Enhancing IoT Security: Evaluating Tree-Based Machine Learning Algorithms for Botnet Detection

By Soham NandiReviewed by Susha Cheriyedath, M.Sc.Dec 13 2023

In an article published in the journal Nature, researchers explored Internet of Things (IoT) security, focusing on countering botnet attacks that pose significant threats to IoT ecosystems. They evaluated the efficacy of tree-based algorithms in detecting botnet attacks, providing insights into their performance and computational efficiency.

Background

The proliferation of IoT technology has ushered in transformative advancements across various domains, from smart homes to industrial automation. However, the expansive and diverse nature of IoT devices, coupled with their limited resources, exposes them to vulnerabilities, especially from sophisticated cyber threats like botnet attacks. Attacks such as these, compromise IoT systems, enabling malicious software to remotely control devices and launch more damaging assaults, such as distributed denial of service (DDoS).

Previously researched intrusion detection methods face challenges in the IoT environment. These challenges were tackled in the present study with the help of Machine Learning (ML) and Deep Learning (DL). ML algorithms provided a promising approach through their ability to handle high-dimensional data, non-linear relationships, and scalability—critical considerations in the complex landscape of IoT networks. Robust solutions were presented by Tree-based ML algorithms, which included Decision Trees (DT), Random Forest (RF), Bagging Meta Classifier (BMC), and other boosting techniques. Their effectiveness was in their capacity to create accurate models, handle noisy data, and adapt to the dynamic and diverse characteristics of IoT networks.

The researchers conducted a comprehensive empirical investigation, utilizing a public botnet dataset from the IoT environment. Results showcased the significant potential of these algorithms, with RF standing out for its multi-class classification accuracy. The comparative analysis shed light on their computational performance, offering valuable insights for fortifying IoT security against evolving cyber threats.

Methods

The authors focused on network intrusion detection using ML and proposed a comprehensive evaluation scheme. The chosen dataset was N-BaIoT17, collected from an IoT environment, containing benign and malicious traffic instances. The dataset included various attack types injected into commercially available IoT devices, offering a realistic evaluation scenario. Six tree-based algorithms, including DT, RF, BMC, AdaBoost (ADB), Gradient Descent Boosting (GDB), and XGBoost (XGB), are employed for empirical evaluation within the Colab notebook environment.

Dataset preprocessing involved cleaning and transforming raw data, addressing class imbalance by creating a balanced dataset with equal instances of benign, Mirai, and Gafgyt traffic. Feature distribution analysis using the Interquartile Range (IQR) identified outliers replaced by mean values. The dataset was shuffled to randomize the training data order. A confusion matrix was used to visualize model performance, with True Positive, True Negative, False Positive, and False Negative.

A systematic approach was proposed for evaluating ML models for network intrusion detection, which included using a well-selected dataset, preprocessing techniques, and comprehensive evaluation metrics, offering insights into the effectiveness of different tree-based algorithms in detecting and mitigating botnet attacks in an IoT environment.

Study Results

The empirical study focused on network intrusion detection using tree-based machine learning algorithms evaluated six models for multi-class classification on the N-BaIoT17 dataset. The best performance was demonstrated by the RF algorithm. It achieved an accuracy of 0.99 and had outstanding results in precision, recall, and F1 score. In terms of training time, the GDB algorithm had the longest training time due to the absence of multi-threading support, unlike the XGB algorithm.

A five-fold cross-validation was implemented to ensure the reliability of the results. Comparisons were made with a previous DL study, which utilized a convolutional neural network (CNN) and gated recurrent unit (GRU) for intrusion detection in wireless sensor networks. The RF model, when executed on the Colab platform using only Central Processing Unit (CPU), demonstrated competitive performance with a shorter training time compared to the CNN model. The RF model's detection time was significantly lower, representing only 10% of the time required by the CNN model. The results pointed out that the RF algorithm was effective for network intrusion detection in IoT environments and its performance was favorable when compared with DL approaches.

Conclusion

In conclusion, the study empirically evaluated six tree-based machine learning algorithms for detecting network intrusions in IoT, with the RF algorithm showing superior multi-class classification performance. Future research directions would involve developing models for identifying new malicious attacks in IoT, particularly addressing botnet attacks, and exploring comprehensive solutions with high detection accuracy and light resource consumption. Further evaluations on different datasets and a focus on model explainability were suggested to enhance transparency and trust in the results.