Abstract
It is hard to detect botnets due to their distributed structure and the intensity of their attacks. These attacks are typically executed in groups, where numerous compromised hosts act together in synchronized activities. To address this challenge, analyzing network activity at the group level has emerged as a promising approach. In this work, we developed a dataset by extracting network activity from three widely used botnet datasets (CTU-13, NCC, and NCC-2). The traffic was grouped based on host identities and activity time intervals, and the results were structured as a graph representation rather than visual output, where vertices denote hosts and edges represent communications between them. From each graph, a range of metadata features was derived and compiled into a tabular format. The final dataset consists of two complementary perspectives: in-degree, capturing the volume of incoming activity (information received by a node), and out-degree, capturing the volume of outgoing activity (information sent by a node). This dataset produced over 27 million instances of normal activity groups and >57 instances of botnet activity groups based on in-degree analysis. Additionally, there were over 19 million normal activity groups and >384 botnet activity groups identified through out-degree analysis. These data points represent the cumulative results derived from analyzing 13 subsets from the CTU-13 dataset, 13 subsets from the NCC dataset, and 3 subsets from the NCC-2 dataset. This dataset provides a realistic, graph-based, and group-oriented perspective on botnet behavior that has been largely absent from existing resources. It offers a novel benchmark for developing and evaluating detection models focused on group activities and supports research in graph-based machine learning and anomaly detection.
However, there are some limitations to consider: grouping by time intervals may mask specific behaviors of individual hosts, and visual representations may miss important details, like the ports used. Thus, while this dataset is an important advancement in the field of group-based botnet detection, caution is advised when applying these results to changing or unknown botnet behaviors.
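The grouping and graph-to-table step described in the abstract, as an added example that is not the authors' code: flows are bucketed by time interval, each bucket becomes a directed host graph, and in-degree and out-degree rows are emitted per host and interval. The 60-second window, the tuple layout, and the feature names (`degree`, `flows`, `bytes`) are assumptions, and the flows are constructed sample data.

```python
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed interval length; the page does not state one

# Constructed sample flows: (start_time_s, src, dst, sport, dport, total_bytes)
FLOWS = [
    (0,  "192.0.2.10", "198.51.100.5", 40001, 6667, 120),
    (5,  "192.0.2.11", "198.51.100.5", 40002, 6667, 130),
    (9,  "192.0.2.12", "198.51.100.5", 40003, 6667, 110),
    (12, "192.0.2.10", "198.51.100.5", 40004, 6667, 90),
    (30, "192.0.2.20", "203.0.113.8", 51000, 443, 4000),
    (61, "198.51.100.5", "192.0.2.10", 6667, 40001, 60),
    (62, "198.51.100.5", "192.0.2.11", 6667, 40002, 60),
    (63, "198.51.100.5", "192.0.2.12", 6667, 40003, 60),
]


def build_window_graphs(flows, window=WINDOW_SECONDS):
    """Group flows by time window: {window: {(src, dst): [flow_count, bytes]}}."""
    graphs = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for start, src, dst, _sport, _dport, nbytes in flows:
        edge = graphs[int(start // window)][(src, dst)]  # ports are dropped here
        edge[0] += 1
        edge[1] += nbytes
    return graphs


def degree_table(graphs, direction):
    """Flatten graphs into rows keyed by (window, host) for 'in' or 'out' degree."""
    rows = {}
    for win, edges in graphs.items():
        for (src, dst), (count, nbytes) in edges.items():
            host, peer = (dst, src) if direction == "in" else (src, dst)
            row = rows.setdefault((win, host), {"peers": set(), "flows": 0, "bytes": 0})
            row["peers"].add(peer)
            row["flows"] += count
            row["bytes"] += nbytes
    return [
        {"window": w, "host": h, "degree": len(r["peers"]), "flows": r["flows"], "bytes": r["bytes"]}
        for (w, h), r in sorted(rows.items())
    ]


if __name__ == "__main__":
    for row in degree_table(build_window_graphs(FLOWS), "in"):
        print(row)
```

In the constructed data, three hosts contacting one peer inside the same window surface as a single in-degree row with degree 3, while the destination port they share no longer appears in the table.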