COMPREHENSIVE INTRUSION DETECTION FOR INVESTIGATING NETWORK TRAFFIC AND BOTNET ATTACKS
DOI: https://doi.org/10.62643/

Keywords: Machine Learning, Botnet Detection, Machine Learning Techniques, Internet of Things, IoT botnet, botnet detection, IoT botnet attacks, IoT botnet DDoS attack, DDoS attack prevention, DDoS attack, IoT DDoS attack, botnet attack, botnet DDoS.

Abstract
Botnet attacks represent a significant threat in the Internet of Things (IoT) environment, typically beginning with scanning activities and culminating in distributed denial of service (DDoS) attacks. While existing research primarily focuses on detecting botnet attacks after IoT devices have been compromised and have initiated DDoS attacks, many machine learning-based detection models are limited in performance because of their dependence on specific training datasets. Consequently, these solutions often struggle to generalize across diverse attack patterns. In this study, we address this challenge by creating a comprehensive dataset encompassing 33 types of scanning activities and 60 types of DDoS attacks. Additionally, we integrate samples from three publicly available datasets to maximize attack coverage and improve the robustness of the machine learning algorithms. Our approach involves a two-fold machine learning strategy for both prevention and detection of IoT botnet attacks. In the first fold, we utilize a state-of-the-art deep learning model, specifically ResNet-18, to detect scanning activities indicative of potential botnet attacks in their early stages. In the second fold, another ResNet-18 model is trained to identify DDoS attacks, thereby covering the full spectrum of IoT botnet activity. Overall, our proposed two-fold approach achieves impressive performance metrics, including 98.89% accuracy, 99.01% precision, 98.74% recall, and 98.87% F1-score for preventing and detecting IoT botnet attacks. To validate the efficacy of our approach, we compare it against three other ResNet-18 models trained on different datasets for scan and DDoS attack detection. Experimental results demonstrate the superior efficiency of our two-fold approach in preventing and detecting botnet attacks.
License

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.