0% found this document useful (0 votes)

34 views19 pages

Hybrid Machine Learning Model For Efficient Botnet

This article presents a hybrid machine learning model, ACLR, for efficient botnet attack detection in IoT environments, utilizing a combination of ANN, CNN, LSTM, and RNN. The model achieved a testing accuracy of 0.9698 and demonstrated superior performance compared to existing models, with a ROC-AUC of 0.9934 and PR-AUC of 0.9950. The research emphasizes the importance of advanced detection methods to combat the evolving threats posed by botnets in the rapidly growing IoT landscape.

Uploaded by

starlite04071

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

34 views19 pages

Hybrid Machine Learning Model For Efficient Botnet

Uploaded by

starlite04071

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

This article has been accepted for publication in IEEE Access.

This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3376400

Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/[Link]

Hybrid Machine Learning Model for

Efficient Botnet Attack Detection in IoT
Environment
MUDASIR ALI 1 , MOBEEN SHAHROZ 2 , MUHAMMAD FAHEEM MUSHTAQ 2 SULTAN
ALFARHOOD 3,* , MEJDL SAFRAN 3 AND IMRAN ASHRAF 4,*
1
Department of Computer Science, The Islamia University of Bahawalpur, Bahawalpur, Punjab, 63100, Pakistan; (mudasiralics786@[Link])
2
Department of Artificial Intelligence, The Islamia University of Bahawalpur, Bahawalpur, Punjab, 63100, Pakistan; ([Link]@[Link];
[Link]@[Link])
3
Department of Computer Science College of Computer and Information Sciences King Saud University [Link] 51178 Riyadh 11543 Saudi Arabia;
(sultanf@[Link], mejdl@[Link])
4
Department of Information and Communication Engineering, Yeungnam University, Gyeongsan 38541, South Korea; (email: ashrafimran@[Link])
Corresponding author: Correspondence: Imran Ashraf and Sultan Alfarhood;( email: ashrafimran@[Link]; sultanf@[Link])
This research is funded by the Researchers Supporting Project Number (RSPD2024R890), King Saud University, Riyadh, Saudi Arabia.

ABSTRACT Cyber attacks are growing with the rapid development and wide use of internet technology.
Botnet attack emerged as one of the most harmful attacks. Botnet identification is becoming challenging
due to the numerous attack vectors and the ongoing evolution of viruses. As the Internet of Things (IoT)
technology is developing rapidly, many network devices have been subject to botnet attacks leading to
substantial losses in different sectors. Botnets pose serious risks to network security and deep learning
models have shown potential for efficiently identifying botnet activity from network traffic data. In this
research, a botnet identification system is proposed based on the stacking of artificial neural network (ANN),
convolutional neural network (CNN), long short-term memory (LSTM), and recurrent neural network
(RNN) (ACLR). The experiments are conducted by employing both the individual models, as well as,
the proposed ACLR model for performance comparison. The UNSW-NB15 dataset is used for botnet
attacks and contains nine different attack types including ’Normal’, ’Generic’, ’Exploits’, ’Fuzzers’, ’DoS’,
’Reconnaissance’, ’Analysis’, ’Backdoor’, ’Shell code’ and ’Worms’. Experimental results indicate the
proposed ACLR model gains 0.9698 testing accuracy showing that it is successful in capturing the intricate
patterns and characteristics of botnet attacks. The proposed ACLR model’s k values (3, 5, 7, and 10) for a
K-fold cross-validation accuracy score is 0.9749 indicating that the model’s robustness and generalizability
are demonstrated by k = 5. In addition, the proposed model detects botnets with a high receiver operating
characteristic area under the curve (ROC-AUC) of 0.9934 and a precision-recall area under the curve (PR-
AUC) of 0.9950. Performance comparison with existing state-of-the-art models further corroborates the
superior performance of the proposed approach. The results of this research can be helpful against evolving
threats and enhance cyber security procedures.

INDEX TERMS Botnet attack detection; stacking; cyber-attacks; stacked ensemble; deep learning; IoT

I. INTRODUCTION from harmful activities, such as distributed denial of service

(DDoS) assaults, data breaches, and malware distribution, by
HE rise of Internet technology led to its rapid and
T wide adoption by the masses for daily, social, cultural,
and institutional activities. Similar to other technologies, the
identifying and destroying botnets. Early identification not
only minimizes possible damage but also preserves network
effectiveness and user confidence in digital services. Addi-
internet also has negative uses where people are targeted
tionally, it promotes cyber resilience, guarantees adherence to
to steal their money or personal information. Botnet attack
legal and regulatory standards, and supports innovation in the
detection is a crucial component of cyber security, largely
continuous struggle against globally advancing cyber threats.
because it aids in preventing and reducing a variety of online
Deep learning-based botnet detection uses powerful machine
security risks. Security experts can protect networks and data

VOLUME 4, 2016 1

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see [Link]
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2024.3376400

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

learning models to quickly find and categorize harmful botnet and devices depend on the ability to detect botnet activity.
activity in the network data. Quickly identifying and counter- Because they can be used for spam distribution, distributed
acting the cyber dangers posed by botnets, aids organizations denial of services (DDoS) attacks, and theft of data, botnets
in protecting their systems and data. Such attacks have hap- offer a serious threat. By utilizing deep learning algorithms
pened on both individuals and groups in a variety of ways in botnet detection, researchers and practitioners expect to in-
to obtain financial advantage. One of the most well-known crease the accuracy and efficacy of detection approaches and
forms of assault is ransomware, which targets a person and enable proactive protection strategies against botnet attacks
locks their data until they pay the ransom demanded by [4].
the attacker. The attackers utilize botnets to assault huge The topic of botnet identification is facing additional diffi-
organizations. Due to its success in fending off the growing culties as a result of the proliferation of Internet of Things
menace of botnets, botnet detection employing deep learning (IoT) devices. The possible presence of a few devices be-
algorithms has attracted a lot of interest recently. coming infected by botnet viruses can have disastrous effects
Network traffic analyzers based on deep learning have because there are billions of connected devices worldwide.
become an effective tool for spotting and reducing botnet The size and diversity of IoT networks present challenges
activity. These analyzers use deep learning models to au- for traditional botnet detection methods, underscoring the ne-
tomatically extract pertinent information from unprocessed cessity for cutting-edge solutions. Deep learning techniques
packet data. The first few packets in a flow’s headers are for botnet identification have become more popular in this
specifically extracted and examined to look for patterns and field. The challenge of botnet detection in IoT networks is
traits typical of botnet traffic. Using convolutional neural to efficiently detect and reduce the presence of botnets. This
network (CNN) and autoencoder, it is possible to identify problem is solved by deep learning algorithms, which auto-
malicious botnet traffic independent of the architecture of the matically extract relevant features from unprocessed packets
underlying botnet [1]. Autoencoders are used to teach the [5]. To properly detect new botnet behaviors, however, the
network how to rebuild its input to learn the fundamental detection models must be capable to adapt and update in the
form of network traffic data. This method aids in spotting present as botnets continue to develop and adopt complex
peculiar patterns that point to botnet activity. By identifying evasion strategies.
spatial connections and hierarchical representations, CNNs Real-time or nearly real-time detection of botnet activity
on the other hand excel in the analysis of structured data, is made possible by deep learning algorithms’ capacity to
such as network traffic. Researchers and practitioners in the handle massive volumes of network traffic data effectively.
field of botnet detection have made tremendous progress in Scalable deep learning architectures that can manage the
identifying and reducing botnet risks because of the strength high-dimensional and dynamic nature of IoT traffic data are
of deep learning algorithms. These techniques have produced difficult to develop and put into practice. The generalization
encouraging results in precisely classifying and identifying of detection models across various botnet topologies and
botnet traffic, allowing for proactive defenses against botnet variants is the focus of the problem statement. To ensure
attacks [2]. robustness and adaptability in the face of changing botnet
Botnet identification using deep learning algorithms has threats, deep learning algorithms must be able to learn and
proven to be a promising method for lessening the threat of detect botnet activities regardless of the underlying network
botnets. It has been suggested that deep learning-based net- structure [6].
work traffic analyzers can successfully detect and counteract Deep learning techniques for botnet identification have
botnet activity. Bidirectional long-short-term memory recur- several benefits. They offer automatic and perceptive systems
rent neural networks (BLSTM-RNN) are a famous example to deal with the diversifying and increasingly sophisticated
of how deep learning is being used in botnet identification. dangers posed by botnets. These methods have the potential
BLSTM-RNN models are well suited for analyzing network to accurately detect both well-known and newly-discovered
traffic and spotting trends connected to botnet activity be- botnet activity by utilizing deep neural networks. Addition-
cause they are excellent at collecting both the past and future ally, the ability to extract features from packet headers en-
context of sequential data [3]. There are various benefits to ables effective analysis of network data, making it possible
using deep learning algorithms for botnet identification. First to detect botnet behaviors in real-time [7]. However, there
of all, these algorithms are capable of learning and adapt- are still issues with the creation and application of these sug-
ing automatically to the changing characteristics of botnets, gested alternatives. Deep learning techniques are currently
allowing them to recognize novel and previously unknown being modified to handle encrypted traffic and changing
botnet behaviors. Second, these algorithms can find hidden botnet structures. Further research is needed in the areas of
patterns and anomalies that would not be noticeable using generalizability of detection models across various network
conventional detection techniques by extracting characteris- settings and handling the dynamic nature of botnet behaviors
tics from raw data packets. Deep learning models can also [8]. In this regard, this research proposes a stacked model and
handle enormous amounts of network traffic data quickly, makes the following primary contributions:
making it possible to detect botnet activity in real-time or • This research proposes a stacking model ACLR for
almost real-time. The security and integrity of networks botnet attack identification to improve security mea-
2 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

sures for IoT systems. The proposed model utilizes the strategies used by attackers. Deep learning methods, how-
strengths of artificial neural network (ANN), convolu- ever, present a more promising strategy for overcoming these
tional neural network (CNN), long short-term memory difficulties.
(LSTM), and recurrent neural network (RNN). The authors [10] were the first to employ machine learning
• Experiments involve the classification of several attack for botnet traffic detection. They utilized a CNN model in that
types, including common ones like normal and generic regard. Experimental results show that the accuracy of the
as well as worms, backdoors, shell code, fuzzers, training set is 98.62%, the loss is 4.74% and training takes an
DoS, reconnaissance, and analysis. For experiments, average of 32 seconds for each epoch. Accuracy is 99.57%,
the dataset is preprocessed involving the removal of loss is 1.74% and test duration is 10 seconds per epoch for
null values and label encoding for categorical values the test set.
necessary for training machine learning models. The largest and most destructive internet cybercrimes have
• The efficacy of the proposed approach is meticulously involved DDoS attacks. The Mirai botnet was one of the
assessed through a comprehensive set of widely rec- most well-known instances of a DDoS assault using the
ognized performance evaluation metrics, encompassing IoT. A DDoS attack is a kind of cyber-attack in which a
accuracy, precision, recall, and the F1 score. In order to hacker temporarily subjugates several compromised systems
add further resilience to the results, the performance is to attack a particular target and sends concurrent requests to
thoroughly verified using k-fold cross-validation, with k a server for a specific service, overwhelming the server and
values of 3,5, 7, and 10. Moreover, to evaluate the dis- convincing it to disregard real requests from end users. To
criminative power of the model, the receiver operating create and disseminate a network of robots (botnets) made up
characteristic area under the curve (ROC-AUC) metric of the afflicted IoT devices (bots), Mirai is a piece of malware
is also utilized. In addition, performance comparison that infects IoT devices. The attacker (the "botmaster") then
with state-of-the-art models is also carried out. instructs the bots to take part in DDoS attacks on Internet
The preceding research is distributed into the following targets using a command and control (C&C) server. The re-
section: Section II presents the literature review of the cur- search [11] presented a bidirectional LSTM (BLSTM-RNN)
rent research works and technologies. Section III introduces approach for botnet attack detection. To determine whether
the overall research approach, describing the data collection the BLSTM-RNN’s incorporation of contextual data received
methods and discussing the data analysis techniques. Sec- from the past and future may lead to higher accuracy, the
tion IV shows the results and discussion of the proposed model was compared against a unidirectional LSTM-RNN.
approach. Section V presents the conclusion and establishes With 99%, 98%, and 98% validation accuracy and 0.000809,
a connection to the broader context. 0.125630, and 0.116453 validation loss metrics, respectively
the findings for Mirai, UDP, and DNS were highly encourag-
II. RELATED WORK ing.
Attacks on computer networks can read, damage, and steal The research [12] used classifiers such as k-nearest neigh-
data, which has a devastating impact on how well the system bors (KNN), decision tree (DT), AdaBoost (AB), random
performs as a whole. Pre-intrusion actions like port scanning forest (RF), linear SVM (LSVM), and radial basis function
and IP spoofing come before attacks. Attacks are discovered SVM (RSVM), all of which were applied to the three dif-
by keeping track of data from source and destination IP ferent sets of DS1 data. The performances obtained by the
addresses, ports, protocol specifics, header specifics, etc. logistic regression (LR) and Naive Bayes (NB) classifiers
[9]. Attacks can be divided into two categories: passive were significantly worse.
and active, depending on their nature. The passive attack The authors combined the CNN-LSTM model in [13]
may be network- or system-based, with the attacker covertly to identify DDoS attacks using the CICIDS 2017 dataset.
monitoring the network to obtain private data. Monitoring Results show a 97.16% accuracy, 97.41% precision, and
passive attacks might be tricky. Active attackers bypass all 99.1% reliability. A domain generation algorithm attack is
security precautions and gain access to networks by taking studied in [14] and an accuracy of 94.9% is reported. Im-
advantage of security flaws, posing as a reliable system, or plementation of countermeasures for cyber attacks incurs
stealing credentials. large costs; so, cost reduction is an important factor in cyber
security. Using only 25% of the implementation budget, the
A. CYBER SECURITY proposed model in [15] outperformed cutting-edge IoT bot-
To recognize and reduce one of the biggest hazards to sys- net detection techniques in terms of accuracy. As a result, it
tems connected to the internet, cyber security is a crucial cuts the implementation budget by almost 75%. The research
duty. Botnets are collections of hacked computers that are [16] employs CNN and LSTM for botnet attack detection. In
coordinated by a master host and used for malicious purposes comparison to the average validation accuracy, the average
like spam distribution, DDoS, and data theft. Traditional training accuracy for DNNBoT1 and DNNBoT2 was 90.71%
botnet detection techniques, like anomaly-based identifica- and 91.44% respectively, for each was 90.54% and 91.24%.
tion and signature-based approaches, have trouble identifying A growing trend in recent years is deep learning potential
unknown botnets, encrypted traffic, and complex evasion methods for botnet detection. Cyber security is seriously
VOLUME 4, 2016 3

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

threatened by botnets, which are networks of compromised technique in memory-restricted IoT devices appears to be
hosts used by a master host to conduct malicious operations. more realistic for efficient botnet identification.
In order to effectively address the variety of cyber security The authors used LSTM-based domain generation algo-
issues, popular deep learning methods can be used, including rithms (DGAs) for botnet attack detection [25]. Different
their ensembles and hybrid methods [17]. DGAs with benign and DGA domain names were employed
for multiclass classification. On two different test data sets,
B. MACHINE LEARNING APPROACHES FOR BOTNET the accuracy of the LSTM model for binary classification
ATTACK DETECTION was 98.7%, whereas 68.3% and 67.0% respectively were the
accuracy scores for multi-class classification.
An all-encompassing, useful technique for learning real-
The capability of recurrent neural networks (RNN) to
valued, discrete-valued, and vector-valued functions is the
properly identify samples of network traffic from extremely
ANN. The research [18] proposed an ANN model and tested
imbalanced classes has been investigated [26]. Stacked RNN
it using the CTU-13 dataset. In comparison to support vector
(SRNN) surpassed RNN when the functionality of SRNN
machine (SVM), and NB, the model yields better accuracy of
was assessed using the Bot-IoT dataset. RNN is used to train
approximately 99%. Similarly, an ANN is deployed for auto-
the feature representations of highly skewed network traffic
matically identifying DDoS attacks in [19]. Results showed
data for discriminative categorization. Precision, recall, F1,
that ANN in particular showed a very good accuracy of 99%
AUC, GM, and MCC were all improved by the SRNN model.
and proved to be more effective against DDoS attacks.
Spam emails are becoming a serious issue for networks
Various CNN models are also utilized for botnet attack and user productivity. The research [27] analyzed and as-
detection. A CNN-LSTM model is utilized in [20] for attack sessed how well deep RRN performs in detecting spam
detection IoT settings, categorizing and halting network ac- emails. The F score, average validation accuracy for the se-
tivity by severing wifi connections. CNN layers are utilized lected datasets, and estimates of the true positive rate (TPR),
to extract features from the input data while LSTM is used for true negative rate (TNR), false positive rate (FPR), and true
detection. The authors report good results with a specificity negative rate (TNR) were made. According to the findings,
of 93% and an F1 score of 100%. The results demonstrate the deep RNN approach has a detection rate and accuracy
the innovative outcomes of utilizing the CNN-LSTM model of up to 98.65%. Additionally, the proposed method has the
in the analysis of regular packets, fuzzing assaults, and flood greatest F score, AUC, and TPR which are approximately and
attacks. The weighted average findings of the author’s sug- respectively 97.93%, 98.61%, and 98.65%.
gested approach for identifying the botnet on the Provision Studies on DDoS attacks have identified various defense
PT-737E camera were as follows: 88% for camera precision, strategies, including traffic separation, attack identification
87% for recall, and 83% for F1 score. On the Provision and mitigation, and source tracking [28]. DDoS detection
PT-838 camera, the system’s classification results for botnet systems distinguish normal and anomalous activity streams,
assaults and regular packets were 89% for recall, 85% for F1 while traffic separation hinders significant movement. SDNs
score, and 94% for accuracy [21]. are vulnerable due to centralized control and security vul-
A botnet detection system that successfully locates P2P nerabilities. The performance of the proposed structure is
botnets using machine learning is employed in [22]. Us- assessed by the author using various traffic simulation situ-
ing well-known P2P botnet datasets, the proposed approach ations, and the outcomes produced by the machine learning
demonstrates to be effective in identifying botnets with low DDoS detection module are compared. For NB, SVM, and
false positive rates and great accuracy. The recommended DT, the accuracy rates attained by the proposed framework
technique creates a CNN-based model and gathers flow- were 97.4%, 96.1%, and 98.1%, respectively.
based data from packet headers, a technique that is frequently The Network Virtualization Feature replaces specialized
employed for speech and image recognition. The test shows hardware with virtual machines for network functions [29].
that this step increases detection precision to 98.6% while The System Data Network (SDN) manages all virtual com-
reducing false positive rates to 0.5%. [23]. puters and networks, reducing power consumption, effi-
The research [24] utilized a long short-term memory au- ciency, and security risks. The proposed design for smart
toencoder (LAE) encoding phase to minimize the feature cities uses black SDN-IoT with NFV integration, with a
dimensionality of large-scale IoT network traffic data. Us- tiered approach comprising application, CP, DP, and per-
ing the low-dimensional feature set’s long-term interrelated ception layers. The distributed SDN controller routes data
changes to research the deep bidirectional long short-term towards itself. The author emphasizes fault tolerance, load
memory (BLSTM) created by LAE to accurately categorize balancing, energy and security management, and scalabil-
network traffic samples. The BoT-IoT data collection is used ity in SDN management solutions. AI-based methods are
in numerous tests to verify the viability of the suggested insufficient for intelligent decision-making in unpredictable
hybrid deep learning approach. The LAE model showed the situations. Blockchain, IoT, and AI can improve privacy,
highest percentage of data size reduction (91.89%), accord- security, and transparency.
ing to the simulation’s results. As the data size of key network The Smart Data Network (SDN) approach offers a solution
traffic aspects lowers, the application of the deep learning to the security challenges posed by the rapidly expanding In-
4 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

ternet of Things (IoT) networks [30]. It decouples control and III. METHODOLOGY
data planes, simplifies network management, and prepares The botnet detection is carried out using a hybrid deep
systems for IoT data attacks. The author presents a scalable learning model proposed in this research. Figure 1 shows
method for automatic, verifiable, adaptive, and immutable the methodology of the proposed approach. The proposed ap-
access control policies for IoT devices. proach is based on model stacking where the output of ANN,
CNN, LSTM, and RNN is used for the final prediction. Addi-
The research [31] investigates cyber attacks on electrical
tionally, it is estimated how well deep learning classification
power grids that occurred in Ukraine in 2015 and 2016.
models perform when employed to analyze botnet attack
The approach is focused on early-stage attack detection by
detection using the UNSW-NB15 dataset. The preprocessing
analyzing anomalies in the communication network. The
is carried out to remove null values and handle categorical
focus is to locate the active attack in real time using a hybrid
data using label encoding. To expedite the process, a variety
graph convolutional LSTM model. For implementation, SDN
of deep learning algorithms including ANN, CNN, LSTM,
and anomaly detection are combined showing a detection
and RNN are applied.
accuracy of 96% thereby outperforming existing models.
Similarly, the authors propose a novel intrusion detection
model in [32] to detect attacks on smart grids. The authors A. DATASET DESCRIPTION
combine a deep learning model with a feature selection The dataset for botnet detection is collected from the Kaggle
approach for better detection accuracy. LSTM and extreme dataset repository. The dataset was originally collected from
gradient boosting (XGBoost) models are combined for intru- the University of New South Wales (UNSW) for analyzing
sion detection. For better parameter selection of XGBoost, network behavior [33]. Despite not being created in an IoT
a Bayesian method is utilized. Experimental results show environment, the dataset has been utilized in multiple studies
superior performance of the proposed approach. on network security and IoT security. The UNSW-NB15
dataset has been used by researchers and cyber security
professionals to test intrusion detection systems and create

FIGURE1: Architecture of the proposed approach.

VOLUME 4, 2016 5

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

algorithms to find different kinds of network assaults, includ- and blocks is constrained. By selecting the proper external
ing those that may harm IoT devices and networks [34]–[36]. parameters, generic assaults can be found. Exhaustive key
searches, dictionary attacks, rainbow table assaults, and other
TABLE1: Statistics of the UNSW-NB15 dataset. generic attacks on block ciphers are a few examples [37].
Attack Types Absolute Frequencies Absolute Percentages
Normal 37000 0.449400 2) Exploits
Generic 18871 0.229206
Exploits 11132 0.135209 An attacker seizes the ability to govern computer resources
Fuzzers 6062 0.073629 or network data, exploits a weakness in the programmer
DoS 4089 0.049665 or operating system, and causes system failures or crashes.
Reconnaissance 3496 0.042462
Analysis 677 0.008223 Zero-day exploits make use of software flaws that suppliers
Backdoor 583 0.007081 are unaware of [38].
Shellcode 378 0.004591
Worms 44 0.000534
3) Fuzzers
The dataset is configured as a training set and Fuzzers assault systems by flooding them with a lot of
testing set, namely UNSW_NB15_training-[Link] and random data to break them and identify faults. It can lo-
UNSW_NB15_testing-[Link] respectively. Both a training cate security gaps in networks and operating systems as
set and a testing set are available for the UNSW-NB15 well as vulnerabilities in software and systems [39]. It has
dataset. To assess the model’s performance, the training file been demonstrated that deep neural networks (DNNs) are
set is utilized as a main dataset which is further divided into extremely sensitive to even small changes in their input data.
training and testing datasets for further processing in the ratio This problem illustrates how Sensei may improve the robust
of 0.7 to 0.3. The total number of records in the dataset is accuracy of the DNN by up to 11.9% and 5.5% on average
82332 that contains nine attack types including ’Normal’, when compared to the state-of-the-art for each of the 15
’Generic’, ’Exploits’, ’Fuzzers’, ’DoS’, ’Reconnaissance’, models. This problem is comparable to the overfitting issue
’Analysis’, ’Backdoor’, ’Shell code’ and ’Worms’. The num- in test-based program synthesis and autonomous program
ber of samples for each class and other details are given in repair. Additionally, Sensei-SA can improve strong accuracy
Table 1 and Figure 2. while reducing the average DNN training time by 25% [40].

4) Denial of Service
Attacks with DoS suspend service, making network re-
sources inaccessible to users. DoS assaults utilizing machine
learning and deep learning models have dramatically in-
creased in frequency and complexity, according to VeriSign
[41]. The accuracy of the CNN-based intrusion detection
system is higher for DoS attack detection [42].

5) Reconnaissance
Before starting the actual attack, reconnaissance assaults
gather all available information regarding the intended sys-
tem and act as a planning tool. Social, public, and software
reconnaissance are the three basic categories of reconnais-
sance attacks. Information is obtained during this assault
using packet sniffing, port monitoring, ping sweeps, and
inquiries about internet data [43].

6) Analysis
FIGURE2: Target attack category. It uses web scripts, spam emails, and port scanning to access
the web application. By thwarting IP spoofing, modifying the
A variety of cyber-attacks can be carried out via botnets. frequency of port scans, and switching up the order in which
Some of the most frequent attack types linked to botnets ports are searched; machine learning models can detect port
include scanning. Because they propagate malicious code, carry out
phishing scams, and generate revenue, spam emails are risky.
1) Generic The use of content-based email filtering using machine learn-
Block ciphers are vulnerable to generic attacks that do not ing models discovers specific keywords that can result in
take their internal structure into account. All block ciphers a high variation between spam and valid emails. One of
are vulnerable to general attacks because the length of the key the many effects of malicious HTML code penetrations is
6 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

the exposure of cookies, which changes the content of the C. DEEP LEARNING MODELS
victim’s page [44]. ANNs are used in deep learning to conduct complex cal-
culations on vast volumes of data. Healthcare, e-commerce,
7) Backdoor entertainment, and advertising are just a few applications that
Attacks using backdoors to undermine security measures and often use deep learning. For obtaining better performance
gain access to computers and their data. This assault targets from machine learning models, hyperparameter optimization
user’s access to computing resources as well as their privacy is critical. The hyperparameters selection process involves
[45]. careful consideration and experimentation to achieve opti-
mal model performance. Cross-validation techniques assess
8) Shellcode generalization performance, mitigating overfitting risk. Prior-
A brief piece of code called shell code is utilized as the itizing hyperparameters with significant influence allows for
payload when software vulnerability is exploited. It launches fine-tuning critical parameters for optimal results, ensuring
a command interpreter that enables interactive command robust evaluation of model performance. For this purpose,
entry and reports back the results of commands executed on hyperparameter ranges are selected from the existing liter-
vulnerable systems. Run-time heuristics that depict machine- ature that carried out similar tasks. Once the range of various
level operations can be used to identify shell code assaults hyperparameters is defined, the gridsearchCV method is uti-
[46]. lized to obtain the best parameters. This method executes the
model with all the combinations of the parameters for the
given range and provides the best-fit parameters for optimal
9) Worms
performance.
By taking advantage of the security flaws, worms reproduce
and propagate to other computational resources. Two ex- 1) Artificial Neural Networks
pected characteristics of the worm detection system are early
ANNs are crucial components of deep learning which are
warning and a quicker response time for countermeasures.
motivated by the design and operation of the human brain.
It takes into account the payload’s structure and content,
ANNs are reported for their capacity to recognize intricate
network traffic, packet headers, and host behavior monitoring
relationships and patterns in data, which makes them useful
for worm detection [47].
for a number of applications such as time series analysis,
picture identification, and natural language processing. They
B. DATA PREPROCESSING have been successfully used in several industries includ-
Preprocessing must be completed before any analysis to ing finance, healthcare, and autonomous cars. Despite their
make the data ready for the model training and testing. The strength, ANNs can be computationally demanding and need
dataset needs to be loaded, cleaned, modified, and trans- a lot of labeled training data. Despite this, substantial strides
formed into a form that is appropriate for machine learning in hardware and algorithms have made ANNs a pillar of
models. Figure 2 shows the distribution of the samples for contemporary machine learning. This research uses an ANN
each class. It shows that there is an imbalance in the statistics with the architecture shown in Figure 3. The discussion of
since at least one of the category labels has lower samples hyperparameters of ANNs is shown in table 2.
compared to other category labels. To make the number of
instances of each attack type equal, resulting in a total of TABLE2: Hyperparameter of ANN model.
82332 cases. Then, category features are transformed into nu- Hyperparameter Values
merical values using label encoding. The number of columns Number of Layers 3
are features. This dataset has 45 features. Encoding categori- Layer 1 Dense 64
cal values into numerical representations that deep learning Layer 2 Dense 32
Layer 3 Dense 1
algorithms can use is a common task when working with Activation function relu
categorical data. Using a label encoder, which gives each Activation function sigmoid
category in the data a distinct number label, is a well-liked Optimizer adam
loss binary_crossentropy
method for this purpose. There are several methods you may metrics accuracy
use when using a label encoder to handle missing values in batch_size 32
categorical data. Before using the label encoder, one choice is Number of Epochs 30
to substitute the missing values with a particular placeholder,
such as "NaN". This can be accomplished by using the label
encoder after transforming the category data into strings. 2) Convolutional Neural Networks
Numerous libraries, like sci-kit learn, use the Label Encoder An advanced form of an ANN is CNN, which was created
class from the sklearn. The preprocessing module offers label to be particularly effective at processing and analyzing visual
encoding as a feature. This can be accomplished by utilizing data, such as pictures and movies. CNNs are very good at
the label encoder class from sci-kit learn, which concentrates extracting significant patterns and characteristics from im-
on encoding target labels rather than input information. ages. The input data is subjected to filters in the convolutional
VOLUME 4, 2016 7

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

FIGURE3: Architecture of artificial neural network.

layers, which enables the network to learn regional patterns botnet detection using the architecture shown in Figure 4. The
and spatial hierarchies. The feature maps are downscaled by hyperparameters of the CNN model are shown in Table 3.
the pooling layers, which reduces computational complexity
while preserving crucial data. The completely connected 3) Long Short-Term Memory Network
layers at the network’s end are where the high-level features The LSTM algorithm is an example of recurrent neural net-
are processed and the final output is produced. CNNs have work (RNN) architecture created expressly to represent and
demonstrated astonishing performance in a wide range of analyze sequence data. LSTMs can capture long-term depen-
computer vision applications including object detection, im- dencies and maintain information over long time periods, un-
age classification, and semantic segmentation. like conventional RNNs. The pertinent information is stored
and updated by the memory cells and the gates decide which
TABLE3: Hyperparameter of CNN model.
facts are important to remember and which are not. The three
Hyperparameter Values gates that control the information flow via the LSTM units
Number of Convolutional Layers 2 are gates for input, forgetting, and output. Because of their
Number of Filters (Layer 1) 64
Number of Filters (Layer 2) 32 special construction LSTMs can handle sequences of various
Activation function relu lengths and detect temporal relationships in the data.
Activation function sigmoid LSTMs are widely used in speech recognition, natural
Kernel Size (3,3)
Pooling MaxPooling (2x2)
language processing, and time series analysis. Significant
Optimizer adam improvements have been made across a variety of fields,
loss binary_crossentropy including a result of the high efficiency with which LSTMs
metrics accuracy have been shown to capture intricate patterns and correlations
batch_size 32
Number of Epochs 30 within sequential data. Figure 5 shows the architecture of
LSTM used in this research. The hyperparameters of LSTM
The effectiveness of CNNs can be due to their capacity to are shown in Table 4.
take advantage of shared weights and local spatial correla-
tions. Compared to fully linked networks, this dramatically 4) Recurrent Neural Network
decreases the number of parameters, making CNNs more An artificial neural network that works well for processing
effective and simpler to train. This research uses a CNN for sequential data is RNN. RNNs, as opposed to conventional

FIGURE4: Architecture of convolutional neural network.

8 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

TABLE5: Hyperparameter of RNN model.

Hyperparameter Values
Number of Layers 2
SimpleRNN 64
Dense 1
Activation function sigmoid
Optimizer adam
loss binary_crossentropy
metrics accuracy
batch_size 32
Number of Epochs 30

comprehensive overview of their differences is presented in

FIGURE5: Architecture of long short-term memory network. Table 6.
TABLE6: Major differences between LSTM and RNN.
TABLE4: Hyperparameter of LSTM model.
Feature RNN LSTM
Hyperparameter Values Architecture Simple and straight- More complex,
Number of Layers 2 forward recurrence. including memory
LSTM (Layer 1) 64 cells and gates.
Dense (Layer 2) 32 Memory Handling Short memory span Long memory span,
Activation function sigmoid due to vanishing and handles vanishing and
Optimizer adam exploding gradient exploding gradient
loss binary_crossentropy problems. problems effectively.
metrics accuracy Memory Cells No explicit memory Contains memory
batch_size 32 cells. cells to store and
Number of Epochs 30 access information
over long sequences.
Gating Mechanisms No gating Gating mechanisms
mechanisms. (e.g., input, output,
feed-forward networks, feature connections between nodes forget) control
that create a directed cycle, which enables them to remember information flow.
Gradient Flow Suffers from vanish- Mitigates
information and gain knowledge from prior inputs. RNNs ing or exploding gra- vanishing/exploding
can represent sequences of any length and capture temporal dients over long se- gradients through
dependencies thanks to their cyclic structure. Information quences. gating mechanisms,
allowing better
travels through time because each node in an RNN receives learning.
input from both the input current and the prior hidden state. Training Complexity Less complex More complex
due to additional
parameters and gating
mechanisms.
Performance Struggles with long- Well-suited for cap-
term dependencies. turing long-term de-
pendencies.

D. PROPOSED STACKING ACLR MODEL

A deep learning technique called stacking is used to integrate
the results of various classification models to get a more
potent and precise final prediction. To improve the overall
FIGURE6: Recurrent neural network used in this research. predictive performance, stacking combines several models.
By stacking models, we can benefit from the strengths and
RNNs are effective for tasks like processing natural lan- diversity of different algorithms. Each algorithm may have
guage, speech recognition, and handwriting recognition due its unique way of capturing the data’s patterns and linkages
to their recursive nature. The vanishing gradient problem, and by combining their predictions, we can make a prediction
in which gradients get smaller and smaller with time, can that is more reliable and precise. Stacking helps in reducing
limit the ability of conventional RNNs to detect long-range bias and variance, improving generalization, to the training
dependencies. Variations like the LSTM and gated recurrent data.
unit (GRU) are created to remedy this. The architecture of Figure 7 shows the architecture of the proposed ACLR
the sued RNN is shown in Figure 6. The hyperparameters of model. Stacking is a powerful ensemble learning tech-
RNN are shown in Table 5. nique that leverages the strengths of multiple deep learn-
Although LSTM is a type of RNN, they both bear several ing algorithms including ANN, CNN, LSTM, and RNN.
differences in their architecture and working functionality. A While deep learning stacking methods solve compli-
VOLUME 4, 2016 9

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

FIGURE7: Architecture of proposed Hybrid ACLR model.

cated problems but demand more data and computer re- in understanding the model, necessitating careful evaluation
sources and give less interpretability, ensemble techniques of the combination and training approach. Applying a single
(ANN+CNN+LSTM+RNN) mix multiple models for en- model will not produce excellent results but, when many
hanced generalization and interpretation ability. By combin- models are combined through stacking, good accurate results
ing their predictions in a layered fashion stacking can en- will be produced. This is a novel approach in terms of these
hance the overall predictive performance leading to improved strategies. A complete list of the hyperparameters is given in
accuracy and robustness in deep learning models. Stacking Table 7.
discovers the most effective way to combine the predictions
from various successful machine learning models. By utiliz- E. EVALUATION PARAMETERS
ing each of their own capabilities, minimizing overfitting, and Accuracy, recall, and precision are common measures for as-
enhancing feature extraction, stacking RNNs, ANNs, CNNs, sessing the efficacy of machine learning models, particularly
and LSTMs improves performance in deep learning. By for classification tasks. The model’s ability to forecast the
using an ensemble technique, models become more resilient various classes or categories of the input data is indicated by
and flexible when dealing with different data distributions. It these measures.
also increases computing complexity and presents difficulties
Despite being a frequently used statistic, accuracy is not

TABLE7: Hyperparameters of models.

Models Layers Unit Kernal_size Activation Function Loss Optimizer Metrix Epoch Accuracy
ANN 3 64,32,1 - relu,sigmoid binary_crossentropy adam accuracy 25 0.7568
ANN 3 64,32,1 - tanh, sigmoid binary_crossentropy adamax accuracy 25 0.7010
ANN 3 64,32,1 - tanh,relu categorical_crossentropy rmsprop accuracy 25 0.7268
ANN 3 64,32,1 - softmax,sigmoid binary_crossentropy adagrad accuracy 25 0.7465
ANN 3 64,32,1 - tanh, sigmoid mean_squared_error sgd accuracy 25 0.7567
CNN 6 64,32 3 relu,sigmoid binary_crossentropy adam accuracy 30 0.944
CNN 6 64,32 3 elu,softmax binary_crossentropy rmsprop accuracy 30 0.7582
CNN 6 64,32 3 softmax,sigmoid categorical_crossentropy adagrad accuracy 30 0.8874
CNN 6 64,32 3 sigmoid,tanh binary_crossentropy sgd accuracy 30 0.9273
CNN 6 64,32 3 elu,sigmoid mean_squared_error adamax accuracy 30 0.6993
LSTM 2 64,1 - sigmoid binary_crossentropy adam accuracy 30 0.9651
LSTM 2 64,1 - elu binary_crossentropy rmsprop accuracy 30 0.9436
LSTM 2 64,1 - softmax categorical_crossentropy adagrad accuracy 30 0.9516
LSTM 2 64,1 - tanh binary_crossentropy adamax accuracy 30 0.9638
LSTM 2 64,1 - relu mean_squared_error sgd accuracy 30 0.9311
RNN 2 64,1 - sigmoid binary_crossentropy adam accuracy 10 0.9486
RNN 2 64,1 - relu binary_crossentropy adamax accuracy 10 0.9213
RNN 2 64,1 - tanh categorical_crossentropy adagrad accuracy 10 0.9471
RNN 2 64,1 - softmax binary_crossentropy sgd accuracy 10 0.9121
RNN 2 64,1 - selu mean_squared_error rmsprop accuracy 10 0.9491
ACLR 17 64,32,1 3 relu,sigmoid binary_crossentropy adam accuracy 25 0.9698
ACLR 17 64,32,1 3 relu,softmax binary_crossentropy sgd accuracy 25 0.9274
ACLR 17 64,32,1 3 elu,tanh categorical_crossentropy rmsprop accuracy 25 0.9482
ACLR 17 64,32,1 3 selu,sigmoid binary_crossentropy adamax accuracy 25 0.9598
ACLR 17 64,32,1 3 tanh,softmax mean_squared_error adagrad accuracy 25 0.9058

10 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

always sufficient, especially when dealing with unbalanced Z 1

datasets. The proportion of accurately anticipated positive PR-AUC = Precision(Recall) dRecall (6)
instances recall, often referred to as sensitivity or the true 0
positive rate, refers to responses to actual positive events. In this formula, the integral represents the area under the
It demonstrates that the model can accurately identify all curve, Precision and Recall are functions of the threshold
relevant positive cases. Higher recall values suggest that applied to the model’s predicted probabilities.
the model is good at minimizing false negatives. Precision,
commonly referred to as positive predictive value, is the ratio IV. RESULTS AND DISCUSSION
of accurately predicted positive cases to all expected positive The experiments have been conducted with multiple deep
cases. It demonstrates the model’s accuracy in identifying learning models but due to their complexity and requires
positive samples and minimizing false positives. High ac- large number of datasets, show low prediction accuracy.
curacy values imply that the model generates minimal false That’s why the selection criteria for the deep learning algo-
positives. The following equations are used to calculate the rithms (ANN, CNN, LSTM, and RNN) have been adopted
evaluation parameters based on less complexity and works better with small datasets
instead of large datasets. By using 70% training data and 30%
(T P + T N )
Accuracy = (1) testing data from the dataset, the performance of the deep
(T P + T N + F P + F N )
learning model is assessed. The predictability of the model is
where TP refers to true positive which is the number of investigated using a random look at set sizes from the dataset.
correctly predicted attacks. FP refers to a false positive which Experiments are conducted to evaluate the multi-class deep
indicates a normal packet predicted as an attack. Similarly, learning models’ precision, recall, accuracy, and F1 score.
TN indicates true negative which shows a normal packet
predicted as a normal packet. Conversely, FN indicates an A. PERFORMANCE OF ANN
attack predicted as a normal packet. The ANN is trained on a labeled dataset to calculate the
TP evaluation metrics, and it is then assessed on a test dataset.
P recision = (2) The ANN’s performance is illustrated in Table 8. It success-
TP + FP
fully predicted different types of attacks with an accuracy
TP of 0.7568Ṡimilarly, other performance evaluation metrics are
Recall = (3) good including a precision of 0.7817, a recall of 0.7568, an
TP + FN
F1 score of 0.7559, and a training duration of 25.13 seconds.
An often-used statistic in research articles to assess the ef-
ficacy of classification systems is the F1 score. By including TABLE8: Performance of ANN model.
precision and recall into a single score, it provides an accu-
Epochs Accuracy Precision Recall F1-Score Training
rate evaluation of the model’s performance. The following Time
formula used to determine the F1 score is 5 0.7275 0.7631 0.7274 0.7088 33.16s
10 0.7479 0.7483 0.7479 0.7456 26.14s
(P recision ∗ Recall) 15 0.6868 0.7134 0.6868 0.6644 28.16s
F 1 score = 2 ∗ (4) 20 0.6761 0.7442 0.6761 0.6647 28.15s
(P recision + Recall)
25 0.7568 0.7817 0.7568 0.7559 25.13s
The ROC-AUC measures the area under the Receiver 30 0.6332 0.7750 0.6332 0.5536 27.14s
Operating Characteristic curve, which is a graphical repre-
sentation of a binary classification model’s performance. It
plots the True Positive Rate (TPR) against the False Positive
Rate (FPR) at various thresholds. The ROC-AUC represents
the area under the ROC curve and ranges from 0 to 1, where
a higher value indicates better model performance. A value
of 0.5 suggests random classification, while a value of 1
indicates perfect classification.
Z 1
ROC-AUC = TPR(FPR) dFPR (5)
0
The PR-AUC measures the area under the Precision-Recall
curve, which assesses a model’s performance in binary clas-
sification, with a focus on positive class prediction accuracy.
The PR-AUC represents the area under the Precision-Recall
curve and ranges from 0 to 1, with higher values indicating
better model performance. A value of 1 means perfect preci-
sion and recall, while a value of 0 suggests poor performance.
VOLUME 4, 2016 11

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

B. RESULTS OF CONVOLUTIONAL NEURAL D. RESULTS OF RECURRENT NEURAL NETWORKS

NETWORKS RNNs are excellent at modeling sequential data and can
Many text classification tasks are performed using CNNs, detect temporal dependencies. They are useful for applica-
which may also be used to determine accuracy, precision, tions like time series analysis natural language processing
and F1 score. To calculate these metrics using a test dataset and speech recognition because of their recurrent connections
a CNN’s performance can be evaluated after having been which let them retain knowledge from earlier time steps.
trained on a labeled dataset. An indicator of how well CNN RNNs can achieve high accuracy, precision, and F1 scores
made general predictions is the percentage of cases in the test by utilizing their capacity to record temporal patterns and
set that were correctly categorized as a whole. contextual data, enabling precise and reliable sequence clas-
sification.
TABLE9: Performance of CNN.
TABLE11: Performance of RNN model.
Epochs Accuracy Precision Recall F1-Score Training
Time Epochs Accuracy Precision Recall F1-Score Training
5 0.7663 0.7658 0.7663 0.7652 107.24s Time
10 0.8851 0.8879 0.8851 0.8843 215.11s 5 0.9391 0.9396 0.9391 0.9389 308.8s
15 0.8957 0.8967 0.8957 0.8959 321.11s 10 0.9486 0.9486 0.9486 0.9486 616.16s
20 0.9268 0.9279 0.9268 0.9264 427.14s 15 0.9522 0.9523 0.9522 0.9521 925.24s
25 0.9392 0.9398 0.9392 0.9390 533.11s 20 0.9471 0.9472 0.9471 0.9471 1234.32s
30 0.9440 0.9444 0.9440 0.9439 639.15s 25 0.9477 0.9479 0.9477 0.9478 1542.40s
30 0.9448 0.9448 0.9448 0.9448 1851.48s
Results given in Table 9 show the performance of the CNN
model for different epochs ranging from 5 to 30 epochs. Experimental results of the RNN model are given in Table
Results indicate that the CNN model achieved an accuracy 11. Results indicate that the RNN model can achieve the
score of 0.9440, precision of 0.9444, recall of 0.9440, F1 highest accuracy score of 0.9522 with 15 epochs. Similarly,
score of 0.9439, and a 639.15-second training period. These the highest precision score is 0.9523, the recall score is
results are significantly better compared to results obtained 0.9522, the F1 score is 0.9521, and 925.24 seconds ended
by the ANN model. the training phase. Although these results are not better than
what we achieved using the LSTM model, the performance
C. RESULTS OF LONG SHORT TERM MEMORY of RNN is substantially better than the ANN model. Simi-
NETWORKS larly, LSTM has a slightly better performance than the CNN
The ability of LSTMs to recognize long-term dependencies model.
in sequential data makes them particularly useful for tasks
like natural language processing voice recognition and time E. RESULTS USING STACKING ACLR MODEL
series analysis. LSTMs can achieve high accuracy, precision,
Comparing deep learning models is a vital part of this re-
and F1 scores by utilizing their capacity to model context and
search. In this research, we contrast the most widely used
sequential patterns resulting in trustworthy and accurate clas-
deep learning classification techniques. Similarly, the results
sification results for applications requiring sequence-based
of the proposed ANN+CNN+LSTM+RNN(ACLR) model
data. Experimental results of the LSTM model are given in
are analyzed; Table 12 shows experimental results using
Table 10.
the proposed model. Experimental results demonstrate that
TABLE10: Performance of LSTM model. the proposed model shows better performance than other
Epochs Accuracy Precision Recall F1-Score Training
deep learning models used in this research with the highest
Time accuracy score of 0.9698. This accuracy is better than the
5 0.9494 0.9507 0.9494 0.9495 670.80s LSTM model which has the best accuracy score of 0.9651.
10 0.9608 0.9608 0.9608 0.9608 1325.36s The precision, recall, and F1 scores of the proposed model
15 0.9559 0.9565 0.9559 0.9560 1983.58s
20 0.9641 0.9641 0.9641 0.9641 2641.36s are also the highest with 0.9691, 0.9693, and 0.9692 for the
25 0.9631 0.9631 0.9631 0.9631 3299.32s period of the training session, respectively.
30 0.9651 0.9651 0.9651 0.9651 3957.32s
TABLE12: Performance of the proposed ACLR model.
The results of the LSTM model indicate its superior per- Epochs Accuracy Precision Recall F1-Score Training
formance compared to ANN and CNN models. Compared to Time
the highest accuracy score of 0.9440 which CNN obtained 5 0.9500 0.9407 0.9703 0.9553 915.8s
10 0.9554 0.9517 0.9681 0.9598 1819.21s
with 30 epochs. the LSTM model obtained an accuracy score 15 0.9583 0.9634 0.9608 0.9621 2726.53s
of 0.9651 for the same number of epochs. Similarly, other 20 0.9634 0.9739 0.9593 0.9665 3634.42s
performance parameters are also better than ANN and CNN. 25 0.9698 0.9691 0.9693 0.9692 4543.50s
LSTM obtains a precision score of 0.9651, a recall score 30 0.9597 0.9610 0.9659 0.9635 5451.57s
of 0.9651, an F1 score of 0.9651, and 3957.32 seconds to
complete the training session.
12 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

F. COMPARATIVE ANALYSIS OF ALL MODELS of the proposed models varies slightly across different folds,
Table 13 shows the results of all models employed in this however, its average performance is better than other models.
research. Results are given regarding the accuracy, precision,
TABLE14: Model performance with k =3.
recall, and F1 scores. It can be observed that the proposed
model performs better than all other models including ANN, Fold Accuracy Precision Recall F1-Score Training
CNN, LSTM, and RNN which are fine-tuned to obtain Time
1 0.9403 0.9285 0.9661 0.947 10.38s
optimal performance using the current dataset. Of the em- 2 0.9437 0.934 0.9662 0.9498 10.38s
ployed models, ANN shows the poorest performance with 3 0.943 0.9301 0.9692 0.9492 10.36s
a 0.7568 accuracy score. The CNN model shows slightly
better performance than the ANN model with an accuracy
score of 0.9440. The performance of both LSTM and RNN
is substantially better than ANN with 0.9651 and 0.9522
accuracy scores, respectively. However, the performance of
the proposed model is superior among all employed models.
Figure 8 illustrates a visual presentation of the performance
of all the deep learning models used in this research. Evalua-
tion of the stacking strategy for [Link] Compare
the models and their performance. The proposed strategy
stacking provides good results.
TABLE13: Analysis of all employed models.
Models Accuracy Precision Recall F1-Score Training
Time
ANN 0.7568 0.7817 0.7568 0.7559 25.13s
CNN 0.9440 0.9444 0.9440 0.9439 533.11s
LSTM 0.9651 0.9651 0.9651 0.9651 3299.32s
RNN 0.9522 0.9523 0.9522 0.9521 1542.40s
ACLR 0.9698 0.9691 0.9693 0.9692 4543.50s

G. RESULTS OF K-FOLD CROSS-VALIDATION FOR

ACLR MODEL
For performance validation, k-fold cross-validation is carried
out for the proposed approach. Table 14, 15, 16 and 17
shows the results with the training time and for k=3,5,7,
and 10, respectively. Results indicate that the performance

FIGURE8: Performance analysis of deep learning models.

VOLUME 4, 2016 13

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

TABLE15: Model performance with k =5. TABLE17: Model performance with k =10.
Fold Accuracy Precision Recall F1-Score Training Fold Accuracy Precision Recall F1-Score Training
Time Time
1 0.9749 0.9770 0.9717 0.9723 10.38s 1 0.9387 0.9363 0.9539 0.945 10.38s
2 0.9708 0.9711 0.9709 0.9731 10.38s 2 0.9518 0.9533 0.959 0.9562 10.38s
3 0.9659 0.9665 0.9644 0.9654 10.36s 3 0.92 0.9458 0.9039 0.9244 10.36s
4 0.9714 0.9713 0.9701 0.9732 11.38s 4 0.9503 0.9577 0.9502 0.9539 11.38s
5 0.9713 0.9708 0.9711 0.9710 11.39s 5 0.9444 0.9448 0.9561 0.9504 11.39s
6 0.9589 0.9647 0.9604 0.9625 11.39s
7 0.9463 0.9689 0.9328 0.9505 11.39s
8 0.9512 0.9585 0.9536 0.956 9.33s
H. ROC-AUC AND PR-AUC OF THE MODELS 9 0.9455 0.9655 0.9337 0.9494 9.32s
PERFORMANCE 10 0.9533 0.9548 0.9469 0.9507 8.29s
To extract insights and make wise judgments, proposed data-
driven solutions use a variety of neural network architectures,
including ANN, CNN, LSTM, and RNN. ROC-AUC and
PR-AUC metrics are used to measure model efficacy, guar-
anteeing strong classification performance and a thorough
comprehension of model behavior. The performance of ROC-
AUC and PR-AUC is shown in Figures 9, and 10. The
accuracy shows the correctly predicted values over the total
number of predictions which shows how many numbers of
attacks have been detected in real-life systems as shown in
the tables of the result section.

FIGURE10: Performance regarding PR-AUC curve.

As an example in Table 18 the proposed ACLR model

shows an accuracy of 97.49% which means approximately
97.50% predictions are accurately performed by the proposed
model and with the training period. Where precision 97.70%
and recall 97.17% present the class-wise results and predic-
tion accuracy per class. And f1 score shows the harmonic
mean of the precision and recall which is 97.23% shows the
balance between prediction accuracies.
FIGURE9: Performance regarding ROC-AUC curve.
I. PERFORMANCE COMPARISON WITH EXISTING
APPROACHES
TABLE16: Model performance with k =7. Performance comparison with existing state-of-the-art mod-
els is necessary to determine the efficacy of the proposed
Fold Accuracy Precision Recall F1-Score Training
Time model. For this purpose, several existing studies have been
1 0.9556 0.9582 0.9609 0.9596 10.38s selected that utilized deep learning models for botnet detec-
2 0.9475 0.97 0.9341 0.9517 10.38s tion. For example, studies [49], [50], [52], [54], [57] and [53]
3 0.9446 0.9454 0.9549 0.9501 10.36s
4 0.9272 0.906 0.9662 0.9351 11.38s
deployed either CNN or an ensemble of CNN with a deep
5 0.9404 0.9454 0.9454 0.9454 11.39s learning model and obtained very good results. Similarly,
6 0.9477 0.9559 0.9502 0.9531 11.39s [48] proposed an ANN model and utilized the same dataset
7 0.9452 0.9466 0.955 0.9506 11.39s that is used in this research. Both [51] and [55] made use

TABLE18: Comparative analysis of the stacking algorithm.

Models Accuracy Precision Recall F1-Score ROC-AUC PR-AUC Training
Time
ANN+CNN 0.8211 0.8280 0.8520 0.8398 0.9184 0.9333 81.44s
RNN+ANN 0.9223 0.9156 0.9461 0.9306 0.9808 0.9850 292.161s
LSTM+RNN 0.7949 0.9689 0.6483 0.7768 0.7887 0.8489 740.407s
CNN+LSTM 0.9106 0.8779 0.9730 0.9230 0.9838 0.9872 316.173s
Proposed ACLR 0.9749 0.9770 0.9717 0.9723 0.9934 0.9950 1604.104s

14 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

TABLE19: Comparative analysis with existing literature.

Reference Algorithms Dataset Classes Accuracy Precision Recall F1-score
[48] ANN UNSW-NB15 Multi-class 0.6397 - - -
[49] CNN+BLSTM UNSW-NB15 Multi-class 0.7556 0.7933 0.7564 0.7744
[50] CNN1D+BLSTM UNSW-NB15 Multi-class 0.7632 0.8100 0.7600 0.7700
[51] LSTM UNSW-NB15 Binary-class 0.7000 - - -
[52] SimpleRNN UNSW-NB15 Binary-class 0.8070 0.7750 0.9840 0.8670
[53] CNN-LSTM UNSW-NB15 Binary-class 0.9368 - - -
[54] CNN 1D UNSW-NB15 Binary-class 0.8980 - - -
[55] LSTM UNSW-NB15 Binary-class 0.8899 - - -
[56] CNN UNSW-NB15 Binary-class 0.8112 0.8237 0.7836 0.8006
[57] CNN-LSTM UNSW-NB15 Binary-class 0.8993 0.8615 - 0.9043
Proposed ACLR UNSW-NB15 Binary-class 0.9698 0.9691 0.9693 0.9692
K-fold ACLR UNSW-NB15 Binary-class 0.9749 0.9770 0.9717 0.9723

of LSTM models for the same task while [56] leveraged an K. COMPUTATIONAL COMPLEXITY VS ACCURACY
RNN model. Results comparison given in Table 19 reveals Computational complexity is very important for botnet attack
that the proposed model outperforms these studies and ob- detection approaches as they have to work in real time. Often
tains a better accuracy score using the same dataset. a trade-off is made between the computational complexity of
the model and its accuracy. A better accuracy can be obtained
J. PERFORMANCE COMPARISON OF MACC, FLOPS for the deep learning model by increasing its number of
AND INFERENCE TIME. layers and neurons, however, it would increase the training
Within the domain of computational efficiency, assessing time of the model. Table 21 shows the relationship between
the Performance Comparison of Multiply-Accumulate Op- the training time and attack detection accuracy for various
erations (MACC), Floating Point Operations Per Second models used in this study. Results suggest increased training
(FLOPS), and Inference Time is crucial for evaluating the time when the number of epochs is increased for better
effectiveness of machine learning models. The study ob- training of the models. With increased training time, a better
tained the computational capabilities of a single model in accuracy is observed for CNN, LSTM, RNN, and ACLR
comparison to the combination of two models, specifically time, except for a few cases for LSTM and RNN where a
considering MACC, FLOPS, and inference time metrics. The marginal decrease is observed in the accuracy.
analysis uncovered that employing a singular model substan-
tially decreased both MACC and FLOPS requirements, indi- TABLE21: Model accuracy vs training time, layers, and epochs.
cating a more efficient computational process. Additionally, Model Layers Epoch Accuracy Training time
the inference time for the individual model was significantly 5 0.7663 107.24s
reduced compared to the merged model, highlighting the ef- 10 0.8851 215.11s
15 0.8957 321.11s
ficiency of a consolidated approach. The proposed model not CNN 6
20 0.9268 427.14s
only demonstrated superior time efficiency but also yielded 25 0.9392 533.11s
improved results compared to the cumulative processing 30 0.9440 639.15s
5 0.9494 670.80s
time of the two models. This underscores the importance of 10 0.9608 1325.36s
optimizing model architecture for enhanced computational 15 0.9559 1983.58s
LSTM 2
efficiency, contributing to more effective and swift machine 20 0.9641 2641.36s
25 0.9631 3299.32s
learning applications. Table 20 presents a comparison of 30 0.9651 3957.32s
the MACC, FLOPS, and inference time models’ respective 5 0.9391 308.8s
performances. 10 0.9486 616.16s
15 0.9522 925.24s
RNN 2
20 0.9471 1234.32s
TABLE20: Performance comparison of MACC, FLOPS, and 25 0.9477 1542.40s
inference time. 30 0.9448 1851.48s
5 0.9500 915.8s
Models MACC FLOPS Inference Time 10 0.9554 1819.21s
ANN 1556640320 10772022.54 0.1053 seconds 15 0.9583 2726.53s
CNN 15554 3912.37 3.9755 seconds ACLR 3
20 0.9634 3634.42s
LSTM 33922 818.03 41.468 seconds 25 0.9698 4543.50s
RNN 8578 1017.0066 8.4346 seconds 30 0.9597 5451.57s
ANN+CNN 251865900 503731800 10.5890 seconds
RNN+ANN 483057900 966115800 24.600 seconds
LSTM+RNN 1561163500 3122327000 83.094 seconds In addition, increasing the number of layers of the em-
CNN+LSTM 615449900 1230899800 41.606 seconds ployed models also increases the training time of models, as
ACLR 88946 2240.3580 39.701 seconds shown in Table 22. Traditionally, increasing the number of
layers and neurons is aimed at learning intricate relationships
between the input and output of the model, thereby improv-
VOLUME 4, 2016 15

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

ing the prediction performance of the model. However, this increasing the number of layers for the deployed models is
increase in the model’s accuracy comes at the cost of higher observed to produce better performance, however, it comes
computational complexity. at the cost of increased computational complexity and higher
training time. Among the employed models, the ANN model
TABLE22: Comparison of model complexity vs accuracy. shows poor performance while LSTM, RNN, and CNN show
Model Layers Epoch Accuracy Training time better results. The comparative findings demonstrate that the
6 0.9440 639.15s proposed approach outperforms ANN, CNN, LSTM, and
CNN 7 30 0.9511 728.11s
8 0.9578 815.31s RNN models in terms of performance and accuracy for the
2 0.9651 3957.32s detection of botnets. In comparison to previous models, the
LSTM 3 30 0.9701 4521.42s suggested ACLR model has the greatest ROC AUC (0.9934)
4 0.9753 4832.01s
2 0.9448 1851.48s
and PR AUC (0.9950) values. Performance analysis with
RNN 3 30 0.9468 2031.847 existing models indicates that ACLR can perform better
4 0.9586 2558.037 than state-of-the-art models. It is important to note that
3 0.9597 5451.57s
ACLR 4 30 0.9617 5641.21s
deep learning algorithms for botnet identification still have
5 0.9683 6043.32s limitations such as a lack of labeled statistics on training and
the possibility of hostile attacks. To increase the precision,
scalability, and robustness of deep learning-based botnet
L. DISCUSSION detection systems more research and development in this area
The research introduces ACLR, a hybrid deep learning model are required. The stacking model in the proposed research
designed for the effective detection of botnet attacks in the has been based on four deep learning models which consume
IoT network. The innovative approach integrates four distinct more time than the single model in predictions but show more
models ANN, CNN, LSTM, and RNN through a stacking efficient results than the single model. It also necessitates
technique. These models synergize to form the powerful data interchange and synchronization. This demonstrates the
hybrid model, ACLR. Validation of ACLR’s performance significance of carefully balancing model complexity and
is conducted using k-fold cross-validation, resulting in a effectiveness across a range of applications. As it will be
remarkable accuracy of 0.9749. Through a systematic eval- totally automated in future research, there should be more
uation using epochs ranging from 5 to 30, to proposed training using reinforcement learning, which can be more
ACLR model demonstrated remarkable performance, achiev- effective.
ing an impressive accuracy of 0.9698 without K-fold cross-
validation. Evaluation metrics, including ROC-AUC and PR- ACKNOWLEDGMENT
AUC, have been used to evaluate the performance of the The authors extend their appreciation to King Saud Univer-
proposed research based on ACLR. The highest ROC-AUC sity for funding this research through Researchers Supporting
is 0.9934 and PR-AUC is 0.9950 has been achieved. Com- Project Number (RSPD2024R890), King Saud University,
prehensive assessment parameters, encompassing accuracy, Riyadh, Saudi Arabia.
precision, recall, and F1 score, collectively emphasize the
robustness of ACLR in the detection and mitigation of botnet
REFERENCES
threats within IoT environments. This research signifies a
[1] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull, “Towards the
notable advancement in IoT security, offering an innovative development of realistic botnet dataset in the internet of things for network
and efficient hybrid machine-learning solution. forensic analytics: Bot-iot dataset,” Future Generation Computer Systems,
vol. 100, pp. 779–796, 2019.
V. CONCLUSION [2] O. Ibitoye, O. Shafiq, and A. Matrawy, “Analyzing adversarial attacks
against deep learning for intrusion detection in iot networks,” in 2019 IEEE
The frequency and intensity of cyber attacks have witnessed global communications conference (GLOBECOM), pp. 1–6, IEEE, 2019.
a growth lately and botnet attacks have emerged with the [3] M. Shahhosseini, H. Mashayekhi, and M. Rezvani, “A deep learning
potential to cause serious damage. Deep learning-based mod- approach for botnet detection using raw network traffic data,” Journal of
Network and Systems Management, vol. 30, no. 3, p. 44, 2022.
els have shown potential for automated botnet detection; [4] S. Homayoun, M. Ahmadzadeh, S. Hashemi, A. Dehghantanha, and
ensemble models come out as better predictors than indi- R. Khayami, “Botshark: A deep learning approach for botnet traffic
vidual models. This research proposes a hybrid stacking detection,” Cyber Threat Intelligence, pp. 137–153, 2018.
[5] M. Ge, X. Fu, N. Syed, Z. Baig, G. Teo, and A. Robles-Kelly, “Deep
model, ANN+CNN+LSTM+RNN (ACLR) for botnet detec- learning-based intrusion detection for iot networks,” in 2019 IEEE 24th
tion. The experimental setup involves ACLR implementation pacific rim international symposium on dependable computing (PRDC),
in the Google COLAB environment using the UNSW-NB15 pp. 256–25609, IEEE, 2019.
dataset. In addition, this research employed ANN, CNN, [6] M. A. Ferrag, L. Maglaras, S. Moschoyiannis, and H. Janicke, “Deep
learning for cyber security intrusion detection: Approaches, datasets, and
LSTM, and RNN models for performance comparison with comparative study,” Journal of Information Security and Applications,
the proposed ACLR model. Experimental results suggest a vol. 50, p. 102419, 2020.
superior performance of ACLR with a 0.9698 accuracy score [7] T. Hasan, J. Malik, I. Bibi, W. U. Khan, F. N. Al-Wesabi, K. Dev, and
G. Huang, “Securing industrial internet of things against botnet attacks
while the k-fold cross-validation accuracy score is 0.9749 using hybrid deep learning approach,” IEEE Transactions on Network
where the value of k is 3,5,7 and 10, respectively. In addition, Science and Engineering, 2022.

16 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

[8] D. T. Son, N. T. K. Tram, and P. M. Hieu, “Deep learning techniques to [30] M. Khalid, S. Hameed, A. Qadir, S. A. Shah, and D. Draheim, “Towards
detect botnet,” Journal of Science and Technology on Information security, sdn-based smart contract solution for iot access control,” Computer Com-
vol. 1, no. 15, pp. 85–91, 2022. munications, vol. 198, pp. 1–31, 2023.
[9] M. Gandhi and S. Srivatsa, “Detecting and preventing attacks using [31] A. Presekal, A. Ştefanov, V. S. Rajkumar, and P. Palensky, “Attack graph
network intrusion detection systems,” International Journal of Computer model for cyber-physical power systems using hybrid deep learning,”
Science and Security, vol. 2, no. 1, pp. 49–60, 2008. IEEE Transactions on Smart Grid, 2023.
[10] J. Liu, S. Liu, and S. Zhang, “Detection of iot botnet based on deep [32] C. Song, Y. Sun, G. Han, and J. J. Rodrigues, “Intrusion detection based
learning,” in 2019 Chinese control conference (CCC), pp. 8381–8385, on hybrid classifiers for smart grid,” Computers & Electrical Engineering,
IEEE, 2019. vol. 93, p. 107212, 2021.
[11] C. D. McDermott, F. Majdani, and A. V. Petrovski, “Botnet detection in the [33] N. Moustafa and J. Slay, “Unsw-nb15: a comprehensive data set for net-
internet of things using deep learning approaches,” in 2018 international work intrusion detection systems (unsw-nb15 network data set),” in 2015
joint conference on neural networks (IJCNN), pp. 1–8, IEEE, 2018. military communications and information systems conference (MilCIS),
[12] S. Sriram, R. Vinayakumar, M. Alazab, and K. Soman, “Network flow pp. 1–6, IEEE, 2015.
based iot botnet attack detection using deep learning,” in IEEE INFOCOM [34] V. Timčenko and S. Gajin, “Machine learning based network anomaly
2020-IEEE conference on computer communications workshops (INFO- detection for iot environments,” in ICIST-2018 conference, 2018.
COM WKSHPS), pp. 189–194, IEEE, 2020. [35] M. Zeeshan, Q. Riaz, M. A. Bilal, M. K. Shahzad, H. Jabeen, S. A. Haider,
[13] B. Nugraha, A. Nambiar, and T. Bauschert, “Performance evaluation of and A. Rahim, “Protocol-based deep intrusion detection for dos and ddos
botnet detection using deep learning techniques,” in 2020 11th Interna- attacks using unsw-nb15 and bot-iot data-sets,” IEEE Access, vol. 10,
tional Conference on Network of the Future (NoF), pp. 141–149, IEEE, pp. 2269–2283, 2021.
2020. [36] M. Ahmad, Q. Riaz, M. Zeeshan, H. Tahir, S. A. Haider, and M. S.
[14] P. Karunakaran, “Deep learning approach to dga classification for effective Khan, “Intrusion detection in internet of things using supervised machine
cyber security,” Journal of Ubiquitous Computing and Communication learning based on application and transport layer features using unsw-nb15
Technologies (UCCT), vol. 2, no. 04, pp. 203–213, 2020. data-set,” EURASIP Journal on Wireless Communications and Network-
[15] N. Elsayed, Z. ElSayed, and M. Bayoumi, “Iot botnet detection using an ing, vol. 2021, no. 1, pp. 1–23, 2021.
economic deep learning model,” arXiv preprint arXiv:2302.02013, 2023. [37] M. Thapliyal, A. Bijalwan, N. Garg, and E. S. Pilli, “A generic process
[16] M. A. Haq and M. A. Rahim Khan, “Dnnbot: Deep neural network-based model for botnet forensic analysis,” in Conference on Advances in Com-
botnet detection and classification.,” Computers, Materials & Continua, munication and Control Systems (CAC2S 2013), pp. 98–102, Atlantis
vol. 71, no. 1, 2022. Press, 2013.
[17] I. H. Sarker, “Deep cybersecurity: a comprehensive overview from neural [38] F. Hussain, S. G. Abbas, U. U. Fayyaz, G. A. Shah, A. Toqeer, and A. Ali,
network and deep learning perspective,” SN Computer Science, vol. 2, “Towards a universal features set for iot botnet attacks detection,” in 2020
no. 3, p. 154, 2021. IEEE 23rd International Multitopic Conference (INMIC), pp. 1–6, IEEE,
[18] A. A. Ahmed, W. A. Jabbar, A. S. Sadiq, and H. Patel, “Deep learning- 2020.
based classification model for botnet attack detection,” Journal of Ambient [39] H. N. Thanh and T. Van Lang, “Evaluating effectiveness of ensemble
Intelligence and Humanized Computing, pp. 1–10, 2020. classifiers when detecting fuzzers attacks on the unsw-nb15 dataset,”
[19] I. Letteri, M. Del Rosso, P. Caianiello, and D. Cassioli, “Performance Journal of Computer Science and Cybernetics, vol. 36, no. 2, pp. 173–185,
of botnet detection by neural networks in software-defined networks.,” in 2020.
ITASEC, 2018.
[40] X. Gao, R. K. Saha, M. R. Prasad, and A. Roychoudhury, “Fuzz testing
[20] T. H. Aldhyani and H. Alkahtani, “Attacks to automatous vehicles: A deep based data augmentation to improve robustness of deep neural networks,”
learning algorithm for cybersecurity,” Sensors, vol. 22, no. 1, p. 360, 2022. in Proceedings of the acm/ieee 42nd international conference on software
[21] M. Y. Alzahrani and A. M. Bamhdi, “Hybrid deep-learning model to detect engineering, pp. 1147–1158, 2020.
botnet attacks over internet of things environments,” Soft Computing,
[41] N. Moustafa and J. Slay, “Unsw-nb15: a comprehensive data set for net-
vol. 26, no. 16, pp. 7721–7735, 2022.
work intrusion detection systems (unsw-nb15 network data set),” in 2015
[22] Y. N. Soe, P. I. Santosa, and R. Hartanto, “Ddos attack detection based on military communications and information systems conference (MilCIS),
simple ann with smote for iot environment,” in 2019 fourth international pp. 1–6, IEEE, 2015.
conference on informatics and computing (ICIC), pp. 1–5, IEEE, 2019.
[42] M. A. Ferrag, L. Shu, H. Djallel, and K.-K. R. Choo, “Deep learning-based
[23] S.-C. Chen, Y.-R. Chen, and W.-G. Tzeng, “Effective botnet detection
intrusion detection for distributed denial of service attack in agriculture
through neural networks on convolutional features,” in 2018 17th IEEE
4.0,” Electronics, vol. 10, no. 11, p. 1257, 2021.
International Conference On Trust, Security And Privacy In Computing
[43] Z. Al-Othman, M. Alkasassbeh, and S. A.-H. Baddar, “A state-of-the-art
And Communications/12th IEEE International Conference On Big Data
review on iot botnet attack detection,” arXiv preprint arXiv:2010.13852,
Science And Engineering (TrustCom/BigDataSE), pp. 372–378, IEEE,
2020.
2018.
[24] S. I. Popoola, B. Adebisi, M. Hammoudeh, G. Gui, and H. Gacanin, [44] E. G. Dada, J. S. Bassi, H. Chiroma, A. O. Adetunmbi, O. E. Ajibuwa,
“Hybrid deep learning for botnet attack detection in the internet-of-things et al., “Machine learning for email spam filtering: review, approaches and
networks,” IEEE Internet of Things Journal, vol. 8, no. 6, pp. 4944–4956, open research problems,” Heliyon, vol. 5, no. 6, 2019.
2020. [45] Y. Zhai, L. Yang, J. Yang, L. He, and Z. Li, “Baddga: Backdoor attack
[25] S. Akarsh, S. Sriram, P. Poornachandran, V. K. Menon, and K. Soman, on lstm-based domain generation algorithm detector,” Electronics, vol. 12,
“Deep learning framework for domain generation algorithms prediction no. 3, p. 736, 2023.
using long short-term memory,” in 2019 5th International Conference on [46] S. Soltani, S. A. H. Seno, M. Nezhadkamali, and R. Budiarto, “A survey
Advanced Computing & Communication Systems (ICACCS), pp. 666– on real world botnets and detection mechanisms,” International Journal of
671, IEEE, 2019. Information and Network Security, vol. 3, no. 2, p. 116, 2014.
[26] S. I. Popoola, B. Adebisi, M. Hammoudeh, H. Gacanin, and G. Gui, [47] R. U. Khan, X. Zhang, R. Kumar, A. Sharif, N. A. Golilarz, and M. Alazab,
“Stacked recurrent neural network for botnet detection in smart homes,” “An adaptive multi-layer botnet detection technique using machine learn-
Computers & Electrical Engineering, vol. 92, p. 107039, 2021. ing classifiers,” Applied Sciences, vol. 9, no. 11, p. 2375, 2019.
[27] M. Alauthman, “Botnet spam e-mail detection using deep recurrent neural [48] T. A. Tuan, H. V. Long, L. H. Son, R. Kumar, I. Priyadarshini, and
network,” Int. J, vol. 8, no. 5, pp. 1979–1986, 2020. N. T. K. Son, “Performance evaluation of botnet ddos attack detection
[28] J. Bhayo, S. A. Shah, S. Hameed, A. Ahmed, J. Nasir, and D. Draheim, using machine learning,” Evolutionary Intelligence, vol. 13, pp. 283–294,
“Towards a machine learning-based framework for ddos attack detection 2020.
in software-defined iot (sd-iot) networks,” Engineering Applications of [49] K. Jiang, W. Wang, A. Wang, and H. Wu, “Network intrusion detection
Artificial Intelligence, vol. 123, p. 106432, 2023. combined hybrid sampling with deep hierarchical network,” IEEE access,
[29] S. Siddiqui, S. Hameed, S. A. Shah, I. Ahmad, A. Aneiba, D. Draheim, and vol. 8, pp. 32464–32476, 2020.
S. Dustdar, “Towards software-defined networking-based iot frameworks: [50] B. Bowen, A. Chennamaneni, A. Goulart, and D. Lin, “Blocnet: a hybrid,
A systematic literature review, taxonomy, open challenges and prospects,” dataset-independent intrusion detection system using deep learning,” In-
IEEE Access, 2022. ternational Journal of Information Security, pp. 1–25, 2023.

VOLUME 4, 2016 17

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

[51] N. Guizani and A. Ghafoor, “A network function virtualization system for MUHAMMAD FAHEEM MUSHTAQ received
detecting malware in large iot based networks,” IEEE Journal on Selected his Ph.D. degree from the Department of Infor-
Areas in Communications, vol. 38, no. 6, pp. 1218–1228, 2020. mation Security, Faculty of Computer Science and
[52] H. Zhu, X. Peng, and X. Gao, “Research on anomalous behavior detection Information Technology, University Tun Hussein
of federated deep learning network intrusion based on fate-cnn,” in Sec- Onn Malaysia (UTHM), Malaysia, in 2018. He has
ond International Symposium on Computer Applications and Information made several contributions through research publi-
Systems (ISCAIS 2023), vol. 12721, pp. 136–142, SPIE, 2023. cations and book chapters toward Information Se-
[53] M. Azizjon, A. Jumabek, and W. Kim, “1d cnn based network intrusion
curity. He earned his BS(IT) and MS(CS) degrees
detection with normalization on imbalanced data,” in 2020 international
from The Islamia University of Bahawalpur, Pun-
conference on artificial intelligence in information and communication
(ICAIIC), pp. 218–224, IEEE, 2020. jab, Pakistan, in 2011 and 2013, respectively. He
[54] M. Lopez-Martin, B. Carro, A. Sanchez-Esguevillas, and J. Lloret, “Shal- received Microsoft certifications of Internet Security and Acceleration (ISA)
low neural network with kernel approximation for prediction problems Server, Microsoft Certified Professional (MCP), and Microsoft Certified
in highly demanding data networks,” Expert Systems with Applications, Technology Professional (MCTS) in 2010. He is currently working as Head,
vol. 124, pp. 196–208, 2019. of the Department of Artificial Intelligence, The Islamia University Ba-
[55] R. A. Disha and S. Waheed, “Performance analysis of machine learning hawalpur, Bahawalpur Pakistan. Previously, he is working as Head/Assistant
models for intrusion detection system using gini impurity-based weighted Professor, at the Department of Information Technology, Khwaja Fareed
random forest (giwrf) feature selection technique,” Cybersecurity, vol. 5, University of Engineering and Information Technology, Rahim Yar Khan,
no. 1, p. 1, 2022. Pakistan. He has been working as a Research Assistant during his Ph.D.
[56] N. Elmrabit, F. Zhou, F. Li, and H. Zhou, “Evaluation of machine learning degree from March 2016 to August 2018. His main research interest in-
algorithms for anomaly detection,” in 2020 international conference on cludes Information Security, Artificial Intelligence, Cognitive system, and
cyber security and protection of digital services (cyber security), pp. 1–8, applications.
IEEE, 2020.
[57] A. Halbouni, T. S. Gunawan, M. H. Habaebi, M. Halbouni, M. Kartiwi,
and R. Ahmad, “Cnn-lstm: hybrid deep neural network for network intru-
sion detection system,” IEEE Access, vol. 10, pp. 99837–99849, 2022.

SULTAN ALFARHOOD is an Assistant Professor

in the Department of Computer Science at King
Saud University (KSU). Since joining KSU in
2007, he has made several contributions to the
field of computer science through his research and
publications. Dr. Alfarhood holds a PhD in Com-
puter Science from the University of Arkansas and
has published several research papers on cutting-
edge topics such as Machine Learning, Recom-
mender Systems, Linked Open Data, and Text
MUDASIR ALI pursuing his MS Computer Sci-
Mining. His work includes proposing innovative approaches and techniques
ence degree from Department of Computer Sci-
to enhance the accuracy and effectiveness of recommender systems and
ence, The Islamia University of Bahawalpur, Ba-
sentiment analysis.
hawalpur, Pakistan. He has received a BSCS de-
gree in 2021 from the Department of Computer
Science, Institute of Southern Punjab, Multan. His
current research interest includes Data mining,
Artificial Intelligence, Cyber Security, Machine
Learning and Deep Learning.

MEJDL SAFRAN is an Assistant Professor of

Computer Science at King Saud University. He
has been a faculty member since 2007 and holds
a MSc. (2013) and a PhD (2018) in Computer
Science from Southern Illinois University Carbon-
dale. His research interests include computational
intelligence, artificial intelligence, deep learning,
pattern recognition, and predictive analytics. He
has published articles in refereed journals and
conference proceedings such as ACM Transac-
tions on Information Systems, Applied Computing and Informatics, MDPI
Biomedicine, MDPI Sensors, IEEE International Conference on Cluster,
MOBEEN SHAHROZ pursuing his Ph.D. in IEEE International Conference on Computer and Information Science, In-
Computer Science from The Islamia University ternational Conference on Database Systems for Advanced Applications,
of Bahawalpur. He received an MS Computer and International Conference on Computational Science and Computational
Science degree in 2020 and an MCS degree in Intelligence. His current research focus includes developing efficient recom-
2018 from the Department of Computer Science, mendation algorithms for large-scale systems, predictive models for online
Khawaja Fareed University of Engineering and human activities, machine learning algorithms for performance manage-
Information Technology(KFUEIT), Rahim Yar ment, and modeling and analyzing user behavior. Since 2018, he has been
Khan, Pakistan. His current research interest in- providing part-time consulting services in the field of artificial intelligence
cludes the Internet of Things(IoT), Artificial Intel- to private and public organizations and firms.
ligence, Data mining, Natural Language Process-
ing, Machine learning, Deep Learning, and Image classification.

18 VOLUME 4, 2016

Mudasir et al. et al.: Hybrid Machine Learning Model for Efficient Botnet Attack Detection in IoT Environment

IMRAN ASHRAF received his Ph.D. in Infor-

mation and Communication Engineering from Ye-
ungnam University, South Korea in 2018, and
the M.S. degree in computer science from the
Blekinge Institute of Technology, Karlskrona,
Sweden, in 2010 with distinction. He has worked
as a postdoctoral fellow at Yeungnam University,
as well. He is currently working as an Assistant
Professor at the Information and Communication
Engineering Department, at Yeungnam University,
Gyeongsan, South Korea. His research areas include positioning using next-
generation networks, communication in 5G and beyond, location-based
services in wireless communication, smart sensors (LIDAR) for smart cars,
and data analytics.

VOLUME 4, 2016 19

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. For more information, see [Link]

Machine Learning Detection
No ratings yet
Machine Learning Detection
13 pages
Botnet Detection
No ratings yet
Botnet Detection
16 pages
Deep Learning Based Classification Model For Botnet Attack Detection
No ratings yet
Deep Learning Based Classification Model For Botnet Attack Detection
10 pages
Grp-2 Implementation Paper
No ratings yet
Grp-2 Implementation Paper
6 pages
NLP-Driven Botnet Detection
No ratings yet
NLP-Driven Botnet Detection
30 pages
Hybrid Feature Selection Models For Machine
No ratings yet
Hybrid Feature Selection Models For Machine
5 pages
Mathematical Problems in Engineering - 2021 - Xing - Survey On Botnet Detection Techniques Classification Methods and
No ratings yet
Mathematical Problems in Engineering - 2021 - Xing - Survey On Botnet Detection Techniques Classification Methods and
24 pages
2004.00234v1 Botnet Detection Using Recurrent Variational
No ratings yet
2004.00234v1 Botnet Detection Using Recurrent Variational
8 pages
Ensemble Botnet Detection in IoT
No ratings yet
Ensemble Botnet Detection in IoT
6 pages
The Incorporation of Stacked Long Short-Term Memory Into Intrusion Detection Systems For Botnet Attack Classification
No ratings yet
The Incorporation of Stacked Long Short-Term Memory Into Intrusion Detection Systems For Botnet Attack Classification
14 pages
1 s2.0 S235286482200102X Main
No ratings yet
1 s2.0 S235286482200102X Main
9 pages
IEEE Conference Template 1
No ratings yet
IEEE Conference Template 1
4 pages
Botnet Detection Framework Using ML
No ratings yet
Botnet Detection Framework Using ML
16 pages
Exposing Bot Attacks Using Machine Learning and Flow Level Analysis
No ratings yet
Exposing Bot Attacks Using Machine Learning and Flow Level Analysis
8 pages
Rq3 Paper 03
No ratings yet
Rq3 Paper 03
9 pages
m64421 F.farhad - Paper
No ratings yet
m64421 F.farhad - Paper
10 pages
Cybersecurity Threat Detectionusing Machine Learningand Deep Learning Techniques
No ratings yet
Cybersecurity Threat Detectionusing Machine Learningand Deep Learning Techniques
4 pages
Hybrid Machine Learning Model For Efficient Botnet Attack Detection in IoT
No ratings yet
Hybrid Machine Learning Model For Efficient Botnet Attack Detection in IoT
5 pages
ML Botnet Detection Analysis
No ratings yet
ML Botnet Detection Analysis
7 pages
IoT Botnet Detection with ML
No ratings yet
IoT Botnet Detection with ML
11 pages
Iwcmc 2024
No ratings yet
Iwcmc 2024
6 pages
IWCMC - 2024 - AI-Driven Fast and Early Detection of IoT Botnet
No ratings yet
IWCMC - 2024 - AI-Driven Fast and Early Detection of IoT Botnet
6 pages
Botnet Detection - IEEE - Doc2
No ratings yet
Botnet Detection - IEEE - Doc2
6 pages
ML-Based IoT Botnet Attack Detection
No ratings yet
ML-Based IoT Botnet Attack Detection
66 pages
Comprehensive Botnet Detection by Mitigating Adversarial Attacks 2024 Inform
No ratings yet
Comprehensive Botnet Detection by Mitigating Adversarial Attacks 2024 Inform
22 pages
Ieee Paper
No ratings yet
Ieee Paper
5 pages
Atchu
No ratings yet
Atchu
53 pages
TelematiqueVol21Issue1 616
No ratings yet
TelematiqueVol21Issue1 616
31 pages
Paper 6
No ratings yet
Paper 6
26 pages
Main El Body
No ratings yet
Main El Body
22 pages
Upgrade TA IoT Botnet Attacks Using Explainable Artificial Intelligence XAI - 5
No ratings yet
Upgrade TA IoT Botnet Attacks Using Explainable Artificial Intelligence XAI - 5
6 pages
Analysis of the Bot-IoT Dataset
No ratings yet
Analysis of the Bot-IoT Dataset
8 pages
Rq3 Paper 01
No ratings yet
Rq3 Paper 01
10 pages
1.A Novel Approach of Botnet Detection Using Hybrid Deep - 2024 - Alexandria Engi
No ratings yet
1.A Novel Approach of Botnet Detection Using Hybrid Deep - 2024 - Alexandria Engi
10 pages
Eeum Di Dissertacao pg13570 PDF
No ratings yet
Eeum Di Dissertacao pg13570 PDF
132 pages
Stage 1
No ratings yet
Stage 1
24 pages
Majp
No ratings yet
Majp
20 pages
Online Self-Supervised Deep Learning For Intrusion Detection Systems
No ratings yet
Online Self-Supervised Deep Learning For Intrusion Detection Systems
17 pages
Upgrade TA IoT Botnet Attacks Using Explainable Artificial Intelligence XAI - 2
No ratings yet
Upgrade TA IoT Botnet Attacks Using Explainable Artificial Intelligence XAI - 2
6 pages
Machine Learning Base IoT Botnet Detection Systems
No ratings yet
Machine Learning Base IoT Botnet Detection Systems
10 pages
AI for Botnet Prevention in IoT Devices
No ratings yet
AI for Botnet Prevention in IoT Devices
12 pages
Hybrid Metaheuristics With Machine Learning Based
No ratings yet
Hybrid Metaheuristics With Machine Learning Based
9 pages
Bot Detection via Graph Convolution
No ratings yet
Bot Detection via Graph Convolution
19 pages
Adversarial Explainability: Utilizing Explainable Machine Learning in Bypassing Iot Botnet Detection Systems
No ratings yet
Adversarial Explainability: Utilizing Explainable Machine Learning in Bypassing Iot Botnet Detection Systems
11 pages
N-BaIoTNetwork-Based Detection of IoT Botnet Attacks Using Deep Autoencoders
No ratings yet
N-BaIoTNetwork-Based Detection of IoT Botnet Attacks Using Deep Autoencoders
11 pages
Botnet Detection Techniques
No ratings yet
Botnet Detection Techniques
5 pages
Correlation-Based Botnet Detection
No ratings yet
Correlation-Based Botnet Detection
186 pages
1294-Manuscript (Without Author Details) - 5326-1-10-20201227
No ratings yet
1294-Manuscript (Without Author Details) - 5326-1-10-20201227
11 pages
A Data-Driven Approach For Classifying and Predicting DDoS Attacks With Machine Learning
100% (1)
A Data-Driven Approach For Classifying and Predicting DDoS Attacks With Machine Learning
13 pages
Upgrade TA IoT Botnet Attacks Using Explainable Artificial Intelligence XAI - 1
No ratings yet
Upgrade TA IoT Botnet Attacks Using Explainable Artificial Intelligence XAI - 1
6 pages
(An Empowered Autonomous Institute Affiliated To SPPU) (NAAC Accredited With A+ Grade) WAGHOLI, PUNE - 412207
No ratings yet
(An Empowered Autonomous Institute Affiliated To SPPU) (NAAC Accredited With A+ Grade) WAGHOLI, PUNE - 412207
10 pages
Sat - 48.Pdf - Malicious Attacks Detection Using Machine Learning
No ratings yet
Sat - 48.Pdf - Malicious Attacks Detection Using Machine Learning
11 pages
IoT Botnet Detection via LDA Optimization
No ratings yet
IoT Botnet Detection via LDA Optimization
12 pages
MalBoT-DRL Malware Botnet Detection Using Deep Reinforcement Learning in IoT Networks
No ratings yet
MalBoT-DRL Malware Botnet Detection Using Deep Reinforcement Learning in IoT Networks
20 pages
IoT Network Intrusion Detection Analysis
No ratings yet
IoT Network Intrusion Detection Analysis
69 pages
Botnet Detection for IoT in Smart Cities
No ratings yet
Botnet Detection for IoT in Smart Cities
49 pages
Revise 2
No ratings yet
Revise 2
26 pages
Detecting IoT Botnet Attacks Using Machine Learning Methods
No ratings yet
Detecting IoT Botnet Attacks Using Machine Learning Methods
7 pages
Machine Learning For HTTP Botnet Detection Using Classifier Algorithms
No ratings yet
Machine Learning For HTTP Botnet Detection Using Classifier Algorithms
4 pages
A Systematic Study of The Class Imbalance Problem in Convolutional Neural Networks
No ratings yet
A Systematic Study of The Class Imbalance Problem in Convolutional Neural Networks
21 pages
Improving Heart Disease Prediction Accuracy Using A Hybrid Machine Learning Approach: A Comparative Study of SVM and KNN Algorithms
No ratings yet
Improving Heart Disease Prediction Accuracy Using A Hybrid Machine Learning Approach: A Comparative Study of SVM and KNN Algorithms
6 pages
Music Genre Classification For Indian Mu
No ratings yet
Music Genre Classification For Indian Mu
9 pages
Network-Aware Credit Scoring System For Telecom Subscribers Using Machine Learning and Network Analysis
No ratings yet
Network-Aware Credit Scoring System For Telecom Subscribers Using Machine Learning and Network Analysis
21 pages
Fake Logo Detection
No ratings yet
Fake Logo Detection
11 pages
PDF 1741861530097
No ratings yet
PDF 1741861530097
6 pages
Introduction To Optimization Data Science
No ratings yet
Introduction To Optimization Data Science
9 pages
LocalGLMnet for Actuarial Data Analysis
No ratings yet
LocalGLMnet for Actuarial Data Analysis
35 pages
Mayank
No ratings yet
Mayank
38 pages
Machine Learning As A Surrogate For FEM Predicting Mechanical
No ratings yet
Machine Learning As A Surrogate For FEM Predicting Mechanical
17 pages
05 ANN Artificial Neural Networks
No ratings yet
05 ANN Artificial Neural Networks
221 pages
Li2022 Article BrainTumorSegmentationBasedOnR
No ratings yet
Li2022 Article BrainTumorSegmentationBasedOnR
11 pages
Bird Species
No ratings yet
Bird Species
60 pages
Project Proposal
0% (1)
Project Proposal
5 pages
Deep Learning Unit2
No ratings yet
Deep Learning Unit2
43 pages
IEEE Bone Fracture Detection Paper
No ratings yet
IEEE Bone Fracture Detection Paper
2 pages
The Role and Applications of Artificial Intelligence A I in Disaster Management
No ratings yet
The Role and Applications of Artificial Intelligence A I in Disaster Management
20 pages
Paragraph Structure PDF
No ratings yet
Paragraph Structure PDF
4 pages
Dissertation Akash
No ratings yet
Dissertation Akash
106 pages
NN&DL Unit-IV Regularization For Deep Learning
No ratings yet
NN&DL Unit-IV Regularization For Deep Learning
16 pages
Data Scientist/ Machine Learning Engineer: Summary
No ratings yet
Data Scientist/ Machine Learning Engineer: Summary
4 pages
Explainable AI: A Systematic Review
No ratings yet
Explainable AI: A Systematic Review
14 pages
Foundational AI in Insurance and Real Estate A Survey of Applications Challenges and Future Directions
No ratings yet
Foundational AI in Insurance and Real Estate A Survey of Applications Challenges and Future Directions
21 pages
ETI Notes For 1st Unit AI (Artificial Intelligence)
No ratings yet
ETI Notes For 1st Unit AI (Artificial Intelligence)
11 pages
Applied Acoustics: Özkan - Inik
No ratings yet
Applied Acoustics: Özkan - Inik
25 pages
Object Detection Project Report
67% (6)
Object Detection Project Report
86 pages
Disertatie
No ratings yet
Disertatie
5 pages
500 ETI MCQ Must Do
100% (1)
500 ETI MCQ Must Do
72 pages
Lones 2024
No ratings yet
Lones 2024
28 pages
DL Project Ideas
No ratings yet
DL Project Ideas
3 pages