Enhancing botnet detection using federated learning in IoT networks

Publisher

Graduate School

Abstract

A botnet is a network of compromised devices, usually controlled by a malicious actor. Botnets are used to launch cyberattacks, including Distributed Denial of Service (DDoS) attacks, theft of sensitive financial data, and cryptocurrency mining. The compromised devices listen for commands from the malicious actor and execute them when they are received, with the mechanism often provided by command-and-control (C2) servers. The true strength of a botnet lies in its scale, as it can consist of millions of compromised devices working in unison. The rapid growth in the usage of Internet of Things (IoT) devices has therefore significantly increased the presence of botnet threats, as many of these devices lack strong security. Devices such as smart home devices, wearable activity trackers, security cameras, and routers are particularly vulnerable due to their widespread internet connectivity and minimal user oversight. The reliance of botnets on extensive networks of compromised devices renders them particularly well-suited to exploit the expanding IoT landscape. Consequently, the ability to detect botnets is crucial for preventing cyberattacks and protecting sensitive data. However, traditional security methods often fail in IoT environments, making advanced detection techniques necessary. Fast and accurate detection is essential to minimize damage. Fast detection will allow us to prevent botnet attacks before any damage is done. This study explores techniques such as machine learning and optimized feature selection to enhance botnet detection, boost performance for rapid detection, improve accuracy, and strengthen IoT security against botnet threats. Our dataset, N-BaIoT, contains Mirai- and Gafgyt-infected network traffic statistics as well as benign traffic from 9 different IoT devices. Since the dataset is imbalanced across the devices, we have used CTGAN to generate synthetic data to balance the dataset.
We have proposed a federated learning architecture to enhance botnet detection. The server has a global model that is aggregated with the updates coming from the devices' local models. Using FedAvg, we have updated the global model in each training round R, where C clients were randomly chosen and updates were received from them. Every client has its own local data, local DNN model, and local GAN model. Clients train their GAN model with the local data and continuously retrain it with new incoming traffic. In each round, they use the GAN to generate synthetic data to resolve the class imbalance issue and the low sample count. We have also used a hybrid feature selection method and have selected the 10 most important features. This is important since IoT devices have limited resources, and applying dimensionality reduction helps to address this constraint. We have evaluated the generated synthetic data according to several metrics and measured its effect on accuracy with the DNN model. Overall, the proposed model has its own advantages, such as preserving privacy and balancing classes, which resulted in better performance with coordinated learning.

Description

Thesis (M.Sc.) -- Istanbul Technical University, Graduate School, 2025

Subject

federated learning, federated learning method, IoT networks
