Shuhan Chen,Congqi Shen,Danrui Yu,Yuqin Wu,Chunming Wu

DOI: https://doi.org/10.1109/isncc52172.2021.9615889

2021-01-01

Abstract:Botnets provide a fundamental infrastructure for various kinds of network attacks, such as DDoS attack, etc. Detecting DDoS attack in botnet is a long-standing challenge. In this paper, we propose a novel method to detect DDoS attack in botnet through the analysis of packet forwarding and network traffic. The primary idea is to collect features from both overall network traffic and packet to describe the attack pattern and conduct a detection model with high accuracy. Firstly, apart from overall network traffic, we calculate several statistics related to looking up functions of flow tables during packet forwarding on switches to describe attack pattern. Secondly, these features are put into a deep learning model to detect DDoS attack. We perform evaluations under Software Defined Networking (SDN) paradigm. In particular, we compare the proposed method with traditional methods. The experimental results demonstrate that the proposed method is meaningful in improving the accuracy of DDoS attack detection by adding packet-level features extracted from packet forwarding.

Jiawei Zhou,Zhiying Xu,Alexander M. Rush,Minlan Yu

DOI: https://doi.org/10.48550/arXiv.2003.06344

2020-03-13

Abstract:Botnets are now a major source for many network attacks, such as DDoS attacks and spam. However, most traditional detection methods heavily rely on heuristically designed multi-stage detection criteria. In this paper, we consider the neural network design challenges of using modern deep learning techniques to learn policies for botnet detection automatically. To generate training data, we synthesize botnet connections with different underlying communication patterns overlaid on large-scale real networks as datasets. To capture the important hierarchical structure of centralized botnets and the fast-mixing structure for decentralized botnets, we tailor graph neural networks (GNN) to detect the properties of these structures. Experimental results show that GNNs are better able to capture botnet structure than previous non-learning methods when trained with appropriate data, and that deeper GNNs are crucial for learning difficult botnet topologies. We believe our data and studies can be useful for both the network security and graph learning communities.

Cryptography and Security,Machine Learning

Tanzeela Altaf,Xu Wang,Wei Ni,Guangsheng Yu,Ren Ping Liu,Robin Braun

DOI: https://doi.org/10.3390/electronics13122274

IF: 2.9

2024-06-11

Electronics

Abstract:This research introduces a novel framework utilizing a sequential gated graph convolutional neural network (GGCN) designed specifically for botnet detection within Internet of Things (IoT) network environments. By capitalizing on the strengths of graph neural networks (GNNs) to represent network traffic as complex graph structures, our approach adeptly handles the temporal dynamics inherent to botnet attacks. Key to our approach is the development of a time-stamped multi-edge graph structure that uncovers subtle temporal patterns and hidden relationships in network flows, critical for recognizing botnet behaviors. Moreover, our sequential graph learning framework incorporates time-sequenced edges and multi-edged structures into a two-layered gated graph model, which is optimized with specialized message-passing layers and aggregation functions to address the challenges of time-series traffic data effectively. Our comparative analysis with the state of the art reveals that our sequential gated graph convolutional neural network achieves substantial improvements in detecting IoT botnets. The proposed GGCN model consistently outperforms the conventional model, achieving improvements in accuracy ranging from marginal to substantial—0.01% for BoT IoT and up to 25% for Mirai. Moreover, our empirical analysis underscores the GGCN's enhanced capabilities, particularly in binary classification tasks, on imbalanced datasets. These findings highlight the model's ability to effectively navigate and manage the varying complexity and characteristics of IoT security threats across different datasets.

engineering, electrical & electronic,physics, applied,computer science, information systems

Jing Wang,Ioannis Ch. Paschalidis

DOI: https://doi.org/10.48550/arXiv.1503.02337

2015-03-09

Abstract:Signature-based botnet detection methods identify botnets by recognizing Command and Control (C\&C) traffic and can be ineffective for botnets that use new and sophisticate mechanisms for such communications. To address these limitations, we propose a novel botnet detection method that analyzes the social relationships among nodes. The method consists of two stages: (i) anomaly detection in an "interaction" graph among nodes using large deviations results on the degree distribution, and (ii) community detection in a social "correlation" graph whose edges connect nodes with highly correlated communications. The latter stage uses a refined modularity measure and formulates the problem as a non-convex optimization problem for which appropriate relaxation strategies are developed. We apply our method to real-world botnet traffic and compare its performance with other community detection methods. The results show that our approach works effectively and the refined modularity measure improves the detection accuracy.

Social and Information Networks,Physics and Society

Rongrong Jiang,Zhengqiu Weng,Lili Shi,Erxuan Weng,Hongmei Li,Weiqiang Wang,Tiantian Zhu,Wuzhao Li

DOI: https://doi.org/10.1002/cpe.8258

2024-08-17

Concurrency and Computation Practice and Experience

Abstract:Summary With the development of the Internet of Things (IoT), the number of terminal devices is rapidly growing and at the same time, their security is facing serious challenges. For the industrial control system, there are challenges in detecting and preventing botnet. Traditional detection methods focus on capturing and reverse analyzing the botnet programs first and then parsing the extracted features from the malicious code or attacks. However, their accuracy is very low and their latency is relatively high. Moreover, they sometimes even cannot recognize the unknown botnets. The machine learning based detection methods rely on manual feature engineering and have a weak generalization. The deep learning‐based methods mostly rely on the system log, which does not take into account the multisource information such as traffic. To address the above issues, from the perspective of the botnet features, this paper proposes an intelligent detection method over parallel CNN‐LSTM, integrating the spatial and temporal features to identify botnets. Experimental demonstrate that the accuracy, recall, and F1‐score of our proposed method achieve up to over 98%, and the precision, 97.8%, is not the highest but reasonable. It reveals compared with the existing start‐of‐the‐art methods, our proposed method outperforms in the botnet detection. Our methodology's strength lies in its ability to harness the multifaceted information present in IoT traffic, offering a more nuanced and comprehensive analysis. The parallel CNN‐LSTM architecture ensures that spatial and temporal data are processed concurrently, preserving the integrity of the information and enabling a more robust detection mechanism. The result is a detection system that not only performs exceptionally well in a controlled environment but also holds promise for real‐world application, where the rapid and accurate identification of botnets is paramount.

computer science, theory & methods, software engineering

Yuhao Yan,Bo Lang,Xiaoyuan Meng,Nan Xiao

DOI: https://doi.org/10.1109/tifs.2024.3453172

IF: 7.231

2024-09-11

IEEE Transactions on Information Forensics and Security

Abstract:Botnet is one of the main threats to cybersecurity because of its concealment and hazardous nature, especially in autonomous systems (ASs), such as campus networks. Graph-based detection methods are attracting increasing attention due to their ability to find and use the topological features of botnets. However, constructing or obtaining a botnet dataset is always difficult, and almost all existing public datasets suffer from extreme imbalances and poor authenticity, which makes training graph-based detection models challenging. To address these problems, we propose a role-based multistage growth method for generating AS botnet datasets, which is scalable and efficient. Our method generates a background communication graph based on complex network theory, models botnet behaviors by building a state machine, and generates the traffic of botnets. The experimental results show that our method can effectively restore the AS communication graph, and the generated datasets can significantly improve the performance of various graph-based detection models. Our generated dataset is available at https://github.com/Yebmoon/Botnet-graph-dataset.

computer science, theory & methods,engineering, electrical & electronic

Yalu Wang,Jie Li,Wei Zhao,Zhijie Han,Hang Zhao,Lei Wang,Xin He

DOI: https://doi.org/10.3390/rs15143611

IF: 5

2023-07-21

Remote Sensing

Abstract:With the rapid development of the Internet of Things (IoT)-based near-Earth remote sensing technology, the problem of network intrusion for near-Earth remote sensing systems has become more complex and large-scale. Therefore, seeking an intelligent, automated, and robust network intrusion detection method is essential. Many researchers have researched network intrusion detection methods, such as traditional feature-based and machine learning methods. In recent years, network intrusion detection methods based on graph neural networks (GNNs) have been proposed. However, there are still some practical issues with these methods. For example, they have not taken into consideration the characteristics of near-Earth remote sensing systems, the state of the nodes, and the temporal features. Therefore, this article analyzes the factors of existing near-Earth remote sensing systems and proposes a spatio-temporal graph attention network (N-STGAT) that considers the state of nodes and applies them to the network intrusion detection of near-Earth remote sensing systems. Finally, the proposed method in this article is validated using the latest flow-based datasets NF-BoT-IoT-v2 and NF-ToN-IoT-v2. The results demonstrate that the binary classification accuracy for network intrusion detection exceeds 99%, while the multi-classification accuracy exceeds 93%. These findings provide substantial evidence that the proposed method outperforms existing intrusion detection techniques.

environmental sciences,imaging science & photographic technology,remote sensing,geosciences, multidisciplinary

Yalu Wang,Jie Li,Wei Zhao,Zhijie Han,Hang Zhao,Lei Wang,Xin He

DOI: https://doi.org/10.3390/rs15143611

IF: 5

2023-01-01

Remote Sensing

Abstract:With the rapid development of the Internet of Things (IoT)-based near-Earth remote sensing technology, the problem of network intrusion for near-Earth remote sensing systems has become more complex and large-scale. Therefore, seeking an intelligent, automated, and robust network intrusion detection method is essential. Many researchers have researched network intrusion detection methods, such as traditional feature-based and machine learning methods. In recent years, network intrusion detection methods based on graph neural networks (GNNs) have been proposed. However, there are still some practical issues with these methods. For example, they have not taken into consideration the characteristics of near-Earth remote sensing systems, the state of the nodes, and the temporal features. Therefore, this article analyzes the factors of existing near-Earth remote sensing systems and proposes a spatio-temporal graph attention network (N-STGAT) that considers the state of nodes and applies them to the network intrusion detection of near-Earth remote sensing systems. Finally, the proposed method in this article is validated using the latest flow-based datasets NF-BoT-IoT-v2 and NF-ToN-IoT-v2. The results demonstrate that the binary classification accuracy for network intrusion detection exceeds 99%, while the multi-classification accuracy exceeds 93%. These findings provide substantial evidence that the proposed method outperforms existing intrusion detection techniques.

Fatma Zafar,Shivank Soni

DOI: https://doi.org/10.24113/ijoscience.v10i3.513

2024-03-28

SMART MOVES JOURNAL IJOSCIENCE

Abstract:This paper presents a comprehensive approach to botnet detection in Internet of Things (IoT) networks through the development and evaluation of a Generative Adversarial Network (GAN) augmented machine learning model. The methodology encompasses a multi-step process, starting with data collection and pre-processing, including feature extraction, normalization, and handling missing values. To address the challenge of data imbalance, a novel application of GANs is proposed. For classification of network traffic into botnet and legitimate traffic is performed using xgboost. The performance of the proposed model is rigorously evaluated using the N-BaIoT dataset, demonstrating its effectiveness through high accuracy, precision, recall, and F1-score metrics. The results indicate significant improvements over existing models, showcasing the potential of the proposed methodology in enhancing IoT network security against botnet threats.

S K Khaja Shareef,R Krishna Chaitanya,Srinivasulu Chennupalli,Devi Chokkakula,K V D Kiran,Udayaraju Pamula,Ramesh Vatambeti

DOI: https://doi.org/10.1038/s41598-024-67865-2

2024-07-26

Abstract:The Internet of Things (IoT) permeates various sectors, including healthcare, smart cities, and agriculture, alongside critical infrastructure management. However, its susceptibility to malware due to limited processing power and security protocols poses significant challenges. Traditional antimalware solutions fall short in combating evolving threats. To address this, the research work developed a feature selection-based classification model. At first stage, a preprocessing stage enhances dataset quality through data smoothing and consistency improvement. Feature selection via the Zebra Optimization Algorithm (ZOA) reduces dimensionality, while a classification phase integrates the Graph Attention Network (GAN), specifically the Dual-channel GAN (DGAN). DGAN incorporates Node Attention Networks and Semantic Attention Networks to capture intricate IoT device interactions and detect anomalous behaviors like botnet activity. The model's accuracy is further boosted by leveraging both structural and semantic data with the Sooty Tern Optimization Algorithm (STOA) for hyperparameter tuning. The proposed STOA-DGAN model achieves an impressive 99.87% accuracy in botnet activity classification, showcasing robustness and reliability compared to existing approaches.

Yixuan Wu,Laisen Nie,Shupeng Wang,Zhaolong Ning,Shengtao Li

DOI: https://doi.org/10.1109/jiot.2021.3112159

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:With the rapid advance of Internet of Things (IoT), it is difficult for cloud-centric computing to meet the requirements of low latency and ease of use. As an open and distributed system, edge computing integrates computing, networking, storage, and applications. It provides intelligent services on the edge of an IoT. The edge network is composed of various wireless and wired networks, and the computing and storage resources of edge nodes are limited. These conditions make the edge network expose to a variety of cyber attacks. Additionally, it is difficult for an IoT edge node to support large-scale network data collection and detection for IoT security. Although big data-enabled intrusion detection algorithms can ensure the high accuracy of intrusion detection systems, it is stressful for resource-limited edge nodes to implement those algorithms in IoT. Motivated by these challenges, we propose an intelligent intrusion detection algorithm implemented by big data mining based on a fuzzy rough set, generative adversarial network (GAN), and convolutional neural network (CNN). In our method, we first propose a fuzzy rough set-based algorithm to perform feature selection for big data via IoT. Then, we take advantage of the efficient feature extraction capabilities of CNN for implementing intrusion detection based on selected features. Furthermore, after combining CNN and GAN, we propose an intelligent algorithm to realize intrusion detection in a variety of scenarios. Finally, the proposed method is compared with existing methods for evaluation. Simulation results show that our method has up to 4% higher accuracy than existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Pedro Camelo,Joao Moura,Ludwig Krippahl

DOI: https://doi.org/10.48550/arXiv.1410.8747

2014-10-31

Cryptography and Security

Abstract:Botnets represent a global problem and are responsible for causing large financial and operational damage to their victims. They are implemented with evasion in mind, and aim at hiding their architecture and authors, making them difficult to detect in general. These kinds of networks are mainly used for identity theft, virtual extortion, spam campaigns and malware dissemination. Botnets have a great potential in warfare and terrorist activities, making it of utmost importance to take action against. We present CONDENSER, a method for identifying data generated by botnet activity. We start by selecting appropriate the features from several data feeds, namely DNS non-existent domain responses and live communication packages directed to command and control servers that we previously sinkholed. By using machine learning algorithms and a graph based representation of data, then allows one to identify botnet activity, helps identifying anomalous traffic, quickly detect new botnets and improve activities of tracking known botnets. Our main contributions are threefold: first, the use of a machine learning classifier for classifying domain names as being generated by domain generation algorithms (DGA); second, a clustering algorithm using the set of selected features that groups network communication with similar patterns; third, a graph based knowledge representation framework where we store processed data, allowing us to perform queries.

Mohammed S. Alshehri,Jawad Ahmad,Sultan Almakdi,Mimonah Al Qathrady,Yazeed Yasin Ghadi,William J. Buchanan

DOI: https://doi.org/10.1109/access.2024.3371992

IF: 3.9

2024-03-12

IEEE Access

Abstract:The rise of Internet of Things (IoT) has led to increased security risks, particularly from botnet attacks that exploit IoT device vulnerabilities. This situation necessitates effective Intrusion Detection Systems (IDS), that are accurate, lightweight, and fast (having less inference time), designed particularly to detect botnet attacks in resource constrained IoT devices. This paper proposes SkipGateNet, a novel deep learning model designed for detecting Mirai and Bashlite botnet attacks in resource constrained IoT and fog computing environments. SkipGateNet is a lightweight, fast model combining 1D-Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM) layers. The novelty of this model lies in the integration of 'Learnable Skip Connections'. These connections feature gating mechanisms that enhance detection by focusing on relevant features and ignoring irrelevant ones. They add adaptability to the architecture, performing feature selection and propagating only essential features to deeper layers. Tested on the N-BaIoT dataset, SkipGateNet efficiently detects ten types of botnet attacks, with a remarkable test accuracy of 99.91%. It is also compact (2596.87 KB) and demonstrates a quick inference time of 8.0 milliseconds, suitable for real-time implementation in resource-limited settings. While evaluating its performance, parameters like precision, recall, accuracy, and F1 score were considered, along with statistical reliability measures like Cohen's Kappa Coefficient and Matthews Correlation Coefficient. These highlight its reliability and effectiveness in IoT security challenges. The paper also compares SkipGateNet to existing models and four other deep learning architectures, including two sequential CNN architectures, a simple CNN+LSTM architecture, and a CNN+LSTM with standard skip connections. SkipGateNet surpasses all in accuracy and inference time, demonstrating its superiority in addressing IoT security issues.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shuhao Shi,Kai Qiao,Chen,Jie Yang,Jian Chen,Bin Yan

DOI: https://doi.org/10.1145/3589335.3651544

2024-01-01

Abstract:The presence of a large number of bots in Online Social Networks (OSN) leads to undesirable social effects. Graph neural networks (GNNs) are effective in detecting bots as they utilize user interactions. However, class-imbalanced issues can affect bot detection performance. To address this, we propose an over-sampling strategy for GNNs (OS-GNN) that generates samples for the minority class without edge synthesis. First, node features are mapped to a feature space through neighborhood aggregation. Then, we generate samples for the minority class in the feature space. Finally, the augmented features are used to train the classifiers. This framework is general and can be easily extended into different GNN architectures. The proposed framework is evaluated using three real-world bot detection benchmark datasets, and it consistently exhibits superiority over the baselines.

Abdelaziz Amara korba,Aleddine Diaf,Yacine Ghamri-Doudane

2024-07-22

Abstract:In the rapidly evolving landscape of cyber threats targeting the Internet of Things (IoT) ecosystem, and in light of the surge in botnet-driven Distributed Denial of Service (DDoS) and brute force attacks, this study focuses on the early detection of IoT bots. It specifically addresses the detection of stealth bot communication that precedes and orchestrates attacks. This study proposes a comprehensive methodology for analyzing IoT network traffic, including considerations for both unidirectional and bidirectional flow, as well as packet formats. It explores a wide spectrum of network features critical for representing network traffic and characterizing benign IoT traffic patterns effectively. Moreover, it delves into the modeling of traffic using various semi-supervised learning techniques. Through extensive experimentation with the IoT-23 dataset - a comprehensive collection featuring diverse botnet types and traffic scenarios - we have demonstrated the feasibility of detecting botnet traffic corresponding to different operations and types of bots, specifically focusing on stealth command and control (C2) communications. The results obtained have demonstrated the feasibility of identifying C2 communication with a 100% success rate through packet-based methods and 94% via flow based approaches, with a false positive rate of 1.53%.

Cryptography and Security,Artificial Intelligence

Hongyu Yang,Zelin Wang,Liang Zhang,Xiang Cheng

DOI: https://doi.org/10.1002/int.23074

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:The existing botnet detection methods have the problems of uneven sampling, poor feature selection, and weak generalization ability, resulting in low detection and classification results and poor adaptability to the internet of things (IoT) environment with limited computing and storage resources. This paper proposes an IoT botnet detection method using feature reconstruction and interval optimization to solve the above problems. Through the designed address triple and time window-based IP aggregation and feature reconstruction method (ATTW-IP-FR), the network traffic samples obtained from the IoT gateway are integrated, and the flow features are reconstructed to attain the reconstructed sample set. The proposed self-corrected hybrid weighted sampling algorithm balances the normal and botnet flow samples in the reconstructed sample set to get the resampling sample set. The introduced multiattribute decision-making and adjacency relation chain-based sequential forward selection algorithm is applied to eliminate the redundant features in the resampling sample set, and the optimal feature subset is obtained. The resampling sample set filtered by the optimal feature subset is detected and classified through the designed two-stage hybrid heterogeneous model optimized by the intermittent chaos and bald eagle search algorithm-based interval optimization algorithm. The experimental results show that the proposed method effectively detects the botnet in two real IoT scenarios. The detection accuracy is 99.17% $ \% $, the Matthews correlation coefficient is 98.35% $ \% $, the false positive rate is 0.25% $ \% $, and the false negative rate is 1.27% $ \% $, which are better than the existing methods. This method can effectively reduce sampling and feature selection time and space overhead and better adapt to the resource-constrained IoT environment.

Ganesh Subramaniam,Huan Chen,Ravi Varadhan,Robert Archibald

DOI: https://doi.org/10.48550/arXiv.2108.08924

2021-08-19

Cryptography and Security

Abstract:Cybersecurity, security monitoring of malicious events in IP traffic, is an important field largely unexplored by statisticians. Computer scientists have made significant contributions in this area using statistical anomaly detection and other supervised learning methods to detect specific malicious events. In this research, we investigate the detection of botnet command and control (C&C) hosts in massive IP traffic. We use the NetFlow data, the industry standard for monitoring of IP traffic for exploratory analysis and extracting new features. Using statistical as well as deep learning models, we develop a statistical intrusion detection system (SIDS) to predict traffic traces identified with malicious attacks. Employing interpretative machine learning techniques, botnet traffic signatures are derived. These models successfully detected botnet C&C hosts and compromised devices. The results were validated by matching predictions to existing blacklists of published malicious IP addresses.

Guimin Dong,Mingyue Tang,Zhiyuan Wang,Jiechao Gao,Sikun Guo,Lihua Cai,Robert Gutierrez,Bradford Campbel,Laura E. Barnes,Mehdi Boukhechba

DOI: https://doi.org/10.1145/3565973

2023-04-05

ACM Transactions on Sensor Networks

Abstract:The Internet of Things (IoT) boom has revolutionized almost every corner of people’s daily lives: healthcare, environment, transportation, manufacturing, supply chain, and so on. With the recent development of sensor and communication technology, IoT artifacts, including smart wearables, cameras, smartwatches, and autonomous systems can accurately measure and perceive their surrounding environment. Continuous sensing generates massive amounts of data and presents challenges for machine learning. Deep learning models (e.g., convolution neural networks and recurrent neural networks) have been extensively employed in solving IoT tasks by learning patterns from multi-modal sensory data. Graph neural networks (GNNs), an emerging and fast-growing family of neural network models, can capture complex interactions within sensor topology and have been demonstrated to achieve state-of-the-art results in numerous IoT learning tasks. In this survey, we present a comprehensive review of recent advances in the application of GNNs to the IoT field, including a deep dive analysis of GNN design in various IoT sensing environments, an overarching list of public data and source codes from the collected publications, and future research directions. To keep track of newly published works, we collect representative papers and their open-source implementations and create a Github repository at GNN4IoT.

computer science, information systems,telecommunications

Deepa Krishnan,Pravin Shrinath

DOI: https://doi.org/10.1007/s13369-024-08742-y

IF: 2.807

2024-02-15

Arabian Journal for Science and Engineering

Abstract:The detection of security attacks holds significant importance in IoT networks, primarily due to the escalating number of interconnected devices and the sensitive nature of the transmitted data. This paper introduces a novel methodology designed to identify both known and unknown attacks within IoT networks. For the identification of known attacks, our proposed approach employs a stacked multi-classifier trained with classwise features. To address the challenge of highly imbalanced classes without resorting to resampling, we utilize the Localized Generalized Matrix Learning Vector Quantization (LGMLVQ) approach to select the most relevant features for each class. The efficacy of this model is evaluated using the widely recognized NF-BoT-IoT dataset, demonstrating an impressive accuracy score of 99.9952%.. The proposed study also focuses on detecting unseen attacks leveraging a shallow autoencoder, employing the technique of reconstruction error thresholding. The efficiency of this approach is evaluated using benchmark datasets. namely NF-ToN-IoT and NF-CSE-CIC-IDS 2018. The model's performance on previously unseen samples is noteworthy, with an average accuracy, precision, recall and F1-Score of 93.715%, 99.955%,90.865% and 95.145%, respectively. The proposed work presents significant contributions to IoT security by proposing a comprehensive solution with demonstrated performance in detecting both known and unknown attacks in the context of imbalanced data.

multidisciplinary sciences