Search Results (92)

Search Parameters:
Keywords = IoT botnet attacks

33 pages, 5099 KB  
Article
Persian Eagle: A Hybrid Machine Learning and Deep Learning Framework for High-Precision DDoS Detection in Urban Digital Infrastructures
by Hamid Yarali and Kaebeh Yaeghoobi
Information 2026, 17(7), 618; https://doi.org/10.3390/info17070618 - 23 Jun 2026
Viewed by 198
Abstract
Urban environments increasingly rely on interconnected digital infrastructures like IoT devices, SDN-enabled networks, and cloud platforms to support essential municipal services. Ensuring the resilience of these systems requires advanced, data-driven mechanisms capable of detecting and mitigating cyber disruptions. This study presents Persian Eagle, a hybrid machine learning and deep learning framework designed to enhance the cyber-resilience of urban digital infrastructures by providing high-precision detection of Distributed Denial of Service (DDoS) attacks. DDoS attacks disrupt service availability by flooding targets with massive malicious traffic orchestrated through botnets, and in critical infrastructures, disruptions can be life-threatening. The proposed framework integrates multi-stage data preprocessing, SMOTE-based class balancing, and a four-phase feature-selection pipeline combining filtering, statistical ranking, PCA, and XGBoost. Seven complementary classifiers, including Random Forest, SVM, Gaussian Naive Bayes, XGBoost, MLP, LSTM, and Autoencoder, are bonded through a stacking cooperative with a Gradient Boosting meta-learner. The framework was evaluated on CICDDoS2019 and CICIDS2017 datasets, and achieved near-perfect performance up to 99.9998% accuracy, demonstrating strong generalization across diverse attack scenarios. By offering a scalable, transparent, and data-driven detection mechanism, Persian Eagle maintains urban digital-risk management and supports the continuity and resilience of critical smart-city services.

21 pages, 574 KB  
Article
Hybrid Deep Architectures in Contrastive Latent Space: Performance Analysis of VAE-MLP, VAE-MoTE, and VAE-GAT for IoT Botnet Detection
by Hassan Wasswa and Timothy Lynar
IoT 2026, 7(2), 41; https://doi.org/10.3390/iot7020041 - 12 May 2026
Viewed by 501
Abstract
The rapid proliferation of Internet of Things (IoT) devices has significantly expanded the attack surface of modern networks, leading to a surge in IoT-based botnet attacks. Detecting such attacks remains challenging due to the high dimensionality and heterogeneity of IoT network traffic. This study proposes and evaluates three hybrid deep learning architectures for IoT botnet detection that combine representation learning with supervised classification: VAE-encoder-MLP, VAE-encoder-GAT, and VAE-encoder-MoTE. A Variational Autoencoder is initially trained to learn a compact latent representation of the high-dimensional traffic features. Subsequently, the pretrained VAE-encoder component is employed to project the data into a lower-dimensional embedding space. These embeddings are then used to train three different downstream classifiers: a multilayer perceptron (MLP), a graph attention network (GAT), and a mixture of tiny experts (MoTE) model. To further enhance representation discriminability, supervised contrastive learning is incorporated to encourage intra-class compactness and inter-class separability. The proposed architectures are evaluated on two widely studied benchmark datasets, CICIoT2022 and N-BaIoT, under both binary and multiclass classification settings. Experimental results demonstrate that all three models achieve near-perfect performance in binary attack detection, with accuracy exceeding 99.8%. In the more challenging multiclass scenario, the VAE-encoder-MLP model achieves the best overall performance, reaching accuracies of 98.55% on CICIoT2022 and 99.75% on N-BaIoT. These findings provide insights into the design of efficient and scalable deep learning architectures for IoT intrusion detection.
(This article belongs to the Special Issue Cybersecurity in the Age of the Internet of Things)

20 pages, 3072 KB  
Article
Evolving IoT Botnet Threats and Practical Honeypot Observation: A Summary Review and Experimental Study
by Rajkumar Banoth, Santosh Reddy Addula, Aruna Kranthi Godishala, Rithwik Sannapu, Guna Sekhar Sajja, Deepak Kumar, Vinay Kumar Kasula and Chaitanya Tumma
J. Cybersecur. Priv. 2026, 6(3), 82; https://doi.org/10.3390/jcp6030082 - 2 May 2026
Viewed by 722
Abstract
The rapid proliferation of Internet of Things (IoT) devices has significantly increased the attack surface for large-scale botnet operations. While previous research, including detailed analyses using Cowrie and IoTPOT frameworks, has studied IoT botnet behavior, these studies often rely on retrospective datasets, isolated protocol analyses, or hard-to-replicate setups. This paper addresses that gap with two main contributions: a structured review of ten influential IoT security studies from the USENIX Security Symposium and a confirmatory empirical experiment deploying Cowrie and IoTPOT honeypots simultaneously on a Microsoft Azure cloud-based virtual machine. Unlike earlier studies that focus on single protocols or large-scale environments, this work acts as a validation study, confirming well-known IoT botnet behaviors, including credential brute-force attacks, Mirai-style commands, and Telnet dominance, using real-time attack data collected from a reproducible, affordable cloud environment that simulates known IoT vulnerabilities (such as CVE-2016-10401, CVE-2017-17215, and CVE-2014-9222). Rather than revealing new attack methods, this study explicitly verifies the persistence of behaviors first documented almost ten years ago. The data indicates that attackers continue to exploit basic authentication flaws and reuse long-standing command sequences, confirming that core IoT vulnerabilities remain prevalent despite a decade of security research. It also highlights the ongoing gap between research progress and industry implementation. The analysis situates these findings within the broader evolution of IoT botnets, from early centralized command-and-control structures like Mirai to more resilient peer-to-peer networks that use anonymized channels and target high-wattage devices for power-grid manipulation. This study shows that small, cloud-based honeypots are valuable for continuous threat monitoring, model validation, and security assessments, providing a practical, reproducible approach for ongoing IoT security research.
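The three behaviours the honeypot study confirms (credential brute force, Mirai-style command sequences, Telnet dominance) are easy to pull out of Cowrie's JSON log once you know what to match on. The script below is an added example, not code from the paper: it parses constructed Cowrie-style events (the field names are Cowrie's, every value is made up) and reports the per-protocol session split, sources that hammer logins, hits on the default-credential list from the leaked Mirai scanner, and sessions that issue Mirai's `enable`/`system`/`shell`/`sh` preamble followed by the `/bin/busybox MIRAI` probe. The credential subset and the command sequence are taken from the public Mirai source; the brute-force threshold is an assumption.

```python
import json
from collections import Counter, defaultdict

# Constructed Cowrie-style JSON events (not real honeypot data). The field
# names eventid / src_ip / session / protocol / username / password / input
# are the ones Cowrie writes to its JSON log; every value below is made up.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"a1","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"xc3511"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"root","password":"vizxv"}
{"eventid":"cowrie.login.failed","src_ip":"198.51.100.7","session":"a1","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","src_ip":"198.51.100.7","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"enable"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"system"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"shell"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"sh"}
{"eventid":"cowrie.command.input","src_ip":"198.51.100.7","session":"a1","input":"/bin/busybox MIRAI"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"b2","protocol":"ssh"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"b2","username":"root","password":"password"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.9","session":"b2","username":"root","password":"default"}
{"eventid":"cowrie.command.input","src_ip":"203.0.113.9","session":"b2","input":"uname -a"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"c3","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"203.0.113.9","session":"c3","username":"root","password":"123456"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.55","session":"d4","protocol":"telnet"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","session":"d4","username":"support","password":"support"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","session":"d4","username":"root","password":"root"}
{"eventid":"cowrie.login.failed","src_ip":"192.0.2.55","session":"d4","username":"root","password":"ubnt"}
{"eventid":"cowrie.login.success","src_ip":"192.0.2.55","session":"d4","username":"root","password":"xc3511"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.55","session":"d4","input":"enable"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.55","session":"d4","input":"sh"}
{"eventid":"cowrie.command.input","src_ip":"192.0.2.55","session":"d4","input":"/bin/busybox MIRAI"}
"""

# A subset of the default credentials hard-coded in the leaked Mirai scanner.
MIRAI_CREDS = {("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
               ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
               ("root", "123456"), ("root", "54321"), ("support", "support")}
# Commands the Mirai scanner sends after a Telnet login: a shell-escape preamble,
# then a busybox probe whose "MIRAI: applet not found" reply confirms a busybox shell.
MIRAI_PREAMBLE = ["enable", "system", "shell", "sh"]
MIRAI_PROBE = "/bin/busybox MIRAI"


def parse_events(text):
    """One JSON object per non-empty line, as Cowrie's JSON log is written."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def protocol_share(events):
    """Sessions per protocol; the study reports Telnet dominating SSH."""
    return Counter(e["protocol"] for e in events if e["eventid"] == "cowrie.session.connect")


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logins across all their sessions
    (the threshold is an assumption, tune it to your sensor's traffic)."""
    failed = Counter(e["src_ip"] for e in events if e["eventid"] == "cowrie.login.failed")
    return {ip: n for ip, n in failed.items() if n >= threshold}


def mirai_credential_hits(events):
    """How often each credential pair from the Mirai list was tried (failed or not)."""
    return Counter((e["username"], e["password"]) for e in events
                   if e["eventid"] in ("cowrie.login.failed", "cowrie.login.success")
                   and (e["username"], e["password"]) in MIRAI_CREDS)


def mirai_sessions(events):
    """Sessions that issued the busybox probe, noting whether the full preamble
    (enable, system, shell, sh) preceded it in that relative order."""
    inputs = defaultdict(list)
    for e in events:
        if e["eventid"] == "cowrie.command.input":
            inputs[e["session"]].append(e["input"].strip())
    flagged = {}
    for session, cmds in inputs.items():
        if MIRAI_PROBE not in cmds:
            continue
        it = iter(cmds)  # `in` on an iterator consumes it, so this is a subsequence test
        flagged[session] = {"busybox_probe": True,
                            "preamble_complete": all(cmd in it for cmd in MIRAI_PREAMBLE)}
    return flagged


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(protocol_share(evts), brute_force_sources(evts), mirai_sessions(evts))
```

On the constructed log this yields three Telnet sessions to one SSH session, two sources at the brute-force threshold, seven distinct Mirai-list credential pairs (root/xc3511 tried twice) and two sessions sending the busybox probe, only one of which ran the complete preamble. Matching on the probe string rather than on the whole preamble is deliberate: Mirai forks vary the preamble but keep the busybox check.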

30 pages, 2650 KB  
Article
Fed-DTCN: A Federated Disentangled Learning Framework for Unsupervised Zero-Day Anomaly Detection in IoT with Semantic-Aware Augmentation
by Muhammad Ali Khan, Osman Khalid and Rao Naveed Bin Rais
Sensors 2026, 26(6), 1918; https://doi.org/10.3390/s26061918 - 18 Mar 2026
Viewed by 693
Abstract
The proliferation of Internet of Things (IoT) devices continues to expand the network attack surface while introducing stringent privacy requirements that challenge effective intrusion detection. Federated learning enables collaborative model training without centralizing raw network telemetry. However, existing federated intrusion detection approaches often degrade under statistical heterogeneity and remain vulnerable to zero-day attacks when they rely on labeled data or reconstruction-based objectives. This work proposes Fed-DTCN (Federated Dual Temporal Contrastive Network), an unsupervised federated framework for zero-day anomaly detection in IoT environments. Fed-DTCN learns robust representations of benign IoT traffic using contrastive learning with semantic-preserving augmentations. A dual-encoder architecture disentangles globally shared features from client-specific patterns, improving generalization under heterogeneous federated deployments. Personalization and privacy are preserved by selectively aggregating only the shared encoder parameters. The framework employs a compact temporal convolutional backbone together with a soft-weighted contrastive objective to constrain benign representations, thereby enabling reliable detection of out-of-distribution threats. Extensive experiments on the TON_IoT and CSE-CIC-IDS2018 benchmarks show that Fed-DTCN matches or surpasses a state-of-the-art supervised baseline on standard attacks, achieving an F1-score of 99.99% on TON_IoT. In a zero-day evaluation where the Botnet class is withheld during training, Fed-DTCN attains an F1-score of 96%, compared to 0.52% for the supervised baseline. Ablation studies validate the effectiveness of the proposed augmentations, while evaluations under heterogeneous client partitions demonstrate reduced inter-client variance and consistent per-client improvements, indicating suitability for realistic IoT deployments.
(This article belongs to the Section Internet of Things)

32 pages, 3089 KB  
Article
Systematic Evaluation of Machine Learning and Deep Learning Models for IoT Malware Detection Across Ransomware, Rootkit, Spyware, Trojan, Botnet, Worm, Virus, and Keylogger
by Mazdak Maghanaki, Soraya Keramati, F. Frank Chen and Mohammad Shahin
Sensors 2026, 26(6), 1750; https://doi.org/10.3390/s26061750 - 10 Mar 2026
Cited by 2 | Viewed by 1383
Abstract
The rapid growth of Internet-of-Things (IoT) deployments has substantially expanded the attack surface of modern cyber–physical systems, making accurate and computationally feasible malware detection essential for enterprise and industrial environments. This study presents a large-scale, systematic comparison of 27 machine learning (ML) and 18 deep learning (DL) models for IoT malware detection across eight major malware categories: Trojan, Botnet, Ransomware, Rootkit, Worm, Spyware, Keylogger, and Virus. A realistic dataset was constructed using 50,000 executable samples collected from the Any.Run platform, including 8000 malware instances (1000 per class) and 42,000 benign samples. Each sample was executed in a sandbox to extract detailed static and behavioral telemetry. A targeted feature-selection pipeline reduced the feature space to 47 diagnostic features spanning static properties, behavioral indicators, process/file/registry activity, debug signals, and network telemetry, yielding a compact representation suitable for malware detection in IoT settings. Experimental results demonstrate that ensemble tree-based ML models consistently dominate performance on the engineered tabular feature set, as 7 of the top 10 models are ML, with CatBoost and LightGBM achieving near-ceiling accuracy and low false-positive rates. Per-malware analysis further shows that optimal model choice depends on malware behavior. CatBoost is best for Trojan/Spyware, LightGBM for Botnet, XGBoost for Worm, Extra Trees for Rootkit, and Random Forest for Keylogger, while DL models are competitive only for specific categories, with TabNet performing best for Ransomware and FT-Transformer for Virus. In addition, an end-to-end computational time analysis across all 45 models reveals a clear efficiency advantage for boosted tree ensembles relative to most DL architectures, supporting deployment feasibility on commodity CPU hardware. Overall, the study provides actionable guidance for designing adaptive IoT malware detection frameworks, recommending gradient-boosted ensemble ML models as the primary deployment choice, with selective DL models only when category-specific gains justify additional computational cost.
(This article belongs to the Special Issue Intelligent Sensors for Security and Attack Detection)

24 pages, 4158 KB  
Article
Federated Learning and Data Mining-Based Botnet Attack Detection Framework for Internet of Things
by Kalupahana Liyanage Kushan Sudheera, Lokuge Lehele Gedara Madhuwantha Priyashan, Oruthota Arachchige Sanduni Pavithra, Malwaththe Widanalage Tharindu Aththanayake, Piyumi Bhagya Sudasinghe, Wijethunga Gamage Chatum Aloj Sankalpa, Gammana Guruge Nadeesha Sandamali and Peter Han Joo Chong
Sensors 2026, 26(5), 1573; https://doi.org/10.3390/s26051573 - 2 Mar 2026
Viewed by 648
Abstract
Botnet attacks in Internet of Things (IoT) environments often occur as multi-stage campaigns, making early and reliable detection difficult across distributed and privacy-sensitive networks. Centralized detection approaches are often limited by heterogeneous traffic characteristics, severe data imbalance, and the need to aggregate large volumes of raw network data, raising scalability and privacy concerns. To address these challenges, this paper proposes FDA, a federated learning-based and data mining-driven framework for stage-aware botnet attack detection in IoT networks. FDA operates at network gateways, where anomalous traffic is first detected and then abstracted into compact and interpretable patterns using Frequent Itemset Mining (FIM). This pattern-based representation reduces noise and local traffic bias, enabling more robust learning across different IoT networks. Lightweight neural network models are trained locally at gateways, and a global model is learned through federated aggregation of model parameters, avoiding direct sharing of raw network data while enabling gateways to collaboratively learn evolving attack patterns across different IoT networks. Experimental results show that FDA achieves anomaly detection F1-scores above 99% across all gateways and multi-stage botnet attack classification F1-scores in the range of 48–49%, which are comparable to centralized machine-learning baselines while operating under decentralized and privacy-preserving constraints. Overall, FDA provides a practical, privacy-preserving, and effective solution for distributed botnet attack stage detection in real-world IoT deployments.
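The abstract's key move is turning a gateway's anomalous flows into "compact and interpretable patterns" with Frequent Itemset Mining before anything leaves the gateway. The block below is an added illustration, not the FDA authors' code: it discretises a handful of constructed anomalous flow records into categorical items, runs textbook Apriori over them, and keeps only the maximal frequent itemsets, which is the kind of summary a gateway could share instead of raw traffic. The bucket boundaries, the item names and the 50% support threshold are all assumptions; the paper does not say which FIM variant or features it uses.

```python
import math
from collections import Counter
from itertools import combinations

# Constructed anomalous flow records, standing in for what a gateway's anomaly
# detector would hand to the mining stage (all values are made up).
ANOMALOUS_FLOWS = [
    {"proto": "tcp", "dport": 23,    "flags": "S",  "bytes": 60,    "dur": 0.01},
    {"proto": "tcp", "dport": 23,    "flags": "S",  "bytes": 60,    "dur": 0.02},
    {"proto": "tcp", "dport": 23,    "flags": "S",  "bytes": 120,   "dur": 0.01},
    {"proto": "tcp", "dport": 2323,  "flags": "S",  "bytes": 60,    "dur": 0.03},
    {"proto": "tcp", "dport": 2323,  "flags": "S",  "bytes": 60,    "dur": 0.01},
    {"proto": "tcp", "dport": 23,    "flags": "S",  "bytes": 60,    "dur": 0.05},
    {"proto": "udp", "dport": 80,    "flags": "-",  "bytes": 90000, "dur": 4.0},
    {"proto": "udp", "dport": 80,    "flags": "-",  "bytes": 75000, "dur": 3.5},
    {"proto": "udp", "dport": 80,    "flags": "-",  "bytes": 82000, "dur": 5.0},
    {"proto": "tcp", "dport": 48101, "flags": "PA", "bytes": 1200,  "dur": 30.0},
]


def discretize(flow):
    """Map one flow to a transaction: a set of categorical 'key=bucket' items.
    Bucket edges are assumptions chosen for this example."""
    size = "small" if flow["bytes"] < 200 else "medium" if flow["bytes"] < 5000 else "large"
    dur = "short" if flow["dur"] < 0.1 else "long"
    return frozenset({f"proto={flow['proto']}", f"dport={flow['dport']}",
                      f"flags={flow['flags']}", f"bytes={size}", f"dur={dur}"})


def apriori(transactions, min_support):
    """Classic Apriori: returns {frequent itemset: absolute support count}."""
    min_count = math.ceil(min_support * len(transactions))

    def support(candidates):
        return {c: sum(1 for t in transactions if c <= t) for c in candidates}

    singles = {frozenset([item]) for t in transactions for item in t}
    level = {c: n for c, n in support(singles).items() if n >= min_count}
    frequent = dict(level)
    k = 2
    while level:
        # join step: union pairs of frequent (k-1)-itemsets that yield a k-itemset
        joined = {a | b for a, b in combinations(level, 2) if len(a | b) == k}
        # prune step: every (k-1)-subset of a candidate must itself be frequent
        pruned = {c for c in joined
                  if all(frozenset(s) in level for s in combinations(c, k - 1))}
        level = {c: n for c, n in support(pruned).items() if n >= min_count}
        frequent.update(level)
        k += 1
    return frequent


def maximal_itemsets(frequent):
    """Frequent itemsets not contained in any larger frequent itemset: the
    compact patterns a gateway would share instead of raw flows."""
    return {s for s in frequent if not any(s < t for t in frequent)}


if __name__ == "__main__":
    freq = apriori([discretize(f) for f in ANOMALOUS_FLOWS], min_support=0.5)
    for pattern in maximal_itemsets(freq):
        print(sorted(pattern), freq[pattern])
```

With six of the ten constructed flows being tiny, short, SYN-only TCP connections, the single maximal pattern is `{proto=tcp, flags=S, bytes=small, dur=short}` with support 6: a readable "TCP scanning stage" signature. Note that `dport=23` alone falls below the threshold because the scanner split its probes between 23 and 2323, which is exactly the kind of local bias the pattern abstraction smooths over before federated training.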
(This article belongs to the Special Issue Feature Papers in Communications Section 2025–2026)

68 pages, 8733 KB  
Article
Towards Privacy-Preserving Deep Learning for Intelligent IoT Botnet Detection
by Ariwan M. Rasool, Nader Sohrabi Safa and Consolee Mbarushimana
Appl. Sci. 2026, 16(3), 1665; https://doi.org/10.3390/app16031665 - 6 Feb 2026
Viewed by 709
Abstract
Internet of Things (IoT) botnets are networks of infected smart devices controlled by attackers, posing a serious cybersecurity challenge. Developing detection approaches that maintain high accuracy while protecting privacy presents considerable challenges, particularly in large and heterogeneous IoT networks. This paper empirically compares three modelling approaches on Bot-IoT and N-BaIoT in binary and multiclass settings: handcrafted machine learning with random forest (RF), centralised deep learning (CDL) with DNN/LSTM/BiLSTM, and federated deep learning (FDL) with the same architectures. Model hyperparameters are selected via randomised search on stratified subsets and then fixed for final training. Results show near-perfect performance for all approaches in binary detection: on Bot-IoT, CDL-DNN attains perfect accuracy, and RF is virtually perfect (only four benign-to-attack false positives), while FDL models are similarly strong with only small false-positive and false-negative counts. On N-BaIoT, RF and CDL (especially LSTM) are near-perfect, and FDL is very close to CDL. For multiclass detection, CDL-DNN leads on Bot-IoT, RF remains near perfect with minimal cross-class confusion, and FDL trails slightly; on N-BaIoT, FDL-BiLSTM and RF are essentially perfect, with CDL-LSTM close behind. Overall, the findings validate RF as a competitive classical approach, show where centralised representation learning adds value, and demonstrate that federated training preserves most of the centralised accuracy while avoiding raw data centralisation (data locality) for scalable deployment.
(This article belongs to the Special Issue Mobile Computing and Intelligent Sensing, 2nd Edition)

40 pages, 2940 KB  
Article
Hybrid GNN–LSTM Architecture for Probabilistic IoT Botnet Detection with Calibrated Risk Assessment
by Tetiana Babenko, Kateryna Kolesnikova, Yelena Bakhtiyarova, Damelya Yeskendirova, Kanibek Sansyzbay, Askar Sysoyev and Oleksandr Kruchinin
Computers 2026, 15(1), 26; https://doi.org/10.3390/computers15010026 - 5 Jan 2026
Cited by 2 | Viewed by 1481
Abstract
Detecting botnets in IoT environments is difficult because most intrusion detection systems treat network events as independent observations. In practice, infections spread through device relationships and evolve through distinct temporal phases. A system that ignores either aspect will miss important patterns. This paper explores a hybrid architecture combining Graph Neural Networks with Long Short-Term Memory networks to capture both structural and temporal dynamics. The GNN component models behavioral similarity between traffic flows in feature space, while the LSTM tracks how patterns change as attacks progress. The two components are trained jointly so that relational context is preserved during temporal learning. We evaluated the approach on two datasets with different characteristics. N-BaIoT contains traffic from nine devices infected with Mirai and BASHLITE, while CICIoT2023 covers 105 devices across 33 attack types. On N-BaIoT, the model achieved 99.88% accuracy with F1 of 0.9988 and Brier score of 0.0015. Cross-validation on CICIoT2023 yielded 99.73% accuracy with Brier score of 0.0030. The low Brier scores suggest that probability outputs are reasonably well calibrated for risk-based decision making. Consistent performance across both datasets provides some evidence that the architecture generalizes beyond a single benchmark setting.
(This article belongs to the Section ICT Infrastructures for Cybersecurity)

28 pages, 2880 KB  
Article
A Novel Hybrid GWO-RFO Metaheuristic Algorithm for Optimizing 1D-CNN Hyperparameters in IoT Intrusion Detection Systems
by Eslam Bokhory Elsayed, Abdalla Sayed Yassin and Hanan Fahmy
Information 2025, 16(12), 1103; https://doi.org/10.3390/info16121103 - 15 Dec 2025
Cited by 1 | Viewed by 1130
Abstract
Because Internet of Things (IoT) networks are widely deployed, they have become attractive targets for botnet and distributed denial of service (DDoS) attacks, which require effective intrusion detection. Convolutional neural networks (CNNs) can achieve strong detection performance, but their many hyperparameters are usually tuned manually, which is costly and time-consuming. This paper proposes a new hybrid metaheuristic optimizer, FW-CNN, that combines Grey Wolf Optimization and Red Fox Optimization to automatically tune the key hyperparameters of a one-dimensional CNN for IoT intrusion detection. The Red Fox component enhances exploration and helps the search escape local optima, while the Grey Wolf component strengthens exploitation and guides convergence toward high-quality solutions. The proposed model is evaluated using the N-BaIoT dataset and compared with a feedforward neural network as well as a metaheuristic-optimized model based on the Adaptive Particle Swarm Optimization–Whale Optimization Algorithm-CNN. It achieves a final accuracy of 95.56%, improving on the feedforward network by 12.56 percentage points and outperforming the Adaptive Particle Swarm Optimization–Whale Optimization Algorithm-based CNN model by 1.02 percentage points. It also yields higher average precision, Kappa coefficient, and Jaccard similarity, and significantly reduces Hamming loss. These results indicate that the proposed hybrid optimizer is stable and effective for multi-class IoT intrusion detection in real environments.
(This article belongs to the Special Issue Security and Privacy of Resource-Constrained IoT Devices)

22 pages, 2460 KB  
Article
AI-Driven Cybersecurity in IoT: Adaptive Malware Detection and Lightweight Encryption via TRIM-SEC Framework
by Ibrahim Mutambik
Sensors 2025, 25(22), 7072; https://doi.org/10.3390/s25227072 - 19 Nov 2025
Cited by 7 | Viewed by 1830
Abstract
The explosive growth in Internet of Things (IoT) technologies has given rise to significant security concerns, especially with the emergence of sophisticated and zero-day malware attacks. Conventional malware detection methods based on static or dynamic analysis often fail to meet the real-time operational needs and limited-resource constraints typical of IoT systems. This paper proposes TRIM-SEC (Transformer-Integrated Malware Security and Encryption for IoT), a lightweight and scalable framework that unifies intelligent threat detection with secure data transmission. The framework begins with Autoencoder-Based Feature Denoising (AEFD) to eliminate noise and enhance input quality, followed by Principal Component Analysis (PCA) for efficient dimensionality reduction. Malware classification is performed using a Transformer-Augmented Neural Network (TANN), which leverages multi-head self-attention to capture both contextual and temporal dependencies, enabling accurate detection of diverse threats such as Zero-Day, botnets, and zero-day exploits. For secure communication, TRIM-SEC incorporates Lightweight Elliptic Curve Cryptography (LECC), enhanced with Particle Swarm Optimization (PSO) to generate cryptographic keys with minimal computational burden. The framework is rigorously evaluated against advanced baselines, including LSTM-based IDS, CNN-GRU hybrids, and blockchain-enhanced security models. Experimental results show that TRIM-SEC delivers higher detection accuracy, fewer false alarms, and reduced encryption latency, which makes it well-suited for real-time operation in smart IoT ecosystems. Its balanced integration of detection performance, cryptographic strength, and computational efficiency positions TRIM-SEC as a promising solution for securing next-generation IoT environments.

10 pages, 853 KB  
Proceeding Paper
Enhancing Machine Learning Model Prediction with Feature Selection for Botnet Intrusion Detection
by Marwa Baich and Nawal Sael
Eng. Proc. 2025, 112(1), 55; https://doi.org/10.3390/engproc2025112055 - 29 Oct 2025
Cited by 1 | Viewed by 1178
Abstract
Increased vulnerabilities brought about by the explosive growth of the Internet of Things (IoT) call for improved security measures to protect systems from attacks. Intrusion Detection Systems (IDS) that use machine learning (ML) are essential for identifying vulnerabilities. Among various threats, botnets are particularly challenging due to their persistence and complexity. This study explores the application of ML techniques (RF, NB, DT, KNN, LR, and XGBoost) for intrusion detection in IoT networks, with a focus on handling imbalanced data and applying feature selection methods. On the Bot-IoT dataset, the study used Lasso feature selection and the SMOTE data balancing technique to obtain a high accuracy of 99.99% with low execution times using the XGBoost model.

30 pages, 3409 KB  
Article
Decentralized Federated Learning for IoT Malware Detection at the Multi-Access Edge: A Two-Tier, Privacy-Preserving Design
by Mohammed Asiri, Maher A. Khemakhem, Reemah M. Alhebshi, Bassma S. Alsulami and Fathy E. Eassa
Future Internet 2025, 17(10), 475; https://doi.org/10.3390/fi17100475 - 17 Oct 2025
Cited by 2 | Viewed by 1498
Abstract
Botnet attacks on Internet of Things (IoT) devices are escalating at the 5G/6G multi-access edge, yet most federated learning frameworks for IoT malware detection (FL-IMD) still hinge on a central aggregator, enlarging the attack surface, weakening privacy, and creating a single point of failure. We propose a two-tier, fully decentralized FL architecture aligned with MEC’s Proximal Edge Server (PES)/Supplementary Edge Server (SES) hierarchy. PES nodes train locally and encrypt updates with the Cheon–Kim–Kim–Song (CKKS) scheme; SES nodes verify ECDSA-signed provenance, homomorphically aggregate ciphertexts, and finalize each round via an Algorand-style committee that writes a compact, tamper-evident record (update digests/URIs and a global-model hash) to an append-only ledger. Using the N-BaIoT benchmark with an unsupervised autoencoder, we evaluate known-device and leave-one-device-out regimes against a classical centralized baseline and a cryptographically hardened but server-centric variant. With the heavier CKKS profile, attack sensitivity is preserved (TPR 0.99), and specificity (TNR) declines by only 0.20 percentage points relative to plaintext in both regimes; a lighter profile maintains TPR while trading 3.5–4.8 percentage points of TNR for about 71% smaller payloads. Decentralization adds only a negligible per-round overhead for committee finality, while homomorphic aggregation dominates latency. Overall, our FL-IMD design removes the trusted aggregator and provides verifiable, ledger-backed provenance suitable for trustless MEC deployments.

22 pages, 858 KB  
Systematic Review
Network Data Flow Collection Methods for Cybersecurity: A Systematic Literature Review
by Alessandro Carvalho Coutinho and Luciano Vieira de Araújo
Computers 2025, 14(10), 407; https://doi.org/10.3390/computers14100407 - 24 Sep 2025
Viewed by 2781
Abstract
Network flow collection has become a cornerstone of cyber defence, yet the literature still lacks a consolidated view of which technologies are effective across different environments and conditions. We conducted a systematic review of 362 publications indexed in six digital libraries between January 2019 and July 2025, of which 51 met PRISMA 2020 eligibility criteria. All extraction materials are archived on OSF. NetFlow derivatives appear in 62.7% of the studies, IPFIX in 45.1%, INT/P4 or OpenFlow mirroring in 17.6%, and sFlow in 9.8%, with totals exceeding 100% because several papers evaluate multiple protocols. In total, 17 of the 51 studies (33.3%) tested production links of at least 40 Gbps, while others remained in laboratory settings. Fewer than half reported packet-loss thresholds or privacy controls, and none adopted a shared benchmark suite. These findings highlight trade-offs between throughput, fidelity, computational cost, and privacy, as well as gaps in encrypted-traffic support and GDPR-compliant anonymisation. Most importantly, our synthesis demonstrates that flow-collection methods directly shape what can be detected: some exporters are effective for volumetric attacks such as DDoS, while others enable visibility into brute-force authentication, botnets, or IoT malware. In other words, the choice of telemetry technology determines which threats and anomalous behaviours remain visible or hidden to defenders. By mapping technologies, metrics, and gaps, this review provides a single reference point for researchers, engineers, and regulators facing the challenges of flow-aware cybersecurity.
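The review's central claim, that the exporter decides which threats stay visible, can be shown with a few dozen lines. The block below is an added example and not from the review: it builds 5-tuple flow records from a constructed packet trace (a spoofed SYN flood, one slow SSH brute-force client, some benign HTTPS) in two ways, once from every packet as a NetFlow/IPFIX exporter would, and once from a deterministic 1-in-64 packet sample standing in for sFlow-style sampling, then runs the same two simple detectors over both. The thresholds, the sampling rate and the trace itself are assumptions; real sFlow samples randomly, which changes the exact numbers but not the outcome.

```python
from collections import Counter, defaultdict


def build_packets():
    """Constructed packet records (src, sport, dst, dport, proto, flags, bytes):
    a spoofed SYN flood, one low-rate SSH brute-force client and a little
    benign HTTPS. All addresses are documentation ranges, all values made up."""
    pkts = []
    for i in range(50):                      # 400 SYNs from 50 spoofed sources
        for j in range(8):
            pkts.append((f"203.0.113.{i + 1}", 40000 + j, "198.51.100.10", 80, "tcp", "S", 60))
    for attempt in range(12):                # 12 short SSH sessions, 6 packets each
        for j in range(6):
            pkts.append(("192.0.2.77", 50000 + attempt, "198.51.100.10", 22, "tcp",
                         "S" if j == 0 else "PA", 60 if j == 0 else 120))
    for i in range(4):                       # 4 benign HTTPS clients, 5 packets each
        for j in range(5):
            pkts.append((f"10.0.0.{i + 1}", 51000 + i, "198.51.100.10", 443, "tcp", "PA", 500))
    return pkts


def export_flows(packets, sample_rate=1):
    """Aggregate packets into 5-tuple flow records. sample_rate=1 sees every
    packet (NetFlow/IPFIX style); sample_rate=N keeps one packet in N, a
    deterministic stand-in for sFlow's random 1-in-N packet sampling."""
    flows = defaultdict(lambda: {"pkts": 0, "bytes": 0})
    for idx, (src, sport, dst, dport, proto, _flags, size) in enumerate(packets):
        if idx % sample_rate:
            continue
        rec = flows[(src, sport, dst, dport, proto)]
        rec["pkts"] += 1
        rec["bytes"] += size
    return flows


def volumetric_targets(flows, min_sources=5):
    """(dst, dport) pairs hit by at least `min_sources` distinct sources
    (threshold is an assumption for this example)."""
    sources = defaultdict(set)
    for src, _sport, dst, dport, _proto in flows:
        sources[(dst, dport)].add(src)
    return {k: len(v) for k, v in sources.items() if len(v) >= min_sources}


def brute_force_clients(flows, port=22, min_flows=5):
    """Sources opening at least `min_flows` separate flows to one service port
    (threshold is an assumption for this example)."""
    per_src = Counter(src for src, _sport, _dst, dport, _proto in flows if dport == port)
    return {src: n for src, n in per_src.items() if n >= min_flows}


if __name__ == "__main__":
    pkts = build_packets()
    for rate in (1, 64):
        flows = export_flows(pkts, sample_rate=rate)
        print(rate, volumetric_targets(flows), brute_force_clients(flows))
```

From the unsampled export both detectors fire: 50 sources against port 80 and 12 SSH flows from 192.0.2.77. From the 1-in-64 sample the flood is still obvious (7 distinct sources survive, well over the threshold) but only one of the 72 brute-force packets is kept, so the brute-force client disappears entirely. That is the trade-off the review describes: sampled exporters are cheap enough for 40 Gbps links and still see volumetric attacks, while low-rate credential attacks and botnet check-ins need per-packet flow accounting or full mirroring.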
(This article belongs to the Section ICT Infrastructures for Cybersecurity)
27 pages, 6303 KB  
Article
Detecting and Analyzing Botnet Nodes via Advanced Graph Representation Learning Tools
by Alfredo Cuzzocrea, Abderraouf Hafsaoui and Carmine Gallo
Algorithms 2025, 18(5), 253; https://doi.org/10.3390/a18050253 - 26 Apr 2025
Viewed by 2118
Abstract
Private consumers, small businesses, and even large enterprises are all at risk from botnets. These botnets are known for spearheading Distributed Denial-Of-Service (DDoS) attacks, spamming large populations of users, and causing critical harm to major organizations. The development of Internet of Things (IoT) devices led to the use of these devices for cryptocurrency mining, in-transit data interception, and sending logs containing private data to the master botnet. Different techniques were developed to identify these botnet activities, but only a few use Graph Neural Networks (GNNs) to analyze host activity by representing their communications with a directed graph. Although GNNs are intended to extract structural graph properties, they risk causing overfitting, which leads to failure when attempting to do so from an unidentified network. In this study, we test the notion that structural graph patterns might be used for efficient botnet detection. In this study, we also present SIR-GN, a structural iterative representation learning methodology for graph nodes. Our approach is built to work well with untested data, and our model is able to provide a vector representation for every node that captures its structural information. Finally, we demonstrate that, when the collection of node representation vectors is incorporated into a neural network classifier, our model outperforms the state-of-the-art GNN-based algorithms in the detection of bot nodes within unknown networks.
76 pages, 8958 KB  
Article
Robust Intrusion Detection System Using an Improved Hybrid Deep Learning Model for Binary and Multi-Class Classification in IoT Networks
by Hesham Kamal and Maggie Mashaly
Technologies 2025, 13(3), 102; https://doi.org/10.3390/technologies13030102 - 4 Mar 2025
Cited by 32 | Viewed by 6800
Abstract
The rapid expansion of internet of things (IoT) applications has significantly boosted productivity and streamlined daily activities. However, this widespread adoption has also introduced considerable security challenges, making IoT environments vulnerable to large-scale botnet attacks. These attacks have often succeeded in achieving their malicious goals, highlighting the urgent need for robust detection strategies to secure IoT networks. To overcome these obstacles, this research presents an innovative anomaly-driven intrusion detection approach specifically tailored for IoT networks. The proposed model employs an advanced hybrid architecture that seamlessly integrates convolutional neural networks (CNN) with multilayer perceptron (MLP), enabling precise detection and classification of both binary and multi-class IoT network traffic. The CNN component is responsible for extracting and enhancing features from network traffic data and preparing these features for effective classification by the MLP, which handles the final classification task. To further manage class imbalance, the model incorporates the enhanced hybrid adaptive synthetic sampling-synthetic minority oversampling technique (ADASYN-SMOTE) for binary classification, advanced ADASYN for multiclass classification, and employs edited nearest neighbors (ENN) alongside class weights. The CNN-MLP architecture is meticulously crafted to minimize erroneous classifications, enhance instantaneous threat detection, and precisely recognize previously unseen cyber intrusions. The model’s effectiveness was rigorously tested using the IoT-23 and NF-BoT-IoT-v2 datasets. On the IoT-23 dataset, the model achieved 99.94% accuracy in two-stage binary classification, 99.99% accuracy in multiclass classification excluding the normal class, and 99.91% accuracy in single-phase multiclass classification including the normal class. Utilizing the NF-BoT-IoT-v2 dataset, the model attained an exceptional 99.96% accuracy in the dual-phase binary classification paradigm, 98.02% accuracy in multiclass classification excluding the normal class, and 98.11% accuracy in single-phase multiclass classification including the normal class. The results demonstrate that our model consistently delivers high levels of accuracy, precision, recall, and F1 score across both binary and multiclass classifications, establishing it as a robust solution for securing IoT networks.