Title: Mitigating IoT botnet attacks: An early-stage explainable network-based anomaly detection approach
Authors: Abdelaziz Amara Korba, Alaeddine Diaf, Mouhamed Amine Bouchiha, Yacine Ghamri-Doudane
DOI: 10.1016/j.comcom.2025.108270
Journal: Computer Communications, volume 241, Article 108270 (Journal Article)
Publication date: 2025-07-16
URL: https://www.sciencedirect.com/science/article/pii/S0140366425002270
Citations: 0
Abstract
As the Internet of Things (IoT) continues to expand, botnet-driven threats pose a growing and severe risk to the security of IoT-enabled infrastructures. These threats exploit large numbers of compromised devices to establish covert control channels and, eventually, launch large-scale cyberattacks such as Distributed Denial of Service (DDoS), capable of severely disrupting critical services and causing substantial economic damage. This paper highlights the urgent need for detecting botnets at an early stage, particularly by identifying stealthy command and control (C&C) traffic that precedes the execution of such attacks. We propose an anomaly-based detection framework that combines semi-supervised learning with explainable Artificial Intelligence (XAI). Unlike most existing approaches, our method requires only benign traffic for training, thereby enabling the detection of previously unseen or evolving botnet threats without relying on labeled malicious data. The framework supports multiple traffic representations, including raw bytes, packet-level data, and unidirectional or bidirectional flows, enriched with diverse network features to enhance detection coverage and adaptability. Experimental evaluations using the IoT-23 dataset demonstrate a 99.51% detection rate and a 1.09% false positive rate for stealthy C&C communications, underscoring the method’s effectiveness and robustness. The integration of XAI enhances transparency and interpretability, enabling security professionals to better understand model decisions and refine detection strategies.
Journal description:
Computer and communication networks are key infrastructures of the information society with high socio-economic value, as they contribute to the correct operation of many critical services (from healthcare to finance and transportation). The Internet is the core of today's computer-communication infrastructures. This has transformed the Internet from a robust network for data transfer between computers into a global, content-rich communication and information system where content is increasingly generated by the users and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms.
Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers except the physical layer), with special attention to the evolution of the Internet architecture, protocols, services, and applications.