Algorithm 2 Global steps of preprocessing, training, testing, and deployment

1:Collect and preprocess the data on botnet related malware samples. 2:Convert the raw data into suitable format for model input. 3:Define the hybrid CNN-LSTM model. (Input layer: Receive preprocessed data, CNN layer: Extract spatial features from dataset, LSTM layer: Capture temporal dependencies in the data sequences, Output layer: Perform prediction of botnet or non-botnet classes). 4:Split the data into training, validation, and test sets. 5:Initialize the model’s neuron weights. 6:Train the model. 7:Pass the training data through the model. 8:Adjust the model weights using gradient backpropagation to minimize prediction error. 9:Repeat these steps on the training data until maximum performance is achieved. 10:Evaluate the model. 11:Use the validation data to assess the model’s performance on unseen data. 12:Measure performance metrics (accuracy, recall, F1-score, etc.). 13:Test the model. 14:Use the test data to evaluate the finale performance of the model. 15:Analyse the results to assess the effectiveness of botnet detection. 16:Utilize the trained model. 17:Apply the model in real-time to detect suspicious botnet activities in new traffic data. 18:Integrate the model into existing botnet detection and security tools to enhance forensics investigation capabilities.