Recently, the number of Internet of Things (IoT) botnet attacks has increased tremendously due to the expansion of online IoT devices, which can be easily compromised. Botnets are a common threat that takes advantage of the lack of basic security tools in IoT devices and can perform a series of Distributed Denial of Service (DDoS) attacks. Developing new methods to detect compromised IoT devices is urgent in order to mitigate the negative consequences of these IoT botnets, since the existing IoT botnet detection methods still present some issues, such as relying on labelled data, not being validated with newer botnets, and using very complex machine learning algorithms. Anomaly detection methods are promising for detecting IoT botnet attacks since the amount of available normal data is very large. One of the powerful algorithms that can be used for anomaly detection is the One-Class Support Vector Machine (OCSVM). The efficiency of the OCSVM algorithm depends on several factors that greatly affect the classification results, such as the subset of features used for training the OCSVM model, the kernel type, and its hyperparameters. In this paper, a new unsupervised evolutionary IoT botnet detection method is proposed. The main contribution of the proposed method is to detect IoT botnet attacks launched from compromised IoT devices by exploiting the efficiency of a recent swarm intelligence algorithm called the Grey Wolf Optimization algorithm (GWO) to optimize the hyperparameters of the OCSVM and, at the same time, to find the features that best describe the IoT botnet problem. To prove the efficiency of the proposed method, its performance is evaluated using typical anomaly detection evaluation measures over a new version of a real benchmark dataset. The experimental results show that the proposed method outperforms all other algorithms in terms of true positive rate, false positive rate, and G-mean for all IoT device types. It also achieves the lowest detection time while significantly reducing the number of selected features.
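The search the abstract describes, a GWO pack whose every wolf encodes the OCSVM hyperparameters and a feature mask together and is scored on benign-only training data against a validation set, is made concrete in the added Python example below. It is not the authors' code: it stands in an RBF kernel-density scorer with a nu-quantile threshold for OCSVM so that it runs with no external packages (gamma and nu keep their OCSVM roles of kernel width and allowed outlier fraction), it uses constructed traffic features rather than the benchmark dataset, and the G-mean-minus-feature-count fitness, the bounds on gamma and nu, and the 0.5 cut-off for decoding feature bits are assumptions made for the example.

```python
"""GWO-tuned one-class anomaly detector: hyperparameters and feature mask in one wolf."""
import math
import random

random.seed(7)

# Constructed sample traffic features (not the benchmark data used in the paper):
# features 0 and 1 carry the attack signal, features 2-4 are noise in both classes.
N_FEATURES = 5
INFORMATIVE = (0, 1)

def make_samples(n, attack):
    return [[random.gauss(4.0 if (attack and f in INFORMATIVE) else 0.0,
                          0.4 if f in INFORMATIVE else 1.0)
             for f in range(N_FEATURES)] for _ in range(n)]

TRAIN_NORMAL = make_samples(60, attack=False)  # the model is fitted on benign traffic only
VAL_NORMAL = make_samples(40, attack=False)
VAL_ATTACK = make_samples(40, attack=True)

# One-class model: RBF kernel density with a nu-quantile threshold. This stands in
# for OCSVM so the block needs no external packages; gamma (kernel width) and nu
# (allowed fraction of training outliers) play the same roles as in OCSVM.
def rbf_score(x, train, gamma, mask):
    return sum(math.exp(-gamma * sum((x[f] - t[f]) ** 2 for f in mask))
               for t in train) / len(train)

def fit_threshold(train, gamma, nu, mask):
    n = len(train)
    # leave-one-out: remove each point's own kernel term (always exactly 1)
    loo = sorted((n * rbf_score(x, train, gamma, mask) - 1.0) / (n - 1) for x in train)
    return loo[min(n - 1, int(nu * n))]

def evaluate(gamma, nu, mask):
    """Fit on benign data, then return (tpr, fpr, gmean) over the validation sets."""
    if not mask:
        return 0.0, 1.0, 0.0
    thr = fit_threshold(TRAIN_NORMAL, gamma, nu, mask)
    flagged = lambda x: rbf_score(x, TRAIN_NORMAL, gamma, mask) < thr
    tpr = sum(flagged(x) for x in VAL_ATTACK) / len(VAL_ATTACK)
    fpr = sum(flagged(x) for x in VAL_NORMAL) / len(VAL_NORMAL)
    return tpr, fpr, math.sqrt(tpr * (1.0 - fpr))

# Grey Wolf Optimizer over a mixed encoding: wolf = [log10(gamma), nu, m0..m4],
# where feature f is selected when m_f >= 0.5 (assumed continuous-to-binary decoding).
LOW = [-3.0, 0.01] + [0.0] * N_FEATURES
HIGH = [1.0, 0.30] + [1.0] * N_FEATURES
FEATURE_PENALTY = 0.01  # assumed: small cost per selected feature, favouring compact subsets

def decode(wolf):
    return 10.0 ** wolf[0], wolf[1], [f for f in range(N_FEATURES) if wolf[2 + f] >= 0.5]

def fitness(wolf):
    gamma, nu, mask = decode(wolf)
    return evaluate(gamma, nu, mask)[2] - FEATURE_PENALTY * len(mask)

def gwo(n_wolves=8, iters=15):
    dim = len(LOW)
    pack = [[random.uniform(LOW[d], HIGH[d]) for d in range(dim)] for _ in range(n_wolves)]
    best = None
    for it in range(iters):
        ranked = sorted(pack, key=fitness, reverse=True)
        alpha, beta, delta = ranked[0], ranked[1], ranked[2]
        if best is None or fitness(alpha) > fitness(best):
            best = alpha
        a = 2.0 - 2.0 * it / iters  # exploration parameter decays linearly from 2 to 0
        new_pack = []
        for w in pack:
            pos = []
            for d in range(dim):
                est = 0.0
                for leader in (alpha, beta, delta):  # each wolf moves toward the three leaders
                    A = 2.0 * a * random.random() - a
                    C = 2.0 * random.random()
                    est += leader[d] - A * abs(C * leader[d] - w[d])
                pos.append(min(HIGH[d], max(LOW[d], est / 3.0)))
            new_pack.append(pos)
        pack = new_pack
    final = max(pack, key=fitness)  # the last update is scored too
    return final if fitness(final) > fitness(best) else best

def run_demo():
    gamma, nu, mask = decode(gwo())
    tpr, fpr, gmean = evaluate(gamma, nu, mask)
    return {"gamma": gamma, "nu": nu, "features": mask, "tpr": tpr, "fpr": fpr, "gmean": gmean}

if __name__ == "__main__":
    print(run_demo())
```

Running the block prints the decoded best wolf: the kernel width, the outlier fraction, the feature indices it kept, and the TPR, FPR and G-mean those settings reach on the validation split. The feature penalty is what makes the search drop the noise features rather than tolerate them, which is the mechanism behind the abstract's claim of a reduced feature count; the leave-one-out threshold avoids a large-gamma degenerate case where every training point scores itself and all unseen benign traffic is flagged.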
Conflict of interest
There is no conflict of interest to declare.
This article does not contain any studies with human participants or animals performed by any of the authors.
Cite this article
Al Shorman, A., Faris, H. & Aljarah, I. Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection. J Ambient Intell Human Comput 11, 2809–2825 (2020). https://doi.org/10.1007/s12652-019-01387-y
- Internet of Things
- Anomaly detection
- Feature selection
- Intrusion detection system
- Grey wolf optimization algorithm
- Novelty detection
- One class support vector machine