缓解物联网僵尸网络攻击:早期可解释的基于网络的异常检测方法

IF 4.3 3区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Abdelaziz Amara Korba , Alaeddine Diaf , Mouhamed Amine Bouchiha , Yacine Ghamri-Doudane
{"title":"缓解物联网僵尸网络攻击:早期可解释的基于网络的异常检测方法","authors":"Abdelaziz Amara Korba ,&nbsp;Alaeddine Diaf ,&nbsp;Mouhamed Amine Bouchiha ,&nbsp;Yacine Ghamri-Doudane","doi":"10.1016/j.comcom.2025.108270","DOIUrl":null,"url":null,"abstract":"<div><div>As the Internet of Things (IoT) continues to expand, botnet-driven threats pose a growing and severe risk to the security of IoT-enabled infrastructures. These threats exploit large numbers of compromised devices to establish covert control channels and, eventually, launch large-scale cyberattacks such as Distributed Denial of Service (DDoS), capable of severely disrupting critical services and causing substantial economic damage. This paper highlights the urgent need for detecting botnets at an early stage, particularly by identifying stealthy command and control (C&amp;C) traffic that precedes the execution of such attacks. We propose an anomaly-based detection framework that combines semi-supervised learning with explainable Artificial Intelligence (XAI). Unlike most existing approaches, our method requires only benign traffic for training, thereby enabling the detection of previously unseen or evolving botnet threats without relying on labeled malicious data. The framework supports multiple traffic representations, including raw bytes, packet-level data, and unidirectional or bidirectional flows, enriched with diverse network features to enhance detection coverage and adaptability. Experimental evaluations using the IoT-23 dataset demonstrate a 99.51% detection rate and a 1.09% false positive rate for stealthy C&amp;C communications, underscoring the method’s effectiveness and robustness. The integration of XAI enhances transparency and interpretability, enabling security professionals to better understand model decisions and refine detection strategies.</div></div>","PeriodicalId":55224,"journal":{"name":"Computer Communications","volume":"241 ","pages":"Article 108270"},"PeriodicalIF":4.3000,"publicationDate":"2025-07-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Mitigating IoT botnet attacks: An early-stage explainable network-based anomaly detection approach\",\"authors\":\"Abdelaziz Amara Korba ,&nbsp;Alaeddine Diaf ,&nbsp;Mouhamed Amine Bouchiha ,&nbsp;Yacine Ghamri-Doudane\",\"doi\":\"10.1016/j.comcom.2025.108270\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>As the Internet of Things (IoT) continues to expand, botnet-driven threats pose a growing and severe risk to the security of IoT-enabled infrastructures. These threats exploit large numbers of compromised devices to establish covert control channels and, eventually, launch large-scale cyberattacks such as Distributed Denial of Service (DDoS), capable of severely disrupting critical services and causing substantial economic damage. This paper highlights the urgent need for detecting botnets at an early stage, particularly by identifying stealthy command and control (C&amp;C) traffic that precedes the execution of such attacks. We propose an anomaly-based detection framework that combines semi-supervised learning with explainable Artificial Intelligence (XAI). Unlike most existing approaches, our method requires only benign traffic for training, thereby enabling the detection of previously unseen or evolving botnet threats without relying on labeled malicious data. The framework supports multiple traffic representations, including raw bytes, packet-level data, and unidirectional or bidirectional flows, enriched with diverse network features to enhance detection coverage and adaptability. Experimental evaluations using the IoT-23 dataset demonstrate a 99.51% detection rate and a 1.09% false positive rate for stealthy C&amp;C communications, underscoring the method’s effectiveness and robustness. The integration of XAI enhances transparency and interpretability, enabling security professionals to better understand model decisions and refine detection strategies.</div></div>\",\"PeriodicalId\":55224,\"journal\":{\"name\":\"Computer Communications\",\"volume\":\"241 \",\"pages\":\"Article 108270\"},\"PeriodicalIF\":4.3000,\"publicationDate\":\"2025-07-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computer Communications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0140366425002270\",\"RegionNum\":3,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Communications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0140366425002270","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

随着物联网(IoT)的不断扩展,僵尸网络驱动的威胁对支持物联网的基础设施的安全构成了日益严重的风险。这些威胁利用大量受损设备建立隐蔽控制通道,并最终发起大规模网络攻击,如分布式拒绝服务(DDoS),能够严重破坏关键服务并造成重大经济损失。本文强调了在早期阶段检测僵尸网络的迫切需要,特别是通过识别在执行此类攻击之前的隐形指挥和控制(C&;C)流量。我们提出了一种基于异常的检测框架,该框架结合了半监督学习和可解释的人工智能(XAI)。与大多数现有方法不同,我们的方法只需要良性流量进行训练,从而能够检测以前未见过的或不断发展的僵尸网络威胁,而不依赖于标记的恶意数据。该框架支持多种流量表示,包括原始字节、包级数据、单向或双向流,丰富了多种网络特征,增强了检测覆盖和适应性。使用IoT-23数据集的实验评估表明,对隐身C&;C通信的检测率为99.51%,假阳性率为1.09%,强调了该方法的有效性和鲁棒性。XAI的集成增强了透明度和可解释性,使安全专业人员能够更好地理解模型决策并改进检测策略。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Mitigating IoT botnet attacks: An early-stage explainable network-based anomaly detection approach
As the Internet of Things (IoT) continues to expand, botnet-driven threats pose a growing and severe risk to the security of IoT-enabled infrastructures. These threats exploit large numbers of compromised devices to establish covert control channels and, eventually, launch large-scale cyberattacks such as Distributed Denial of Service (DDoS), capable of severely disrupting critical services and causing substantial economic damage. This paper highlights the urgent need for detecting botnets at an early stage, particularly by identifying stealthy command and control (C&C) traffic that precedes the execution of such attacks. We propose an anomaly-based detection framework that combines semi-supervised learning with explainable Artificial Intelligence (XAI). Unlike most existing approaches, our method requires only benign traffic for training, thereby enabling the detection of previously unseen or evolving botnet threats without relying on labeled malicious data. The framework supports multiple traffic representations, including raw bytes, packet-level data, and unidirectional or bidirectional flows, enriched with diverse network features to enhance detection coverage and adaptability. Experimental evaluations using the IoT-23 dataset demonstrate a 99.51% detection rate and a 1.09% false positive rate for stealthy C&C communications, underscoring the method’s effectiveness and robustness. The integration of XAI enhances transparency and interpretability, enabling security professionals to better understand model decisions and refine detection strategies.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Computer Communications
Computer Communications 工程技术-电信学
CiteScore
14.10
自引率
5.00%
发文量
397
审稿时长
66 days
期刊介绍: Computer and Communications networks are key infrastructures of the information society with high socio-economic value as they contribute to the correct operations of many critical services (from healthcare to finance and transportation). Internet is the core of today''s computer-communication infrastructures. This has transformed the Internet, from a robust network for data transfer between computers, to a global, content-rich, communication and information system where contents are increasingly generated by the users, and distributed according to human social relations. Next-generation network technologies, architectures and protocols are therefore required to overcome the limitations of the legacy Internet and add new capabilities and services. The future Internet should be ubiquitous, secure, resilient, and closer to human communication paradigms. Computer Communications is a peer-reviewed international journal that publishes high-quality scientific articles (both theory and practice) and survey papers covering all aspects of future computer communication networks (on all layers, except the physical layer), with a special attention to the evolution of the Internet architecture, protocols, services, and applications.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:604180095
Book学术官方微信