Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection

  • Amaal Al Shorman
  • Hossam Faris
  • Ibrahim Aljarah
Original Research


Recently, the number of Internet of Things (IoT) botnet attacks has increased tremendously due to the expansion of online IoT devices, which can be easily compromised. Botnets are a common threat that takes advantage of the lack of basic security measures in IoT devices and can launch a series of Distributed Denial of Service (DDoS) attacks. Developing new methods to detect compromised IoT devices is urgent in order to mitigate the negative consequences of these IoT botnets, since the existing IoT botnet detection methods still present some issues, such as relying on labelled data, not being validated against newer botnets, and using very complex machine learning algorithms. Anomaly detection methods are promising for detecting IoT botnet attacks since the amount of available normal data is very large. One powerful algorithm that can be used for anomaly detection is the One-Class Support Vector Machine (OCSVM). The efficiency of OCSVM depends on several factors that greatly affect the classification results, such as the subset of features used to train the OCSVM model, the kernel type, and its hyperparameters. In this paper, a new unsupervised evolutionary IoT botnet detection method is proposed. The main contribution of the proposed method is to detect IoT botnet attacks launched from compromised IoT devices by exploiting the efficiency of a recent swarm intelligence algorithm, the Grey Wolf Optimization algorithm (GWO), to optimize the hyperparameters of the OCSVM and, at the same time, to find the features that best describe the IoT botnet problem. To prove the efficiency of the proposed method, its performance is evaluated using typical anomaly detection evaluation measures over a new version of a real benchmark dataset. The experimental results show that the proposed method outperforms all other compared algorithms in terms of true positive rate, false positive rate, and G-mean for all IoT device types. It also achieves the lowest detection time, while significantly reducing the number of selected features.
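As an added example (not the paper's code), the following Python sketch wraps Grey Wolf Optimization around a one-class detector so that a single search chooses the feature subset and the detector's hyperparameters together, then reports true positive rate, false positive rate and G-mean. Everything beyond what the abstract states is an assumption of this example: the detector is a dependency-free RBF Parzen-window one-class scorer standing in for OCSVM (it reuses OCSVM's nu and gamma roles but is not OCSVM); the hybrid encoding (one gene per feature thresholded at 0.5, two continuous genes for nu and gamma) and the fitness (validation G-mean minus a feature-count penalty) are choices made here, since the abstract does not state the paper's; the feature names, traffic distributions and sample sizes are constructed.

```python
"""Added example (not the paper's code): GWO wrapped around a one-class detector so
one search picks the feature subset and (nu, gamma) together, scored by G-mean.
Assumed: a pure-Python RBF Parzen scorer stands in for OCSVM; labelled fitness."""
import math
import random
from collections import Counter

# Constructed per-device traffic features; the last two carry no signal.
FEATURES = ["bytes_per_pkt", "pkts_per_sec", "mean_iat_ms",
            "distinct_dst_ports", "noise_a", "noise_b"]

def make_traffic(n_normal, n_attack, rng):
    """Constructed sample: benign device chatter vs. a flood-style botnet burst."""
    normal = [[rng.gauss(300, 40), rng.gauss(5, 1.5), rng.gauss(200, 30),
               rng.gauss(2, 0.7), rng.gauss(0, 1), rng.gauss(0, 1)] for _ in range(n_normal)]
    attack = [[rng.gauss(280, 60), rng.gauss(60, 15), rng.gauss(15, 5),
               rng.gauss(12, 3), rng.gauss(0, 1), rng.gauss(0, 1)] for _ in range(n_attack)]
    return normal, attack

class ParzenOneClass:
    """Fitted on normal traffic only; nu = fraction of training points allowed outside
    the boundary, gamma = RBF width (the same roles the two play in OCSVM)."""
    def __init__(self, features, nu, gamma):
        self.features, self.nu, self.gamma = features, nu, gamma

    def _standardize(self, rows):
        return [[(r[j] - self.mu[j]) / self.sd[j] for j in self.features] for r in rows]

    def _score(self, z, skip=None):
        # Mean RBF similarity to the training set; a low score means far from normal.
        sims = [math.exp(-self.gamma * sum((a - b) ** 2 for a, b in zip(z, t)))
                for i, t in enumerate(self.train) if i != skip]
        return sum(sims) / len(sims)

    def fit(self, rows):
        n = len(rows)
        self.mu = {j: sum(r[j] for r in rows) / n for j in self.features}
        self.sd = {j: max(1e-9, math.sqrt(sum((r[j] - self.mu[j]) ** 2 for r in rows) / n))
                   for j in self.features}
        self.train = self._standardize(rows)
        # Leave-one-out scores keep the nu-quantile threshold comparable to unseen points.
        loo = sorted(self._score(z, skip=i) for i, z in enumerate(self.train))
        self.threshold = loo[int(self.nu * (n - 1))]
        return self

    def predict(self, rows):
        # True = flagged as botnet traffic, False = normal.
        return [self._score(z) < self.threshold for z in self._standardize(rows)]

def rates(pred, truth):
    """Returns (TPR, FPR, G-mean) with G-mean = sqrt(TPR * (1 - FPR))."""
    c = Counter(zip(pred, truth))
    tp, fn, fp, tn = c[True, True], c[False, True], c[True, False], c[False, False]
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr, math.sqrt(tpr * (1 - fpr))

def decode(pos):
    """Assumed hybrid encoding: one gene per feature (kept if > 0.5), then nu in
    [0.01, 0.5] and gamma in [0.01, 2], both scaled from the unit interval."""
    d = len(FEATURES)
    feats = [j for j in range(d) if pos[j] > 0.5] or [max(range(d), key=lambda j: pos[j])]
    return feats, 0.01 + 0.49 * pos[d], 0.01 + 1.99 * pos[d + 1]

def fitness(pos, train_normal, val_rows, val_truth):
    # Wrapper fitness: validation G-mean minus a mild penalty on subset size.
    feats, nu, gamma = decode(pos)
    model = ParzenOneClass(feats, nu, gamma).fit(train_normal)
    return rates(model.predict(val_rows), val_truth)[2] - 0.02 * len(feats) / len(FEATURES)

def gwo(fit, dim, wolves=6, iters=10, rng=None):
    """Canonical GWO (Mirjalili et al. 2014) maximising fit over the unit box."""
    rng = rng or random.Random(0)
    pack = [[rng.random() for _ in range(dim)] for _ in range(wolves)]
    scores = [fit(w) for w in pack]
    best_pos, best_score = max(zip(pack, scores), key=lambda ps: ps[1])
    for it in range(iters):
        leaders = [pack[i] for i in sorted(range(wolves), key=lambda i: -scores[i])[:3]]
        a = 2 - 2 * it / iters                        # decreases linearly from 2 to 0
        for i in range(wolves):
            new = []
            for j in range(dim):
                pulls = []
                for leader in leaders:                # alpha, beta, delta
                    A, C = 2 * a * rng.random() - a, 2 * rng.random()
                    pulls.append(leader[j] - A * abs(C * leader[j] - pack[i][j]))
                new.append(min(1.0, max(0.0, sum(pulls) / 3)))
            pack[i], scores[i] = new, fit(new)
            if scores[i] > best_score:
                best_pos, best_score = new, scores[i]
    return best_pos, best_score

def run_demo(seed=7):
    """Optimise the feature subset and (nu, gamma), then report TPR/FPR/G-mean."""
    rng = random.Random(seed)
    train_normal, _ = make_traffic(60, 0, rng)
    val_normal, val_attack = make_traffic(30, 30, rng)
    val_rows, val_truth = val_normal + val_attack, [False] * 30 + [True] * 30
    best_pos, _ = gwo(lambda p: fitness(p, train_normal, val_rows, val_truth),
                      len(FEATURES) + 2, rng=random.Random(seed))
    feats, nu, gamma = decode(best_pos)
    model = ParzenOneClass(feats, nu, gamma).fit(train_normal)
    tpr, fpr, gmean = rates(model.predict(val_rows), val_truth)
    return {"features": [FEATURES[j] for j in feats], "nu": round(nu, 3),
            "gamma": round(gamma, 3), "tpr": tpr, "fpr": fpr, "gmean": gmean}
```

Calling run_demo() returns the selected feature names, the tuned nu and gamma, and the three rates on the held-out set. One caveat the abstract's "unsupervised" claim invites: scoring the wrapper on a validation set that contains attack samples makes the search itself supervised, which is exactly the reliance on labelled data that the abstract criticises in prior work; a fully unsupervised variant needs a fitness computable from normal traffic alone (for example the fraction of normal points rejected together with a compactness term), and anyone reproducing the method should check which of the two the full paper uses.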


Keywords

Internet of Things · Anomaly detection · Botnets · Feature selection · Intrusion detection system · Grey wolf optimization algorithm · Novelty detection · One class support vector machine


Compliance with ethical standards

Conflict of interest

There is no conflict of interest to declare.

Ethical standards

This article does not contain any studies with human participants or animals performed by any of the authors.



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  1. King Abdullah II School for Information Technology, The University of Jordan, Amman, Jordan
