Authors: Wei Ma; Xing Wang; Jie Dong; Mingsheng Hu; Qinglei Zhou
DOI: 10.1109/TNSE.2025.3548411
Journal: IEEE Transactions on Network Science and Engineering, volume 12, issue 4, pages 2458-2472
Publication date: 2025-03-07
Publication type: Journal Article
Impact factor: 6.7; JCR: Q1 (Engineering, Multidisciplinary); region 2 (Computer Science)
Open access: no; citation count: 0
Source platform: Semanticscholar
URL: https://ieeexplore.ieee.org/document/10916681/
A Lightweight Method for Botnet Detection in Internet of Things Environment
Botnets pose a significant threat to Internet of Things (IoT) environments due to the limited computational resources of IoT devices, making traditional detection methods difficult to implement. These constraints not only hinder effective real-time detection but also leave networks vulnerable to large-scale DDoS and botnet attacks, posing a critical threat to modern connected systems. Aiming to design a lightweight botnet detection method for IoT networks, we propose a novel cloud–edge–node framework that decouples the computationally intensive training phase from the real-time detection phase. In our framework, the node layer comprises resource-constrained IoT devices that collect raw network data, the edge layer hosts lightweight detection modules for rapid analysis, and the cloud layer performs heavy-duty model training and incremental updates. Additionally, we propose a two-step feature selection process, in which the first step uses the cumulative density function (CDF) to rank features based on their distribution characteristics, and the second step applies Gini importance to further refine the feature set. This process effectively reduces computational overhead while retaining highly discriminative features for lightweight botnet detection. Experimental results on a public IoT dataset reveal that our method reduces detection time by up to 52% and energy consumption by up to 71% while maintaining high detection accuracy. These significant improvements not only validate the efficiency of our approach but also underline its potential to transform IoT security by enabling scalable, low-cost, and real-time botnet detection in diverse practical scenarios.
About the journal:
The proposed journal, called the IEEE Transactions on Network Science and Engineering (TNSE), is committed to timely publishing of peer-reviewed technical articles that deal with the theory and applications of network science and the interconnections among the elements in a system that form a network. In particular, the IEEE Transactions on Network Science and Engineering publishes articles on understanding, prediction, and control of structures and behaviors of networks at the fundamental level. The types of networks covered include physical or engineered networks, information networks, biological networks, semantic networks, economic networks, social networks, and ecological networks. Aimed at discovering common principles that govern network structures, network functionalities and behaviors of networks, the journal seeks articles on understanding, prediction, and control of structures and behaviors of networks. Another trans-disciplinary focus of the IEEE Transactions on Network Science and Engineering is the interactions between and co-evolution of different genres of networks.