for botnet attack detection," Journal of Ambient Intelligence and Humanized Computing, 2020.
[36] M. Asadi, M. A. Jabraeil Jamali, S. Parsa, and V. Majidnezhad, "Detecting botnet by using particle swarm optimization algorithm based on voting system," Future Generation Computer Systems, vol. 107, pp. 95-111, 2020.
[37] S. Arshad, M. A. Shah, A. Khan, and M. Ahmed, "Android malware detection & protection: a survey," International Journal of Advanced Computer Science and Applications, vol. 7, pp. 463-475, 2016.
[38] N. Painter and B. Kadhiwala, "Machine-Learning-Based Android Malware Detection Techniques - A Comparative Analysis," in Information and Communication Technology for Sustainable Development, Singapore: Springer Singapore, 2018, pp. 181-190.
[39] J. Lin, X. Zhao, and H. Li, "Target: Category-based android malware detection revisited," in Proceedings of the Australasian Computer Science Week Multiconference, 2017, pp. 1-9.
[40] I. Ghafir, V. Prenosil, and M. Hammoudeh, "Botnet Command and Control Traffic Detection Challenges: A Correlation-based Solution," International Journal of Advances in Computer Networks and Its Security, vol. 7, no. 1, pp. 27-31, 2017.
[41] Z. Abdullah, M. M. Saudi, and A. N. Badrul, "ABC: Android Botnet Classification Using Feature Selection and Classification Algorithms," Adv. Sci. Lett., vol. 23, no. 5, pp. 4717-4720, 2017.
[42] C. D. McDermott, F. Majdani, and A. V. Petrovski, "Botnet Detection in the Internet of Things using Deep Learning Approaches," in 2018 International Joint Conference on Neural Networks (IJCNN), 2018, pp. 1-8.
[43] D. Zhuang and J. M. Chang, "Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis," IEEE Transactions on Information Forensics and Security, vol. 14, no. 6, pp. 1485-1500, 2019.
[44] Y. Wang, B. Li, T. Weise, J. Wang, B. Yuan, and Q. Tian, "Self-adaptive learning based particle swarm optimization," Information Sciences, vol. 181, no. 20, pp. 4515-4538, 2011.
[45] X. Zuo, G. Zhang, and W. Tan, "Self-Adaptive Learning PSO-Based Deadline Constrained Task Scheduling for Hybrid IaaS Cloud," IEEE Transactions on Automation Science and Engineering, vol. 11, no. 2, pp. 564-573, 2014.
[46] J. J. Liang, A. K. Qin, P. N. Suganthan, and S. Baskar, "Comprehensive learning particle swarm optimizer for global optimization of multimodal functions," IEEE Transactions on Evolutionary Computation, vol. 10, no. 3, pp. 281-295, 2006.
[47] A. K. Qin, V. L. Huang, and P. N. Suganthan, "Differential Evolution Algorithm With Strategy Adaptation for Global Numerical Optimization," IEEE Transactions on Evolutionary Computation, vol. 13, no. 2, pp. 398-417, 2009.
[48] M. Ghazvini, S. Monadjemi, N. Movahhedinia, and K. Jamshidi, "Defect detection of tiles using 2D-wavelet transform and statistical features," World Academy of Science, Engineering and Technology, vol. 49, no. 901-904, p. 1, 2009.
[49] A. H. Lashkari, G. Draper-Gil, M. S. I. Mamun, and A. A. Ghorbani, "Characterization of Tor Traffic using Time based Features," in ICISSP, 2017, pp. 253-262.
[50] G. D. Gil, A. H. Lashkari, M. Mamun, and A. A. Ghorbani, "Characterization of encrypted and VPN traffic using time-related features," in Proceedings of the 2nd International Conference on Information Systems Security and Privacy (ICISSP 2016), 2016, pp. 407-414.
... Overfitting problems. (Moodi et al., 2021;Zhao et al., 2019;Yu et al., 2021;He & Fu, 2021; Social Ski Driver algorithm (Tharwat & Gabel, 2020) Although k-means is one of the most explored algorithms when it comes to clustering, some other methods and algorithms can also be used to solve clustering problems. For example, Kuo et al. (2020) and Nguyen and Kuo (2019) used the Fuzzy c-means (FCM) algorithm, which is a clustering algorithm derived from the fuzzy set theory. ...
... Other interesting approaches involving a hybrid strategy between swarm algorithms and SVM can be seen in the work developed by Moodi et al. (2021). The authors proposed an intelligent adaptive particle swarm optimization-support vector machine that adapts the optimization algorithm parameters, such as the inertia weight and acceleration coefficients. ...
Article
Full-text available
Notably, real problems are increasingly complex and require sophisticated models and algorithms capable of quickly dealing with large data sets and finding optimal solutions. However, there is no perfect method or algorithm; all of them have some limitations that can be mitigated or eliminated by combining the skills of different methodologies. In this way, it is expected to develop hybrid algorithms that can take advantage of the potential and particularities of each method (optimization and machine learning) to integrate methodologies and make them more efficient. This paper presents an extensive systematic and bibliometric literature review on hybrid methods involving optimization and machine learning techniques for clustering and classification. It aims to identify the potential of methods and algorithms to overcome the difficulties of one or both methodologies when combined. After the description of optimization and machine learning methods, a numerical overview of the works published since 1970 is presented. Moreover, an in-depth state-of-art review over the last three years is presented. Furthermore, a SWOT analysis of the ten most cited algorithms of the collected database is performed, investigating the strengths and weaknesses of the pure algorithms and detaching the opportunities and threats that have been explored with hybrid methods. Thus, with this investigation, it was possible to highlight the most notable works and discoveries involving hybrid methods in terms of clustering and classification and also point out the difficulties of the pure methods and algorithms that can be strengthened through the inspirations of other methodologies; they are hybrid methods.
... In order to analyze the influence of QHLS on the algorithm performance, QHLS in QLHPSO is respectively replaced with the intelligent selection strategy of Moodi et al. [55] and the adaptive strategy of Sabar et al. [56], obtaining two algorithms named SSLPSO and APSO. The intelligent selection strategy determines the frequency and priority of using each learning strategy according to the number of changes in personal best and global best at each stage. ...
Article
Full-text available
During the process of waste collection, various unpredicted disturbances might occur. Meanwhile, vehicle transport is an important source of carbon emissions. In this study, an energy-efficient multi-trip dynamic vehicle routing model is established for waste collection, which introduces two types of dynamic events: new collecting requirements of waste sites and vehicle breakdowns. A Q -learning-based hyperheuristic particle swarm optimization (QLHPSO) is proposed as a dynamic rescheduling method to solve the model. A set of low-level heuristics (LLHs) are designed by combining the learning operators in particle swarm optimization and local search operators. A Q -learning-based high-level strategy is developed to find a suitable LLH for each evolutionary state based on historical performance of LLHs. When rescheduling is triggered, a response mechanism is incorporated to construct initial population by utilizing the features of dynamic events and historical elites. Extensive experimental results on one real instance and nine synthetic instances show that QLHPSO can react to the environmental changes rapidly, and reschedule the vehicle routes with lower cost and carbon emissions compared to the state-of-the-art algorithms.
... Each bird is depicted as a particle addressing an answer for an issue and has a position (x) and velocity (v). Advantages of this algorithm include rapid convergence to the global best point, uncomplicated execution, a limited amount of adjustable parameters, and increased computational efficiency [21]. The Particle Swarm Optimization (PSO) algorithm consists of several sequential steps. ...
Article
Heart disease is a condition that ranks as the primary cause of death worldwide. Based on available data, over 36 million people have succumbed to non-communicable diseases, and heart disease falls within the category of non-communicable diseases. This research employs a heart disease dataset from the UCI Repository, consisting of 303 instances and 14 categorical features. In this research, the data were analyzed using the classification methods XGBoost (Extreme Gradient Boosting) and Random Forest, which can be applied with PSO (Particle Swarm Optimization) as a feature selection technique to address the issue of irrelevant features. This issue can impact prediction performance on the heart disease dataset. From the results of the conducted research, the obtained values for the XGBoost (Extreme Gradient Boosting) model were 0.877, and for the Random Forest model, it was 0.874. On the other hand, in the model utilizing Particle Swarm Optimization (PSO), the obtained AUC values are 0.913 for XGBoost (Extreme Gradient Boosting) and 0.918 for Random Forest. These research results demonstrate that PSO (Particle Swarm Optimization) can enhance the AUC of heart disease prediction performance. Therefore, this research contributes to enhancing the precision and efficiency of heart disease patient data processing, which benefits heart disease diagnosis in terms of speed and accuracy.
... Artificial neural networks [12], backpropagation (BP) neural networks [13], and support vector machines (SVMs) [14] are common machine learning algorithms. An artificial neural network is prone to overfitting, a BP neural network tends to fall into local optimality [15,16], and an SVM effectively solves the above problems. With their sound learning performance, SVMs are widely used in fault diagnosis and identification [17,18]. ...
Article
This study targets the low accuracy and efficiency of the support vector machine (SVM) algorithm in rolling bearing fault diagnosis. An improved grey wolf optimizer (IGWO) algorithm was proposed based on deep learning and a swarm intelligence optimization algorithm to optimize the structural parameters of SVM and improve the rolling bearing fault diagnosis. A nonlinear contraction factor update strategy was also proposed. The variable coefficient changes with the shrinkage factor α. Thus, the search ability was balanced at different early and late stages by controlling the dynamic changes of the variable coefficient. In the early stages of optimization, its speed is low to avoid falling into local optimization. In the later stages of optimization, the speed is higher, and finding the optimal solution is easier, balancing the two different global and local optimization capabilities to complete efficient convergence. The dynamic weight update strategy was adopted to perform position updates based on adaptive dynamic weights. First, the dataset of Case Western Reserve University was used for simulation, and the results showed that the diagnosis accuracy of IGWO-SVM was 98.75%. Then, the IGWO-SVM model was trained and tested using data obtained from the full-life-cycle test platform of mechanical transmission bearings independently researched and developed by Nanjing Agricultural University. The fault diagnosis accuracy and convergence value of the adaptation curve were compared with those of PSO-SVM (particle swarm optimization) and GWO-SVM diagnosis models. Results showed that the IGWO-SVM model had the highest rolling bearing fault diagnosis accuracy and the best diagnosis convergence.
Article
The goal of this research is to achieve safe and efficient excavation of coal and rock tunnels with complex geological structures, and to enhance the self-sensing ability of coal and rock cutting equipment and tools. Particle swarm optimization support vector machine is used to identify the cutting state of disc cutting tools. EDEM finite element analysis software is used to analyze cutting process characteristics of the disc cutting tool when used to cut through coal and rock with different compressive strengths. Empirical mode decomposition is used to decompose the load spectrum characteristics; for this purpose, the first-order and seventh-order intrinsic mode functions containing all the feature information of the original signal of the load spectrum are selected. The sample entropy is calculated as the feature input vector. The extracted feature vector is input into the trained support vector machine model and the particle swarm optimization support vector machine model. By extracting the sample entropy of the load spectrum of the disc cutter as the feature vector, the particle swarm optimization support vector model is used to identify the cutting state of the coal and rock. The recognition accuracy of the support vector machine model before and after the improvement is compared and analyzed. The results show that compared to the unoptimized support vector machine, the support vector machine optimized by particle swarm optimization can identify the load spectrum of the coal more quickly and accurately. The recognition accuracy is 96.82%, which verifies the effectiveness of the particle swarm optimization support vector machine model in identifying the load spectrum of the coal and rock disc cutter.
Chapter
As the use of mobile devices increases, the security risks associated with them also steadily increase. One of the most serious threats is the presence of mobile botnets, which are a group of devices controlled by cybercriminals to launch attacks or data theft. Identifying infected devices is a key step in counteracting these hazards. This article presents an analysis of the data collected in the experiment using a mobile botnet application. We focused on the analysis of the generated network traffic and events registered by mobile devices. As our results show, such data analysis and searching for patterns left by malicious software in today’s reality can no longer remain an efficient tool for the detection of such threats. The results highlight the need for further research and improvement of techniques for the detection of mobile botnet members to improve the efficiency and accuracy of their identification. This article also describes possible reasons for the lack of unambiguous results and presents proposals for further research.
Chapter
Android devices can now offer a wide range of services. They support a variety of applications, including those for banking, business, health, and entertainment. The popularity and functionality of Android devices, along with the open-source nature of the Android operating system, have made them a prime target for attackers. One of the most dangerous types of malware is the Android botnet, which an attacker known as a botmaster can remotely control to launch destructive attacks. This paper investigates Android botnets by using static analysis to extract features from reverse-engineered applications. Furthermore, this article delivers a new dataset of Android apps, including botnet or benign, and an optimized multilayer perceptron neural network (MLP) for detecting botnets infected by malware based on the permissions of the apps. Experimental results show that the proposed methodology is both practical and effective while outperforming other standard classifiers in various evaluation metrics.
Keywords: Android Malware detection, Botnets, Neural Networks, New dataset
Conference Paper
Android, being the most widespread mobile operating system, is increasingly becoming a target for malware. Malicious apps designed to turn mobile devices into bots that may form part of a larger botnet have become quite common, thus posing a serious threat. This calls for more effective methods to detect botnets on the Android platform. Hence, in this paper, we present a deep learning approach for Android botnet detection based on Convolutional Neural Networks (CNN). Our proposed botnet detection system is implemented as a CNN-based model that is trained on 342 static app features to distinguish between botnet apps and normal apps. The trained botnet detection model was evaluated on a set of 6,802 real applications containing 1,929 botnets from the publicly available ISCX botnet dataset. The results show that our CNN-based approach had the highest overall prediction accuracy compared to other popular machine learning classifiers. Furthermore, the performance results observed from our model were better than those reported in previous studies on machine learning based Android botnet detection.
Article
Botnets are vectors through which hackers can seize control of multiple systems and conduct malicious activities. Researchers have proposed multiple solutions to detect and identify botnets in real time. However, these proposed solutions have difficulties in keeping pace with the rapid evolution of botnets. This paper proposes a model for detecting botnets using deep learning to identify zero-day botnet attacks in real time. The proposed model is trained and evaluated on a CTU-13 dataset with multiple neural network designs and hidden layers. Results demonstrate that the deep-learning artificial neural network model can accurately and efficiently identify botnets.
Article
Support vector machine (SVM) is a renowned machine learning technique, which has been successfully applied to solve many practical pattern classification problems. One of the difficulties in successful implementation of SVM is its different parameters (i.e., kernel parameter(s), penalty parameter (C) and the features available in the dataset), which should be well adjusted during the training process. In this paper, a new approach called smart adaptive particle swarm optimization–support vector machine (SAPSO–SVM) is developed to adapt the parameters of optimization algorithm (i.e., inertia weight and acceleration coefficients) to the latest changes in the search space, so that each particle explicitly explores the search space based on the latest changes made to Personal best, Global best and other particle locations. In this algorithm, using the changes in Personal best and Global best at each stage of execution, the new evolution factor values are designated and the interference of the intervals of inertia weight is eradicated. Then, the states of each particle (i.e., convergence, exploitation, exploration, jumping-out) at each stage of administration, based on the interval weights, are specified accurately. By fine tuning the parameters of SAPSO, this algorithm can acquire the best optimal responses for SVM parameters. The results obtained from the SAPSO–SVM method demonstrate the superiority of this method in four different measures (i.e., sensitivity, specificity, precision, accuracy) in comparison with the other three similar ones. Finally, the top 20 features of Android botnets are somehow introduced by the proposed approach and three other approaches; firstly, these features are not encrypted by Android botnets, and secondly, are selected based on the best results.
Article
Botnets have recently been identified as serious Internet threats that are continually developing and expanding. Identifying botnets in the domain of network security is regarded as a new challenge and topic for research. There are several methods for detecting botnets in networks, and prior research has encountered problems, including a high error and inaccuracy in detection. In this paper, the botnet detection method by using a hybrid of particle swarm optimization (PSO) algorithm with a voting system (BD-PSO-V) was used to improve the challenges of previous studies. The PSO algorithm was employed to select outstanding and effective features in the detection of botnets. The voting system, including a deep neural network algorithm, support vector machine (SVM), and decision tree C4.5, was utilized to identify botnets and classify samples. The decision-making strategy of the voting system was based on maximum votes, and the most important innovation of this research was to combine the PSO feature selection algorithm with a voting system using deep learning to identify botnets. Two datasets, ISOT and Bot-IoT, were employed to further verify the BD-PSO-V system performance. BD-PSO-V simulation improved the accuracy by an average of 0.42% and 0.17% in the ISOT dataset and the Bot-IoT dataset, respectively, compared to the other methods investigated. In addition, the effect of six well-known adversarial attacks on both datasets was evaluated. Despite a slight drop in accuracy rate, BD-PSO-V results had a promising performance against a variety of attacks.
Article
A mobile botnet is malicious software which, as an advanced version of a botnet, can perform destructive functions such as stealing important information, Denial of Service attacks, sending malicious code through Short Message Service (SMS), eavesdropping and, recently, electronic cryptocurrency mining. Hyper Text Transfer Protocol, SMS, and Bluetooth are three protocols which are used by mobile botnets to communicate. The Android Operating System (OS) has the largest number of users among smartphone OSs. In addition, it is an open-source OS, which allows attackers to exploit the bugs of the OS. However, there is no standard dataset which contains most Android botnet families. Therefore, the present study attempted to create a 28 Standard Android Botnet Dataset (28-SABD). Hence, 14 families of Android botnets including 1929 Android applications were exploited and their traffic was captured in execution and background manner. A small percentage of the captured data was labeled by a signature-based method. Then, the ensemble K-Nearest Neighbors (KNN) technique was used in order to improve the accuracy of the labels assigned by the signature-based method. As a result, the training dataset with reliable labels and the test dataset without labels were created. Finally, the remainder of the captured data (test dataset) was labeled using an ensemble Semi-Supervised KNN algorithm and the training dataset. Simulation results also indicated that more than 14 million packets of Android botnet traffic were collected to create 28-SABD. The data were also assigned labels with more than 94% accuracy.
Conference Paper
The recent growth of the Internet of Things (IoT) has resulted in a rise in IoT-based DDoS attacks. This paper presents a solution to the detection of botnet activity within consumer IoT devices and networks. A novel application of Deep Learning is used to develop a detection model based on a Bidirectional Long Short-Term Memory-based Recurrent Neural Network (BLSTM-RNN). Word Embedding is used for text recognition and conversion of attack packets into tokenised integer format. The developed BLSTM-RNN detection model is compared to an LSTM-RNN for detecting four attack vectors used by the Mirai botnet, and evaluated for accuracy and loss. The paper demonstrates that although the bidirectional approach adds overhead to each epoch and increases processing time, it proves to be a better progressive model over time. A labelled dataset was generated as part of this research, and is available upon request.
Article
The ubiquitous nature of smartphone services and the popularity of online social networking can be a lethal combination that spreads malware and computer viruses in a quick and efficient manner to a large number of Internet users. In this article, we propose a new cellular botnet named SoCellBot that exploits online social networks (OSNs) to recruit bots and uses OSN messaging systems as communication channels between bots. Our proposed botnet is the first that uses the OSN platform as a means to recruit and control mobile cellular bots. The structure and characteristics of OSNs make this botnet harder to detect, more resilient to bot failures and more cost-effective to cellular bots. We present a comprehensive study of this new type of botnet in this article. We first analyze the characteristics of the botnet via simulations. We then present an analytical model to estimate the number of infected users (smart phones) over time. We also provide a real-life implementation of the botnet on a small-scale social network as proof of concept. Finally, we study and recommend effective mechanisms to detect recruitment malware spread by such a botnet in its early stages of propagation. The objective of this work is to raise awareness of new mobile botnets that exploit OSNs to recruit and control bots so that preventive measures can be implemented to deter this kind of attack in the future.
Chapter
Nowadays online social networking is becoming one of the options for botnet command and control (C&C) communication, and QR codes have been widely used in the area of software automation. In this paper, we orchestrate QR codes, Twitter, the Tor network, and a domain generation algorithm to build a new generation of botnet with high recovery capability and stealthiness. Unlike the traditional centralized botnet, our design achieves dynamic C&C communication channels with no single point of failure. In our design, no cryptographic key is hard-coded on bots. Instead, we exploit a domain generation algorithm to produce dynamic symmetric keys and QR codes as the medium to transport dynamic asymmetric keys. By using this approach, botnet C&C communication payload can be ensured in terms of randomization and confidentiality. We implement our design via Twitter and the real-world Tor network. According to the experiment results, our design is capable of performing C&C communication with low data and minimal CPU usage. The goal of our work is to draw defenders’ attention to the cyber abuse of online social networking and the Tor network; especially, the searching feature in online social networks provides a covert meet-up channel, and needs to be investigated as soon as possible. Finally, we discuss several potential countermeasures to defeat our botnet design.