Sign in to use this feature.

Years

Between: -

Subjects

remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline

Journals

Article Types

Countries / Regions

Search Results (100)

Search Parameters:
Keywords = IoT botnet detection

Order results
Result details
Results per page
Select all
Export citation of selected articles as:
27 pages, 2873 KB  
Article
Mean/Std: Lightweight Distribution-Aware Aggregation for Federated IoT Botnet Detection
by Yassine El Yamani, Youssef Baddi and Najib El Kamoun
IoT 2026, 7(3), 55; https://doi.org/10.3390/iot7030055 - 7 Jul 2026
Viewed by 250
Abstract
Federated learning (FL) is a promising paradigm for privacy-preserving IoT intrusion detection, but its effectiveness can be substantially degraded by the combination of heterogeneous non-IID client distributions and severe multi-class imbalance. Under such conditions, conventional size-based aggregation may overemphasize large yet highly skewed [...] Read more.
Federated learning (FL) is a promising paradigm for privacy-preserving IoT intrusion detection, but its effectiveness can be substantially degraded by the combination of heterogeneous non-IID client distributions and severe multi-class imbalance. Under such conditions, conventional size-based aggregation may overemphasize large yet highly skewed clients, limiting the representation of minority attack classes in the global model. To address this issue, we propose Mean/Std, a lightweight distribution-aware aggregation strategy that combines a client-size proxy with two complementary statistics of local label distributions, namely the standard deviation and the dominance gap of class proportions, while preserving a communication footprint comparable to FedAvg. Experiments on the N-BaIoT benchmark, comprising seven heterogeneous IoT clients and eleven traffic classes, are conducted under a privacy-oriented update-perturbation setting inspired by secure aggregation workflows. The results show that Mean/Std consistently provides the strongest imbalance-aware performance among the evaluated FL baselines, achieving a Macro-F1 score of 0.8418 and a Balanced Accuracy of 0.8722 while improving the representation of minority attack classes. Additional experiments across five independent random seeds and a comprehensive hyperparameter sensitivity analysis further confirm the robustness and stability of the proposed aggregation mechanism. Overall, the results demonstrate that lightweight distribution-aware aggregation offers an effective, robust, and practically deployable solution for mitigating aggregation bias under simultaneous non-IID heterogeneity and severe multi-class imbalance in FL-based IoT botnet detection. Full article
Show Figures

Figure 1

33 pages, 5099 KB  
Article
Persian Eagle: A Hybrid Machine Learning and Deep Learning Framework for High-Precision DDoS Detection in Urban Digital Infrastructures
by Hamid Yarali and Kaebeh Yaeghoobi
Information 2026, 17(7), 618; https://doi.org/10.3390/info17070618 - 23 Jun 2026
Viewed by 603
Abstract
Urban environments increasingly rely on interconnected digital infrastructures like IoT devices, SDN-enabled networks, and cloud platforms to support essential municipal services. Ensuring the resilience of these systems requires advanced, data-driven mechanisms capable of detecting and mitigating cyber disruptions. This study presents Persian Eagle, [...] Read more.
Urban environments increasingly rely on interconnected digital infrastructures like IoT devices, SDN-enabled networks, and cloud platforms to support essential municipal services. Ensuring the resilience of these systems requires advanced, data-driven mechanisms capable of detecting and mitigating cyber disruptions. This study presents Persian Eagle, a hybrid machine learning and deep learning framework designed to enhance the cyber-resilience of urban digital infrastructures by providing high-precision detection of Distributed Denial of Service (DDoS) attacks. DDoS attacks disrupt service availability by flooding targets with massive malicious traffic orchestrated through botnets, and in critical infrastructures, disruptions can be life-threatening. The proposed framework integrates multi-stage data preprocessing, SMOTE-based class balancing, and a four-phase feature-selection pipeline combining filtering, statistical ranking, PCA, and XGBoost. Seven complementary classifiers, including Random Forest, SVM, Gaussian Naive Bayes, XGBoost, MLP, LSTM, and Autoencoder, are bonded through a stacking cooperative with a Gradient Boosting meta-learner. The framework was evaluated on CICDDoS2019 and CICIDS2017 datasets, and achieved near-perfect performance up to 99.9998% accuracy, demonstrating strong generalization across diverse attack scenarios. By offering a scalable, transparent, and data-driven detection mechanism, Persian Eagle maintains urban digital-risk management and supports the continuity and resilience of critical smart-city services. Full article
Show Figures

Figure 1

21 pages, 574 KB  
Article
Hybrid Deep Architectures in Contrastive Latent Space: Performance Analysis of VAE-MLP, VAE-MoTE, and VAE-GAT for IoT Botnet Detection
by Hassan Wasswa and Timothy Lynar
IoT 2026, 7(2), 41; https://doi.org/10.3390/iot7020041 - 12 May 2026
Viewed by 665
Abstract
The rapid proliferation of Internet of Things (IoT) devices has significantly expanded the attack surface of modern networks leading to a surge in IoT-based botnet attacks. Detecting such attacks remains challenging due to the high dimensionality and heterogeneity of IoT network traffic. This [...] Read more.
The rapid proliferation of Internet of Things (IoT) devices has significantly expanded the attack surface of modern networks leading to a surge in IoT-based botnet attacks. Detecting such attacks remains challenging due to the high dimensionality and heterogeneity of IoT network traffic. This study proposes and evaluates three hybrid deep learning architectures for IoT botnet detection that combine representation learning with supervised classification: VAE-encoder-MLP, VAE-encoder-GAT, and VAE-encoder-MoTE. A Variational Autoencoder is initially trained to learn a compact latent representation of the high-dimensional traffic features. Subsequently, the pretrained VAE-encoder component is employed to project the data into a lower-dimensional embedding space. These embeddings are then used to train three different downstream classifiers: a multilayer perceptron (MLP), a graph attention network (GAT), and a mixture of tiny experts (MoTE) model. To further enhance representation discriminability, supervised contrastive learning is incorporated to encourage intra-class compactness and inter-class separability. The proposed architectures are evaluated on two widely studied benchmark datasets—the CICIoT2022 and N-BaIoT dataset—under both binary and multiclass classification settings. Experimental results demonstrate that all three models achieve near-perfect performance in binary attack detection, with accuracy exceeding 99.8%. In the more challenging multiclass scenario, the VAE-encoder-MLP model achieves the best overall performance, reaching accuracies of 98.55% on CICIoT2022 and 99.75% on N-BaIoT. These findings provide insights into the design of efficient and scalable deep learning architectures for IoT intrusion detection. Full article
(This article belongs to the Special Issue Cybersecurity in the Age of the Internet of Things)
Show Figures

Figure 1

20 pages, 3072 KB  
Article
Evolving IoT Botnet Threats and Practical Honeypot Observation: A Summary Review and Experimental Study
by Rajkumar Banoth, Santosh Reddy Addula, Aruna Kranthi Godishala, Rithwik Sannapu, Guna Sekhar Sajja, Deepak Kumar, Vinay Kumar Kasula and Chaitanya Tumma
J. Cybersecur. Priv. 2026, 6(3), 82; https://doi.org/10.3390/jcp6030082 - 2 May 2026
Viewed by 882
Abstract
The rapid proliferation of Internet of Things (IoT) devices has significantly increased the attack surface for large-scale botnet operations. While previous research, including detailed analyses using Cowrie and IoTPOT frameworks, has studied IoT botnet behavior, these studies often rely on retrospective datasets, isolated [...] Read more.
The rapid proliferation of Internet of Things (IoT) devices has significantly increased the attack surface for large-scale botnet operations. While previous research, including detailed analyses using Cowrie and IoTPOT frameworks, has studied IoT botnet behavior, these studies often rely on retrospective datasets, isolated protocol analyses, or hard-to-replicate setups. This paper addresses that gap with two main contributions: a structured review of ten influential IoT security studies from the USENIX Security Symposium and a confirmatory empirical experiment deploying Cowrie and IoTPOT honeypots simultaneously on a Microsoft Azure cloud-based virtual machine. Unlike earlier studies that focus on single protocols or large-scale environments, this work acts as a validation study, confirming well-known IoT botnet behaviors, including credential brute-force attacks, Mirai-style commands, and Telnet dominance, using real-time attack data collected from a reproducible, affordable cloud environment that simulates known IoT vulnerabilities (such as CVE-2016-10401, CVE-2017-17215, and CVE-2014-9222). Rather than revealing new attack methods, this study explicitly verifies the persistence of behaviors first documented almost ten years ago. The data indicates that attackers continue to exploit basic authentication flaws and reuse long-standing command sequences, confirming that core IoT vulnerabilities remain prevalent despite a decade of security research. It also highlights the ongoing gap between research progress and industry implementation. The analysis situates these findings within the broader evolution of IoT botnets, from early centralized command-and-control structures like Mirai to more resilient peer-to-peer networks that use anonymized channels and target high-wattage devices for power-grid manipulation. This study shows that small, cloud-based honeypots are valuable for continuous threat monitoring, model validation, and security assessments, providing a practical, reproducible approach for ongoing IoT security research. Full article
Show Figures

Figure 1

30 pages, 2650 KB  
Article
Fed-DTCN: A Federated Disentangled Learning Framework for Unsupervised Zero-Day Anomaly Detection in IoT with Semantic-Aware Augmentation
by Muhammad Ali Khan, Osman Khalid and Rao Naveed Bin Rais
Sensors 2026, 26(6), 1918; https://doi.org/10.3390/s26061918 - 18 Mar 2026
Cited by 1 | Viewed by 763
Abstract
The proliferation of Internet of Things (IoT) devices continues to expand the network attack surface while introducing stringent privacy requirements that challenge effective intrusion detection. Federated learning enables collaborative model training without centralizing raw network telemetry. However, existing federated intrusion detection approaches often [...] Read more.
The proliferation of Internet of Things (IoT) devices continues to expand the network attack surface while introducing stringent privacy requirements that challenge effective intrusion detection. Federated learning enables collaborative model training without centralizing raw network telemetry. However, existing federated intrusion detection approaches often degrade under statistical heterogeneity and remain vulnerable to zero-day attacks when they rely on labeled data or reconstruction-based objectives. This work proposes Fed-DTCN (Federated Dual Temporal Contrastive Network), an unsupervised federated framework for zero-day anomaly detection in IoT environments. Fed-DTCN learns robust representations of benign IoT traffic using contrastive learning with semantic-preserving augmentations. A dual-encoder architecture disentangles globally shared features from client-specific patterns, improving generalization under heterogeneous federated deployments. Personalization and privacy are preserved by selectively aggregating only the shared encoder parameters. The framework employs a compact temporal convolutional backbone together with a soft-weighted contrastive objective to constrain benign representations, thereby enabling reliable detection of out-of-distribution threats. Extensive experiments on the TON_IoT and CSE-CIC-IDS2018 benchmarks show that Fed-DTCN matches or surpasses a state-of-the-art supervised baseline on standard attacks, achieving an F1-score of 99.99% on TON_IoT. In a zero-day evaluation where the Botnet class is withheld during training, Fed-DTCN attains an F1-score of 96%, compared to 0.52% for the supervised baseline. Ablation studies validate the effectiveness of the proposed augmentations, while evaluations under heterogeneous client partitions demonstrate reduced inter-client variance and consistent per-client improvements, indicating suitability for realistic IoT deployments. Full article
(This article belongs to the Section Internet of Things)
Show Figures

Figure 1

32 pages, 3089 KB  
Article
Systematic Evaluation of Machine Learning and Deep Learning Models for IoT Malware Detection Across Ransomware, Rootkit, Spyware, Trojan, Botnet, Worm, Virus, and Keylogger
by Mazdak Maghanaki, Soraya Keramati, F. Frank Chen and Mohammad Shahin
Sensors 2026, 26(6), 1750; https://doi.org/10.3390/s26061750 - 10 Mar 2026
Cited by 6 | Viewed by 1547
Abstract
The rapid growth of Internet-of-Things (IoT) deployments has substantially expanded the attack surface of modern cyber–physical systems, making accurate and computationally feasible malware detection essential for enterprise and industrial environments. This study presents a large-scale, systematic comparison of 27 machine learning (ML) and [...] Read more.
The rapid growth of Internet-of-Things (IoT) deployments has substantially expanded the attack surface of modern cyber–physical systems, making accurate and computationally feasible malware detection essential for enterprise and industrial environments. This study presents a large-scale, systematic comparison of 27 machine learning (ML) and 18 deep learning (DL) models for IoT malware detection across eight major malware categories: Trojan, Botnet, Ransomware, Rootkit, Worm, Spyware, Keylogger, and Virus. A realistic dataset was constructed using 50,000 executable samples collected from the Any.Run platform, including 8000 malware instances (1000 per class) and 42,000 benign samples. Each sample was executed in a sandbox to extract detailed static and behavioral telemetry. A targeted feature-selection pipeline reduced the feature space to 47 diagnostic features spanning static properties, behavioral indicators, process/file/registry activity, debug signals, and network telemetry, yielding a compact representation suitable for malware detection in IoT settings. Experimental results demonstrate that ensemble tree-based ML models consistently dominate performance on the engineered tabular feature set as 7 of the top 10 models are ML, with CatBoost and LightGBM achieving near-ceiling accuracy and low false-positive rates. Per-malware analysis further shows that optimal model choice depends on malware behavior. CatBoost is best for Trojan/Spyware, LightGBM for Botnet, XGBoost for Worm, Extra Trees for Rootkit, and Random Forest for Keylogger, while DL models are competitive only for specific categories, with TabNet performing best for Ransomware and FT-Transformer for Virus. In addition, an end-to-end computational time analysis across all 45 models reveals a clear efficiency advantage for boosted tree ensembles relative to most DL architectures, supporting deployment feasibility on commodity CPU hardware. Overall, the study provides actionable guidance for designing adaptive IoT malware detection frameworks, recommending gradient-boosted ensemble ML models as the primary deployment choice, with selective DL models only when category-specific gains justify additional computational cost. Full article
(This article belongs to the Special Issue Intelligent Sensors for Security and Attack Detection)
Show Figures

Figure 1

24 pages, 4158 KB  
Article
Federated Learning and Data Mining-Based Botnet Attack Detection Framework for Internet of Things
by Kalupahana Liyanage Kushan Sudheera, Lokuge Lehele Gedara Madhuwantha Priyashan, Oruthota Arachchige Sanduni Pavithra, Malwaththe Widanalage Tharindu Aththanayake, Piyumi Bhagya Sudasinghe, Wijethunga Gamage Chatum Aloj Sankalpa, Gammana Guruge Nadeesha Sandamali and Peter Han Joo Chong
Sensors 2026, 26(5), 1573; https://doi.org/10.3390/s26051573 - 2 Mar 2026
Cited by 1 | Viewed by 708
Abstract
Botnet attacks in Internet of Things (IoT) environments often occur as multi-stage campaigns, making early and reliable detection difficult across distributed and privacy-sensitive networks. Centralized detection approaches are often limited by heterogeneous traffic characteristics, severe data imbalance, and the need to aggregate large [...] Read more.
Botnet attacks in Internet of Things (IoT) environments often occur as multi-stage campaigns, making early and reliable detection difficult across distributed and privacy-sensitive networks. Centralized detection approaches are often limited by heterogeneous traffic characteristics, severe data imbalance, and the need to aggregate large volumes of raw network data, raising scalability and privacy concerns. To address these challenges, this paper proposes FDA, a federated learning-based and data mining-driven framework for stage-aware botnet attack detection in IoT networks. FDA operates at network gateways, where anomalous traffic is first detected and then abstracted into compact and interpretable patterns using Frequent Itemset Mining (FIM). This pattern-based representation reduces noise and local traffic bias, enabling more robust learning across different IoT networks. Lightweight neural network models are trained locally at gateways, and a global model is learned through federated aggregation of model parameters, avoiding direct sharing of raw network data while enabling gateways to collaboratively learn evolving attack patterns across different IoT networks. Experimental results show that FDA achieves anomaly detection F1-scores above 99% across all gateways and multi-stage botnet attack classification F1-scores in the range of 48–49%, which are comparable to centralized machine-learning baselines while operating under decentralized and privacy-preserving constraints. Overall, FDA provides a practical, privacy-preserving, and effective solution for distributed botnet attack stage detection in real-world IoT deployments. Full article
(This article belongs to the Special Issue Feature Papers in Communications Section 2025–2026)
Show Figures

Figure 1

22 pages, 839 KB  
Article
Lightweight Heterogeneous Graph-Inspired Neural Networks for Real-Time Botnet Detection
by Oleksandr Kushnerov, Ruslan Shevchuk, Serhii Yevseiev and Mikolaj Karpinski
Electronics 2026, 15(5), 961; https://doi.org/10.3390/electronics15050961 - 26 Feb 2026
Viewed by 917
Abstract
Rapid Internet of Things (IoT) expansion creates security risks due to resource limits and evolving botnets. While Graph Neural Networks (GNNs) offer accuracy, their computational demands hinder real-time edge deployment. This study presents IoTGuard, based on a ‘Hetero-MLP’ architecture. The model replaces costly [...] Read more.
Rapid Internet of Things (IoT) expansion creates security risks due to resource limits and evolving botnets. While Graph Neural Networks (GNNs) offer accuracy, their computational demands hinder real-time edge deployment. This study presents IoTGuard, based on a ‘Hetero-MLP’ architecture. The model replaces costly message passing with 8-dimensional categorical embeddings to capture protocol semantics. To avoid topology overfitting, L3 identifiers were excluded, relying on 13 L4 attributes selected via Pearson correlation. Evaluations on the NF-BoT-IoT-v2 dataset (37.7 M samples) demonstrate a 12.17 KB (INT8) footprint via post-training quantization. This represents a 1.9× size reduction, enabling independent operation on ARM Cortex-M7 platforms (Arm Ltd., Cambridge, UK) at 37,093 requests per second. The framework achieves a DDoS F1-score of 0.9943 with a false-positive rate of 0.0054. Comparative analysis confirms that while Random Forest is accurate, Hetero-MLP reduces parameters by 25.4× versus standard GAT models. The proposed approach balances detection depth with edge constraints, offering scalable critical infrastructure protection. Full article
(This article belongs to the Special Issue Computer Networking Security and Privacy)
Show Figures

Graphical abstract

68 pages, 8733 KB  
Article
Towards Privacy-Preserving Deep Learning for Intelligent IoT Botnet Detection
by Ariwan M. Rasool, Nader Sohrabi Safa and Consolee Mbarushimana
Appl. Sci. 2026, 16(3), 1665; https://doi.org/10.3390/app16031665 - 6 Feb 2026
Viewed by 747
Abstract
Internet of Things (IoT) botnets are networks of infected smart devices controlled by attackers and posing a serious cybersecurity challenge. Developing detection approaches that maintain high accuracy while protecting privacy presents considerable challenges, particularly in large and heterogeneous IoT networks. This paper empirically [...] Read more.
Internet of Things (IoT) botnets are networks of infected smart devices controlled by attackers and posing a serious cybersecurity challenge. Developing detection approaches that maintain high accuracy while protecting privacy presents considerable challenges, particularly in large and heterogeneous IoT networks. This paper empirically compares three modelling approaches on Bot-IoT and N-BaIoT in binary and multiclass settings: handcrafted machine learning with random forest (RF), centralised deep learning (CDL) with DNN/LSTM/BiLSTM, and federated deep learning (FDL) with the same architectures. Model hyperparameters are selected via randomised search on stratified subsets and then fixed for final training. Results show near-perfect performance for all approaches in binary detection: on Bot-IoT, CDL-DNN attains perfect accuracy, and RF is virtually perfect (only four benign-to-attack false positives), while FDL models are similarly strong with only small false-positive and false-negative counts. On N-BaIoT, RF and CDL (especially LSTM) are near-perfect, and FDL is very close to CDL. For multiclass detection, CDL-DNN leads on Bot-IoT, RF remains near perfect with minimal cross-class confusion, and FDL trails slightly; on N-BaIoT, FDL-BiLSTM and RF are essentially perfect, with CDL-LSTM close behind. Overall, the findings validate RF as a competitive classical approach, show where centralised representation learning adds value, and demonstrate that federated training preserves most of the centralised accuracy while avoiding raw data centralization (data locality) for scalable deployment. Full article
(This article belongs to the Special Issue Mobile Computing and Intelligent Sensing, 2nd Edition)
Show Figures

Figure 1

40 pages, 2940 KB  
Article
Hybrid GNN–LSTM Architecture for Probabilistic IoT Botnet Detection with Calibrated Risk Assessment
by Tetiana Babenko, Kateryna Kolesnikova, Yelena Bakhtiyarova, Damelya Yeskendirova, Kanibek Sansyzbay, Askar Sysoyev and Oleksandr Kruchinin
Computers 2026, 15(1), 26; https://doi.org/10.3390/computers15010026 - 5 Jan 2026
Cited by 2 | Viewed by 1603
Abstract
Detecting botnets in IoT environments is difficult because most intrusion detection systems treat network events as independent observations. In practice, infections spread through device relationships and evolve through distinct temporal phases. A system that ignores either aspect will miss important patterns. This paper [...] Read more.
Detecting botnets in IoT environments is difficult because most intrusion detection systems treat network events as independent observations. In practice, infections spread through device relationships and evolve through distinct temporal phases. A system that ignores either aspect will miss important patterns. This paper explores a hybrid architecture combining Graph Neural Networks with Long Short-Term Memory networks to capture both structural and temporal dynamics. The GNN component models behavioral similarity between traffic flows in feature space, while the LSTM tracks how patterns change as attacks progress. The two components are trained jointly so that relational context is preserved during temporal learning. We evaluated the approach on two datasets with different characteristics. N-BaIoT contains traffic from nine devices infected with Mirai and BASHLITE, while CICIoT2023 covers 105 devices across 33 attack types. On N-BaIoT, the model achieved 99.88% accuracy with F1 of 0.9988 and Brier score of 0.0015. Cross-validation on CICIoT2023 yielded 99.73% accuracy with Brier score of 0.0030. The low Brier scores suggest that probability outputs are reasonably well calibrated for risk-based decision making. Consistent performance across both datasets provides some evidence that the architecture generalizes beyond a single benchmark setting. Full article
(This article belongs to the Section ICT Infrastructures for Cybersecurity)
Show Figures

Figure 1

28 pages, 2880 KB  
Article
A Novel Hybrid GWO-RFO Metaheuristic Algorithm for Optimizing 1D-CNN Hyperparameters in IoT Intrusion Detection Systems
by Eslam Bokhory Elsayed, Abdalla Sayed Yassin and Hanan Fahmy
Information 2025, 16(12), 1103; https://doi.org/10.3390/info16121103 - 15 Dec 2025
Cited by 1 | Viewed by 1201
Abstract
Because Internet of Things (IoT) networks are widely deployed, they have become attractive targets for botnet and distributed denial of service (DDoS) attacks, which require effective intrusion detection. Convolutional neural networks (CNNs) can achieve strong detection performance, but their many hyperparameters are usually [...] Read more.
Because Internet of Things (IoT) networks are widely deployed, they have become attractive targets for botnet and distributed denial of service (DDoS) attacks, which require effective intrusion detection. Convolutional neural networks (CNNs) can achieve strong detection performance, but their many hyperparameters are usually tuned manually, which is costly and time-consuming. This paper proposes a new hybrid metaheuristic optimizer, FW-CNN, that combines Grey Wolf Optimization and Red Fox Optimization to automatically tune the key hyperparameters of a one-dimensional CNN for IoT intrusion detection. The Red Fox component enhances exploration and helps the search escape local optima, while the Grey Wolf component strengthens exploitation and guides convergence toward high-quality solutions. The proposed model is evaluated using the N-BaIoT dataset and compared with a feedforward neural network as well as a metaheuristic-optimized model based on the Adaptive Particle Swarm Optimization–Whale Optimization Algorithm-CNN. It achieves a final accuracy of 95.56%, improving on the feedforward network by 12.56 percentage points and outperforming the Adaptive Particle Swarm Optimization–Whale Optimization Algorithm-based CNN model by 1.02 percentage points. It also yields higher average precision, Kappa coefficient, and Jaccard similarity, and significantly reduces Hamming loss. These results indicate that the proposed hybrid optimizer is stable and effective for multi-class IoT intrusion detection in real environments. Full article
(This article belongs to the Special Issue Security and Privacy of Resource-Constrained IoT Devices)
Show Figures

Graphical abstract

28 pages, 3895 KB  
Article
Advancing Machine Learning Strategies for Power Consumption-Based IoT Botnet Detection
by Almustapha A. Wakili, Saugat Guni, Sabbir Ahmed Khan, Wei Yu and Woosub Jung
Sensors 2025, 25(24), 7553; https://doi.org/10.3390/s25247553 - 12 Dec 2025
Cited by 1 | Viewed by 1217
Abstract
The proliferation of Internet of Things (IoT) devices has amplified botnet risks, while traditional network-based intrusion detection systems (IDSs) struggle under encrypted and/or sparse traffic. Power consumption offers an effective side channel for device-level detection. Yet, prior studies typically focus on a single [...] Read more.
The proliferation of Internet of Things (IoT) devices has amplified botnet risks, while traditional network-based intrusion detection systems (IDSs) struggle under encrypted and/or sparse traffic. Power consumption offers an effective side channel for device-level detection. Yet, prior studies typically focus on a single model family (often a convolutional neural network (CNN)) and rarely assess generalization across devices or compare broader model classes. In this paper, we conduct unified benchmarking and comparison of classical (SVM and RF), deep (CNN, LSTM, and 1D Transformer), and hybrid (CNN + LSTM, CNN + Transformer, and CNN + RF) models on the CHASE’19 dataset and a newly curated three-class botnet dataset, using consistent preprocessing and evaluation across single- and cross-device settings, reporting both accuracy and efficiency (latency and throughput). Experimental results demonstrate that Random Forest achieves the highest single-device accuracy (99.43% on the Voice Assistant with Seed 42), while CNN + Transformer shows a strong accuracy–efficiency trade-off in cross-device scenarios (94.02% accuracy on the combined dataset at ∼60,000 samples/s when using the best-performing Seed 42). These results offer practical guidance for selecting models under accuracy, latency, and throughput constraints and establish a reproducible baseline for power-side-channel IDSs. Full article
(This article belongs to the Special Issue IoT Cybersecurity: 2nd Edition)
Show Figures

Figure 1

22 pages, 2460 KB  
Article
AI-Driven Cybersecurity in IoT: Adaptive Malware Detection and Lightweight Encryption via TRIM-SEC Framework
by Ibrahim Mutambik
Sensors 2025, 25(22), 7072; https://doi.org/10.3390/s25227072 - 19 Nov 2025
Cited by 8 | Viewed by 1895
Abstract
The explosive growth in Internet of Things (IoT) technologies has given rise to significant security concerns, especially with the emergence of sophisticated and zero-day malware attacks. Conventional malware detection methods based on static or dynamic analysis often fail to meet the real-time operational [...] Read more.
The explosive growth in Internet of Things (IoT) technologies has given rise to significant security concerns, especially with the emergence of sophisticated and zero-day malware attacks. Conventional malware detection methods based on static or dynamic analysis often fail to meet the real-time operational needs and limited-resource constraints typical of IoT systems. This paper proposes TRIM-SEC (Transformer-Integrated Malware Security and Encryption for IoT), a lightweight and scalable framework that unifies intelligent threat detection with secure data transmission. The framework begins with Autoencoder-Based Feature Denoising (AEFD) to eliminate noise and enhance input quality, followed by Principal Component Analysis (PCA) for efficient dimensionality reduction. Malware classification is performed using a Transformer-Augmented Neural Network (TANN), which leverages multi-head self-attention to capture both contextual and temporal dependencies, enabling accurate detection of diverse threats such as Zero-Day, botnets, and zero-day exploits. For secure communication, TRIM-SEC incorporates Lightweight Elliptic Curve Cryptography (LECC), enhanced with Particle Swarm Optimization (PSO) to generate cryptographic keys with minimal computational burden. The framework is rigorously evaluated against advanced baselines, including LSTM-based IDS, CNN-GRU hybrids, and blockchain-enhanced security models. Experimental results show that TRIM-SEC delivers higher detection accuracy, fewer false alarms, and reduced encryption latency, which makes it well-suited for real-time operation in smart IoT ecosystems. Its balanced integration of detection performance, cryptographic strength, and computational efficiency positions TRIM-SEC as a promising solution for securing next-generation IoT environments. Full article
Show Figures

Figure 1

21 pages, 4097 KB  
Article
Lightweight Quantized XGBoost for Botnet Detection in Resource-Constrained IoT Networks
by Mohammed Rauf Ali Khan, Abdulaziz Y. Barnawi, Adnan Munir, Zainab Alsalman and Dario Marcelo Satan Sanunga
IoT 2025, 6(4), 70; https://doi.org/10.3390/iot6040070 - 18 Nov 2025
Cited by 3 | Viewed by 2179
Abstract
The rapid expansion of IoT devices has introduced significant security challenges, with malware authors constantly evolving their techniques to exploit vulnerabilities in IoT networks. Despite this growing threat, progress in developing effective detection solutions remains limited. In this study, we present an ML-based [...] Read more.
The rapid expansion of IoT devices has introduced significant security challenges, with malware authors constantly evolving their techniques to exploit vulnerabilities in IoT networks. Despite this growing threat, progress in developing effective detection solutions remains limited. In this study, we present an ML-based framework for detecting and classifying network threats targeting IoT environments. Using the CTU-IoT-Malware-Capture 2023 dataset and the UNSW Bot-IoT dataset, we transformed the task into a structured multi-class classification problem to better reflect real-world detection challenges. Our primary contribution lies in demonstrating the effectiveness of post-training quantization on gradient-boosted models, specifically a Quantized XGB variant enhanced with histogram-based quantization. This approach significantly reduces model size and inference time without sacrificing accuracy. The proposed model achieved high classification accuracies of 99.93% and 99.99% on the two datasets, while the quantization step led to 1.42× and 3× improvements in inference speed, and reductions in model size by 3.61× and 2.71×, respectively, making it well-suited for deployment in resource-constrained IoT settings. This work demonstrates not only the effectiveness of gradient boosting in handling complex traffic data but also introduces an efficient optimization strategy for real-time IoT threat detection. Full article
Show Figures

Figure 1

10 pages, 853 KB  
Proceeding Paper
Enhancing Machine Learning Model Prediction with Feature Selection for Botnet Intrusion Detection
by Marwa Baich and Nawal Sael
Eng. Proc. 2025, 112(1), 55; https://doi.org/10.3390/engproc2025112055 - 29 Oct 2025
Cited by 1 | Viewed by 1271
Abstract
Increased vulnerabilities brought about by the explosive growth of the Internet of Things (IoT) call for improved security measures to protect systems from attacks. Intrusion Detection Systems (IDS) that use machine learning (ML) are essential for identifying vulnerabilities. Among various threats, botnets are [...] Read more.
Increased vulnerabilities brought about by the explosive growth of the Internet of Things (IoT) call for improved security measures to protect systems from attacks. Intrusion Detection Systems (IDS) that use machine learning (ML) are essential for identifying vulnerabilities. Among various threats, botnets are particularly challenging due to their persistence and complexity. This study explores the application of ML techniques (RF, NB, DT, KNN, LR, and XGBoost) for intrusion detection in IoT networks, with a focus on handling imbalanced data and applying feature selection methods. On the Bot-IoT dataset, the study used Lasso feature selection and the SMOTE data balancing technique to obtain a high accuracy of 99.99% with low execution times using the XGBoost model. Full article
Show Figures

Figure 1

Back to TopTop