Development of a Multimodal Testbed for Dataset Collection in Detecting DGA-based Botnet Attacks Using DNS Queries, Network Traffic, and CPU Power Consumption

Authors

  • Zul-Azri Ibrahim
  • Saiful Adli Ismail
  • Fiza Abdul Rahim
  • Salman Yussof
  • Muhammad Idris Khairul Anuar
  • Aiman Harith Azwan
  • Muhammad Hazim Abas

Keywords:

Dataset, DGA Botnet, Multimodal, IoT, Testbed

Abstract

The detection of Domain Generation Algorithm (DGA)-based botnets in Internet of Things (IoT) environments poses significant challenges due to the dynamic and evasive nature of these botnets. Traditional detection approaches that rely primarily on single data sources such as DNS logs or network traffic often fail to capture the complex, multi-stage behavior of modern botnets. This research presents the development of a dedicated IoT-focused testbed designed to capture a comprehensive multimodal dataset integrating DNS query logs, network traffic data, and CPU power consumption. The primary contribution of this work is the creation of a phase-labelled dataset that categorizes data into three distinct stages: Normal operation, Command and Control (C&C) communication, and Attack execution. This structured labelling provides valuable temporal insights into botnet behavior and supports the development of machine learning models with early-stage detection capability, potentially identifying threats during the C&C phase, before the attacks are launched. Initial analysis and visualizations of the collected data reveal distinct behavioral patterns across power consumption, DNS activity, and network traffic. Notable findings include the identification of highly correlated features within the network traffic and DNS query datasets, together with observable phase-dependent variations in CPU power consumption corresponding to different botnet activity stages. These insights suggest that integrating diverse data modalities can significantly enhance the accuracy and robustness of botnet detection in IoT environments.

Published

2026-06-15

How to Cite

Ibrahim, Z.-A., Ismail, S. A., Abdul Rahim, F., Yussof, S., Khairul Anuar, M. I., Azwan, A. H., & Abas, M. H. (2026). Development of a Multimodal Testbed for Dataset Collection in Detecting DGA-based Botnet Attacks Using DNS Queries, Network Traffic, and CPU Power Consumption. Open International Journal of Informatics, 14(1), 147–164. Retrieved from https://oiji.utm.my/index.php/oiji/article/view/387