
Effective and Efficient Approach in IoT Botnet Detection

This document summarizes a research paper that proposed using Linear Discriminant Analysis (LDA) for dimensionality reduction to detect IoT botnets more effectively and efficiently. The paper applied LDA to reduce the 115 features of the N-BaIoT dataset to just 2 features, then used a Decision Tree classifier to detect botnets. This achieved 100% accuracy in detecting botnets within 98.58 seconds using only 2 features, demonstrating more effective and efficient detection compared to methods using more features. The paper also reviewed several other related works that applied dimensionality reduction techniques like PCA and Fisher Score to IoT botnet detection datasets, achieving high detection accuracy levels.

SINERGI Vol. 28, No. 1, February 2024: 31-42


http://publikasi.mercubuana.ac.id/index.php/sinergi
http://doi.org/10.22441/sinergi.2024.1.004

Effective and efficient approach in IoT Botnet detection

Susanto1, Deris Stiawan2*, M. Agus Syamsul Arifin1, Mohd Yazid Idris3, Rahmat Budiarto4
1 Faculty of Engineering Science, Universitas Bina Insan, Indonesia
2 Faculty of Computer Science, Universitas Sriwijaya, Indonesia
3 Faculty of Computing, Universiti Teknologi Malaysia, Malaysia
4 College of Computer Science, Albaha University, Saudi Arabia

Abstract
The Internet of Things (IoT) enables the interaction of physical systems connected to the internet network, resulting in the generation of extensive data traffic with high dimensions. While IoT applications offer benefits and convenience to users, network security remains uncertain. One example is vulnerability to cyber-attacks, such as botnets targeting consumers' IoT devices. In the realm of network security analysis, dealing with high-dimensional data poses distinct challenges for researchers. These challenges include the curse of dimensionality, which can complicate feature definitions; predominantly unordered datasets; combinations of clusters; and exponential data growth. In this study, we applied feature reduction using the Linear Discriminant Analysis (LDA) method to minimize features on the IoT network to detect botnet. The reduction process is carried out on the N-BaIoT dataset which has 115 features reduced to 2 features. Performing feature reduction with detection systems has become more effective and efficient. Experimental result showed that the application of LDA combined with machine learning on the classification Decision Tree method was able to detect with accuracy that reached 100% in 98.58s with only two features.

Keywords: Dimensionality reduction; IoT; LDA;

Article History:
Received: May 16, 2023
Revised: July 23, 2023
Accepted: July 28, 2023
Published: February 2, 2024

Corresponding Author:
Deris Stiawan
Faculty of Computer Science, Universitas Sriwijaya, Indonesia
Email: deris@unsri.ac.id

This is an open access article under the CC BY-SA license

INTRODUCTION
The Internet of Things (IoT) enables the interaction of physical systems connected to the internet network, resulting in the generation of extensive data traffic with high dimensions [1]. While IoT applications offer benefits and convenience to users, network security remains uncertain. One example is vulnerability to cyber-attacks, such as botnets targeting consumers' IoT devices [2]. In the realm of network security analysis, dealing with high-dimensional data poses distinct challenges for researchers. These challenges include the curse of dimensionality, which can complicate feature definitions; predominantly unordered datasets; combinations of clusters; and exponential data growth [3]. Additionally, the substantial dimensions of data traffic can impact the performance of machine learning during the data analysis process [4]. A data set with high scalability may have useless and unrelated features that tend to disguise the main features, which in turn decreases data analysis performance such as classification accuracy [5]. On the other hand, further ineffective dimension reduction will jeopardize the efficiency of machine learning for pattern recognition and increase the workload of the data analysis process [6]. One of the methods that is commonly used, effective and efficient for reducing the number of data attributes is the dimension reduction method [7]. The dimension reduction method is able to project data that have high dimensions into low-dimension data while preserving the original information [8]. In addition,
it is very efficient in the memory space required for data storage [9].
Many studies have utilized dimensionality reduction methods for data analysis on attack detection [10]–[12]; however, most of the methods are unsuccessful in utilizing a lower dimension scale, because data dimension reduction does not necessarily increase the classification [13]. This research work contributes towards an analysis of IoT botnet dataset scalability reduction. The best data dimensions obtained from the experiment are used as selected features for the detection system. The level of effectiveness and efficiency is measured through detection accuracy level as well as detection time. The measurement results are compared to a detection system without the selected features. Moreover, the experiment results are also compared to existing detection systems. Metrics used for comparison include: accuracy, execution time, detection rate, false positive rate (FPR), false negative rate (FNR), sensitivity, specificity, and precision.
The rest of this paper is divided into five sections as follows. In Section 2, we present related works on dimensionality reduction methods in IoT botnet detection. Section 3 describes the dataset, LDA, classification algorithm, evaluation performance, and analysis tools. Section 4 presents the results of the experimental analysis and a comparison with other works. Section 5 presents the Discussion. Section 6 presents the conclusions and further work on dimensionality reduction methods in the IoT botnet.

RELATED WORK
The development of IoT technology has increased the research need to develop effective security protection from an attack. The attack may be caused by network traffic of heterogeneous IoT devices, which generates high-scale data, thus retaining the chance of attack [14]. Few researchers have used the dimensionality reduction method to detect IoT botnet. The first step to creating botnet attack protection for an IoT network that has high-scale data traffic is to use dimensional reduction. Bahsi et al. [15] performed feature reduction on an N-BaIoT dataset [16] from 115 features to 2, 3, and 10 features using the Fisher Score method. The proposed method uses fewer features to reach a high accuracy level. A slight decrease in accuracy was observed when using the classification Decision Tree method while applying fewer features, although still above 98% for each feature. With k-NN, there is an increase in accuracy for each lower number of features, reaching up to 98.05% accuracy.
With the same N-BaIoT dataset, Nomm and Bahsi [17] performed feature reduction to 3, 5, and 10 features by using comparative unsupervised methods, i.e.: entropy, Hopkins statistics and variance, then continued with the SVM classification method and isolation forest. The authors reported that the entropy-SVM method increased the accuracy up to 93.15% when fewer features were used. The result is opposite to the variance-SVM and Hopkins-SVM methods, which significantly lowered the accuracy, whereas with the Hopkins-isolation forest, the decrement was not significant but had low accuracy. Different results were obtained for the variance-isolation forest and entropy-isolation forest methods, which have variant accuracy when using low features.
Using the same N-BaIoT dataset, Liu et al. [18] used a triangle area map-based multivariate correlation analysis algorithm (TAM-based MCA) method to reduce features into 23 dimensions. Using the convolutional neural network (CNN) method, their approach offered very high accuracy, up to 99.57%. Alqahtani et al. [19] optimized performance classification GXGBoost by reducing data into three features using Fisher Score. In the experiment, IoT Botnet detection using the N-BaIoT dataset was effective and efficient with an accuracy of 99.96%.
In another study with the IoT network intrusion detection dataset, Desai et al. [20] used a dimensionality reduction method and optimized the classification function on IoT botnet detection. The principal component analysis (PCA) method was chosen by the authors to reduce the data dimension. The IoT network intrusion detection dataset, which has 115 features, was reduced to 10, 15, and 20 features, and then classified using multi-classification. The results from the experiment showed an accuracy level reaching 99.97% using the Random Forest classifier. This result is superior to the Decision Tree and SVM classification methods.
Besides using the N-BaIoT dataset, there are also studies that have used the dimensionality reduction method on IoT botnet with another dataset. Alshamkhany et al. [21] reduced data dimension using the PCA method and machine learning. Their experiments with the UNSW-NB15 dataset [22] and Bot-IoT [23], which were classified using the machine learning SVM-RBF method, achieved a very high accuracy result of 99.9%. The PCA method was used to reduce the number of features from 43 into 20 features. Popoola et al. [24] reduced features in the Bot-IoT dataset to six features using the long short-term memory autoencoder (LAE) method. The method showed that classification of deep
bidirectional long short-term memory performed well.

p-ISSN: 1410-2331 e-ISSN: 2460-1217

METHODS
Dataset
Experiments in this work use the N-BaIoT dataset [16], which was extracted into CSV format by using a statistics method [25]. The N-BaIoT dataset was selected due to its high data dimension that demands more computational power; it encompasses a large number of features, necessitating the removal of unnecessary ones; and finally, reducing the data dimensions is crucial to achieving better performance [17]. In this work, only 20% of the data was used by randomly selecting from each dataset file. Data distribution of sets that were completely used is shown in Table 1. The dataset is created from a network representing an IoT system in the real world. The IoT system consists of nine IoT devices, i.e.: four security cameras, one baby monitor camera, two doorbells, one thermostat, and one webcam. Botnet attacks were injected into the network. The dataset has a total of 7062606 records with 115 features. Moreover, to facilitate result comparison, the medBIoT dataset was also employed [26]. The medBIoT dataset surpasses the N-BaIoT dataset in terms of traffic volume. It comprises data gathered from both physical and virtual IoT devices, totaling 83 devices. Within this dataset, there is one category of benign traffic and three types of attack traffic (bashlite, mirai, and torii), amounting to a total of 17,845,567 data records. In contrast, this research utilizes approximately 15% of the medBIoT dataset, resulting in a total of 2,728,266 data records, which is nearly twice the number of N-BaIoT datasets used.
A detailed breakdown of the medBIoT dataset's distribution can be found in Table 2. Data variables (attributes) with different scales were standardized using StandardScaler to reduce dimensions, which was continued by training and then testing the classification model. Random data separation was performed to split the dataset into a training set, having 70% of the data, and a testing set, having 30% of the data.

Table 1. Distribution of N-BaIoT dataset
Columns: Device, File, Label, Total Data
Device: Four security cameras, baby monitors, two doorbells, thermostats, and webcams
File      Label     Total Data
Benign    Benign    111179
Combo     Bashlite  103030
Junk      Bashlite  52158
Scan      Bashlite  51022
Tcp       Bashlite  171969
Udp       Bashlite  192873
Ack       Mirai     128764
Scan      Mirai     107596
Syn       Mirai     146660
Udp       Mirai     246001
Udpplain  Mirai     104660
Total               1415912

Table 2. Distribution of medBIoT dataset
Columns: Device, Label, File, New Feature, Total Data
Device: Twenty Lock, twenty two switch, twenty fan, twenty one light
Label     File                         Total Data
Benign    bashlite_leg_fan             209715
Benign    bashlite_leg_light           195363
Benign    bashlite_leg_lock            209715
Benign    bashlite_leg_switch          209715
Benign    mirai_leg_fan                58620
Benign    mirai_leg_light              52769
Benign    mirai_leg_lock               52836
Benign    mirai_leg_switch             43911
Benign    torii_leg_fan                15389
Benign    torii_leg_light              4376
Benign    torii_leg_lock               2181
Benign    torii_leg_raspberry1         25910
Benign    torii_leg_raspberry2         943
Benign    torii_leg_switch             6380
Bashlite  bashlite_mal_CC_fan          37770
Bashlite  bashlite_mal_CC_light        33457
Bashlite  bashlite_mal_CC_lock         31428
Bashlite  bashlite_mal_CC_switch       22845
Bashlite  bashlite_mal_spread_fan      206221
Bashlite  bashlite_mal_spread_light    180027
Bashlite  bashlite_mal_spread_lock     152360
Bashlite  bashlite_mal_spread_switch   177722
Mirai     mirai_mal_CC_fan             593329
Mirai     mirai_mal_CC_light           18636
Mirai     mirai_mal_CC_lock            11357
Mirai     mirai_mal_CC_switch          21205
Mirai     mirai_mal_spread_fan         23966
Mirai     mirai_mal_spread_light       14248
Mirai     mirai_mal_spread_lock        18590
Mirai     mirai_mal_spread_switch      32527
Torii     torii_mal_fan                27496
Torii     torii_mal_light              70
Torii     torii_mal_lock               33
Torii     torii_mal_raspberry1         9245
Torii     torii_mal_raspberry2         528
Torii     torii_mal_switch             27383
Total                                  2728266

LDA
The LDA technique projects the original data matrix to a lower dimension space. To reach this goal, three steps must be performed. The first step is to calculate the distance between different classes, which is called the between-class variance or between-class matrix. The second step is calculating the distance between the mean and the samples of each class, which is called the within-class variance or within-class matrix. In the third step, a lower-dimension
space is created to maximize the between-class variance and minimize the within-class variance [27]. LDA is performed to obtain appropriate training data by giving a new space, because its reduction technique is created by maximizing the distance between classes [28].
LDA finds the optimal linear transformation W, which reduces the distance within classes and simultaneously extends the distance between classes. The criterion J (XW), which is being maximized, is presented in (1).

(1)

where SB is the between-class matrix and SW is the within-class matrix, determined by (2) and (3).

(2)
(3)

LDA reduction process on the N-BaIoT dataset:
1. Determine the number of classes in the dataset. The N-BaIoT dataset has 3 classes.
2. Determine the maximum amount of data reduction that can be used in the LDA method. According to the statement of Tsymbal et al. [29], for LDA-based dimensional reduction, the maximum feature reduction is the total number of classes –1. Thus, since the N-BaIoT dataset has three classes, the maximum feature reduction is (3–1=2) features.
3. In the LDA reduction process, the N-BaIoT dataset, which has a total of 115 features/columns, is transformed into a 2-column matrix.
The advantage of LDA compared to other techniques in dimension reduction is in the process of reducing dimensions while maintaining the global structure of the data so that distances in low-dimensional structures are found to be significant [29]. In addition to the level of accuracy resulting from LDA data reduction, the test accuracy is better than PCA [30].

Classification Algorithm
Machine learning applications have great potential for botnet classification, which is mainly not in the IoT environment [31]. Hossain et al. [32] stated that classification using machine learning is effective in botnet detection. In this study, we used a classification Decision Tree (DT) algorithm, and then compared it with several other classification algorithms, such as AdaBoost (AB), K-nearest neighbor (k-NN), Random Forest (RF), and Gradient Boosting (GB).

Decision Tree
Decision Tree is a predictive model that maps observations on data [33]. Tariq and Baig [34] used the Decision Tree classification method in detecting botnet. This results in a better detection level compared to other approaches with the same heterogeneity level in testing, with accuracy reaching 94.8%. Mata et al. [35] applied feature selection using a Decision Tree in botnet detection, yielding very efficient results with an average detection time of 0.78 microseconds.

K-nearest neighbor
The K-NN classifier is used to classify a group of unlabelled observations into classes from the similarity of labels. The characteristics of the grouped observations are used for training and testing. The parameter k determines how many neighbours are selected. Correct selection of k has a significant impact on the diagnostic performance of the KNN algorithm. The parameter k reduces the impact of variance caused by random error, but this risks ignoring small but important patterns. The key to selecting the correct k value is to reach a balance between overfitting and underfitting [36][37]. Dollah et al. [38] used the k-NN classification algorithm in detecting HTTP botnet. The proposed method was able to classify HTTP Botnet in network traffic with an average accuracy of 92.93%.

Random Forest
Random forest consists of Decision Trees. Random operation is introduced in the creation process, including selecting sample subsets and feature subsets to guarantee the independence of each Decision Tree, increase classification accuracy, and obtain enhanced generalization ability. Random operation in random forests significantly improves classification performance. Given that the process of each Decision Tree is very fast, parallelization in creating a random forest can be made, which improves classification speed [39][40]. Hoang and Nguyen [41] detected botnets using a machine learning technique, i.e.: the random forest method, for effective botnet detection with accuracy that reached 90%. Moubayed et al. [42] optimized the random forest method in botnet detection using the hyperparameter method, resulting in a genetic algorithm that had good framework effectiveness in detecting botnet attacks from bad hosts.

Adaboost
The AdaBoost algorithm is an ensemble learning algorithm that consists of sub-classifiers used to overcome the weakness of bad classification from each sub-classifier [43]. Javed et al. [44] used Adaboost to detect botnet attacks on
network traffic using Adaboost to achieve a true positive rate that reached 99.7%. This methodology was efficient in detecting botnet.

Gradient Boosting
Gradient boosting is an algorithm like boosting, which is used for regression. The boosting algorithm combines weak learning, that is, learning that is slightly better than random, with performing reduplication from learning [45]. Ongun et al. [46] used machine learning to detect botnets from network traffic by using a gradient boosting classification method to reach better detection accuracy, even in imbalanced data scenarios.

Evaluation Performance
The performance of botnet detection was evaluated using a confusion matrix table, as shown in Table 3 [47]. The confusion matrix for botnet detection consists of the following.
1. TP (true positive) is the correct number of actual data that are predicted to be normal.
2. FP (false positive) is the number of actual normal data that are predicted as botnet attack.
3. FN (false negative) is the number of actual attack data that are falsely predicted as normal.
4. TN (true negative) is the number of actual normal data that are falsely predicted as botnet attack.

Table 3. Confusion Matrix
                          Predicted class
                          Positive (P)  Negative (N)
Actual class  True (T)    TP            FP
Actual class  False (F)   FN            TN

The definitions in the confusion matrix, which were mostly used in calculating the classification matrix, are as follows.
1. Accuracy is the ratio between the total data classified correctly and the total sample.

(4)

2. Precision is the ratio between negative samples classified correctly and the total sample of negative predictions.

(5)

3. Sensitivity is the ratio between positive samples classified correctly and the total sample.

(6)

4. Specificity is the ratio between negative samples classified correctly and the total sample.

(7)

5. False positive rate is the ratio between negative samples which are falsely classified and the total sample.

(8)

6. False negative rate is the ratio between positive samples which are falsely classified and the total sample.

(9)

Experimental Setup
This research compares the detection system of IoT botnets on machine learning with and without the LDA dimensionality reduction method. In this study, we use the N-BaIoT dataset CSV version [16]. Figure 1 shows the proposed framework.
Figure 1 shows all performance evaluations, namely accuracy, precision, sensitivity, specificity, FPR, FNR, and execution time in this experiment which was carried out resulting from the training data set.

Figure 1. Proposed research framework
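The pipeline from the Experimental Setup above (standardize, LDA from 115 features to 2, classify, score from the confusion matrix), as an added example that is not the paper's code. It assumes constructed Gaussian data in place of N-BaIoT, the standard scatter-matrix form of LDA written with NumPy, a nearest-class-mean rule in place of the Decision Tree, and the standard one-vs-rest metric definitions; all function names are hypothetical.

```python
import numpy as np

CLASSES = ["Benign", "Bashlite", "Mirai"]  # the three N-BaIoT labels named on the page
N_FEATURES = 115                           # N-BaIoT feature count stated on the page


def make_constructed_traffic(n_per_class=300, seed=7):
    """Constructed Gaussian blobs standing in for N-BaIoT rows (not real traffic)."""
    rng = np.random.default_rng(seed)
    scales = rng.uniform(0.5, 50.0, N_FEATURES)  # features on very different scales
    X, y = [], []
    for label in range(len(CLASSES)):
        centre = rng.normal(0.0, 1.0, N_FEATURES)
        noise = rng.normal(0.0, 1.0, (n_per_class, N_FEATURES))
        X.append((centre + noise) * scales)
        y.append(np.full(n_per_class, label))
    X, y = np.vstack(X), np.concatenate(y)
    order = rng.permutation(len(y))
    return X[order], y[order]


def standardize(train, test):
    """Scale with training statistics only, as a scaler fit on the training set does."""
    mu, sigma = train.mean(axis=0), train.std(axis=0)
    sigma[sigma == 0] = 1.0
    return (train - mu) / sigma, (test - mu) / sigma


def fit_lda(X, y):
    """Return (W, eigenvalues); W keeps the n_classes - 1 discriminant directions."""
    labels = np.unique(y)
    overall_mean = X.mean(axis=0)
    S_B = np.zeros((X.shape[1], X.shape[1]))
    S_W = np.zeros_like(S_B)
    for c in labels:
        Xc = X[y == c]
        mean_c = Xc.mean(axis=0)
        diff = (mean_c - overall_mean)[:, None]
        S_B += len(Xc) * (diff @ diff.T)        # step 1: between-class scatter
        S_W += (Xc - mean_c).T @ (Xc - mean_c)  # step 2: within-class scatter
    # Step 3: solve S_B w = lambda S_W w by whitening with the Cholesky factor of S_W
    # (assumes S_W is positive definite, i.e. many more rows than features).
    L_inv = np.linalg.inv(np.linalg.cholesky(S_W))
    eigvals, V = np.linalg.eigh(L_inv @ S_B @ L_inv.T)
    order = np.argsort(eigvals)[::-1]
    W = L_inv.T @ V[:, order[: len(labels) - 1]]
    return W, eigvals[order]


def nearest_mean_predict(Z_train, y_train, Z_test):
    """Stand-in classifier (not the paper's Decision Tree): closest class mean."""
    means = np.array([Z_train[y_train == c].mean(axis=0) for c in np.unique(y_train)])
    dists = ((Z_test[:, None, :] - means[None, :, :]) ** 2).sum(axis=2)
    return dists.argmin(axis=1)


def one_vs_rest_metrics(y_true, y_pred, n_classes):
    """Macro-average of six confusion-matrix rates, each class against the rest."""
    rows = []
    for c in range(n_classes):
        tp = np.sum((y_true == c) & (y_pred == c))
        fp = np.sum((y_true != c) & (y_pred == c))
        fn = np.sum((y_true == c) & (y_pred != c))
        tn = np.sum((y_true != c) & (y_pred != c))
        rows.append([
            (tp + tn) / (tp + tn + fp + fn),     # accuracy
            tp / (tp + fp) if tp + fp else 0.0,  # precision
            tp / (tp + fn),                      # sensitivity (recall)
            tn / (tn + fp),                      # specificity
            fp / (fp + tn),                      # FPR = 1 - specificity
            fn / (fn + tp),                      # FNR = 1 - sensitivity
        ])
    names = ["accuracy", "precision", "sensitivity", "specificity", "fpr", "fnr"]
    return dict(zip(names, np.mean(rows, axis=0)))


def run_experiment():
    X, y = make_constructed_traffic()
    split = int(0.7 * len(y))                  # 70% training / 30% testing, as on the page
    X_train, X_test = standardize(X[:split], X[split:])
    y_train, y_test = y[:split], y[split:]
    W, eigvals = fit_lda(X_train, y_train)
    Z_train, Z_test = X_train @ W, X_test @ W  # 115 columns -> 2 columns
    y_pred = nearest_mean_predict(Z_train, y_train, Z_test)
    useful_axes = int(np.sum(eigvals > 1e-8 * eigvals[0]))
    return Z_test.shape, useful_axes, one_vs_rest_metrics(y_test, y_pred, len(CLASSES))


if __name__ == "__main__":
    shape, useful_axes, metrics = run_experiment()
    print("projected test matrix:", shape, "| non-zero discriminant axes:", useful_axes)
    for name, value in metrics.items():
        print(f"{name:12s} {value:.4f}")
```

With three classes the between-class scatter has rank 2, so only two eigenvalues are non-zero, which is the classes minus 1 limit cited from Tsymbal et al. [29]. Scores on this constructed, well-separated data say nothing about real N-BaIoT traffic.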

The data reduction process with LDA is described in pseudocode as presented in Figure 2.

Figure 2. Dimensionality reduction LDA

Hardware and Software Setup
In this experiment, we perform a simulation using a computer with the following specification: Intel core i7 processor 9th gen, 16 GB DDR4 RAM, 512 GB SSD, and NVIDIA GTX1660 Ti GPU. The operating system was Windows 10, and Python 3.7.4 was used for the analysis.

RESULTS AND DISCUSSION
Experiment Result
We evaluate the performance of dimension reduction by comparing the results with and without the LDA method using five classification algorithms. The performance was measured using eight metrics, i.e.: accuracy, precision, sensitivity, specificity, FPR, FNR, and execution time. The performance of accuracy results with LDA for each class is presented in Table 4. DT also has the highest value in detecting Bashlite, Benign, and Mirai, each with a value of 1. The average performance of classification with LDA is presented in Table 5. DT has the highest accuracy, which reaches 100%. DT also shows superior precision and sensitivity values, high specificity and low FPR but with values equal to those of RF, although its FNR value was lower than that of RF. The highest FPR value is achieved by k-NN, i.e.: 6.255. The highest value for FNR is achieved by RF, which reaches 1.2841. Significantly, DT has better performance than the other classification methods.

Table 4. Accuracy Each Class with LDA
Detection  k-NN    DT  RF      AB      GB
Bashlite   0.9997  1   1       0.9849  0.9956
Benign     0.9919  1   0.9999  0.9803  0.9901
Mirai      0.9981  1   1       0.9941  0.9949

Table 5. Performance Metric with LDA
Metric       k-NN    DT   RF      AB      GB
Accuracy     99.82   100  99.99   98.93   99.48
Precision    0.9984  1    0.9999  0.9908  0.9948
Sensitivity  0.995   1    0.9999  0.9852  0.9939
Specificity  0.9999  1    1       0.9992  0.9993
FPR          6.255   0    0       0.0008  0.0007
FNR          0.005   0    1.2841  0.0148  0.006

The performance of the accuracy results without LDA for each class is presented in Table 6. DT and RF also have the highest value in detecting Bashlite, Benign, and Mirai, each with the value of 1. The average performance of the results of classification without LDA is shown in Table 7. The best performance result is DT, equal to RF for each measurement value. DT and RF were both superior compared to the other classification methods. Next, k-NN, AB, and GB have the highest FPR, with the highest value, for AB, reaching up to 8.2619.

Table 6. Accuracy Each Class without LDA
Detection  k-NN    DT  RF  AB      GB
Bashlite   0.9999  1   1   0.9998  0.9999
Benign     0.9990  1   1   0.9998  0.9994
Mirai      0.9999  1   1   0.9996  0.9999

Table 7. Performance Metric without LDA
Metric       k-NN    DT   RF   AB      GB
Accuracy     99.99   100  100  99.97   99.99
Precision    0.9998  1    1    0.9997  0.9999
Sensitivity  0.9993  1    1    0.9998  0.9994
Specificity  0.9999  1    1    0.9999  0.9999
FPR          1.2511  0    0    8.2619  5.0043
FNR          0.0007  0    0    0.0002  0.0006

Result Analysis
Experimental results showed that the proposed LDA dimension reduction functions well. Implementation of dimensional reduction speeds up the botnet detection process. Nevertheless, the use of a low-scale dimension of data slightly decreases the classification accuracy of AB, k-NN and GB. DT and RF are not affected.
The precision values of AB and GB decrease significantly, while k-NN decreases slightly. DT and RF are again not affected. Next, for sensitivity and specificity values, DT and RF still are not affected, while k-NN is not affected
only for specificity value. In contrast, the values for AB and GB relatively decrease.
The experimental results clearly show that the use of the LDA method on data dimension reduction has an impact on IoT botnet detection, as shown in Table 8. DT and RF show the highest accuracy and stability, with or without using the LDA method, with an accuracy level that reaches 100%. k-NN, AB, and GB show a slight decrease in accuracy level when using the LDA.

Table 8. Comparison of accuracy values
Method  Without LDA  With LDA
k-NN    99.99        99.82
DT      100          100
RF      100          100
AB      99.97        98.93
GB      99.99        99.48

The use of the LDA method also has an impact on the precision value. Table 9 shows a comparison between using the LDA method and without LDA. The dimension reduction with LDA does not have an impact on DT and RF, which have a stable value of 1. However, k-NN, AB, and GB experience a slight decrease in precision.

Table 9. Comparison of precision values
Method  Without LDA  With LDA
k-NN    0.9998       0.9984
DT      1            1
RF      1            1
AB      0.9997       0.9908
GB      0.9999       0.9948

We further evaluate the sensitivity of the proposed method. Table 10 shows a comparison of the sensitivity values when the LDA method was used and without LDA. DT and RF have stable sensitivity values with and without the LDA method, while k-NN, AB, and GB show a decrease with the LDA method.

Table 10. Comparison of sensitivity values
Method  Without LDA  With LDA
k-NN    0.9993       0.995
DT      1            1
RF      1            1
AB      0.9998       0.9852
GB      0.9994       0.9939

The results of the performance evaluation of specificity values are shown in Table 11. The table shows a summary of the specificity values that are impacted by the use of the LDA method. For k-NN, DT, and RF the specificity values are stable and are not impacted. In contrast, AB and GB experience a decrease in specificity value when using the LDA method.

Table 11. Comparison of specificity values
Method  Without LDA  With LDA
k-NN    0.9999       0.9999
DT      1            1
RF      1            1
AB      0.9999       0.9992
GB      0.9999       0.9993

FPR performance was evaluated under similar conditions, as shown in Table 12. Two classification methods show decreased FPR values. Nevertheless, k-NN shows improvement with the LDA method, and exhibits a significant increase, which reaches 6.255. AB and GB show an opposite trend, with a significant decrease in FPR, whereas DT and RF remained at 0.

Table 12. Comparison of FPR values
Method  Without LDA  With LDA
k-NN    1.2511       6.255
DT      0            0
RF      0            0
AB      8.2619       0.0008
GB      5.0043       0.0007

Performance evaluation results on FNR are displayed in Table 13. While the FNR of DT and RF is still 0 whether using LDA or without LDA, k-NN and GB show a decrement in FPR values. This is opposite to AB, which has a slight increment in FPR value.

Table 13. Comparison of FNR values
Method  Without LDA  With LDA
k-NN    0.0007       0.005
DT      0            0
RF      0            0
AB      0.0002       0.0148
GB      0.0006       0.006

The use of LDA for dimensional reduction overall has a positive impact on execution time, as shown in Table 14. The times to execute the classification using the k-NN, DT, RF, AB, and GB classifiers decrease. Executing classification using k-NN without LDA requires 30908.87 seconds and decreases drastically to 73.95 seconds when incorporating LDA dimensional reduction. The execution time of DT decreases almost double, while for AB and GB, the execution times are significantly faster when incorporating the LDA dimensional reduction. The fastest processing time for classification is achieved by k-NN, which only needs 73.95 seconds.
The experimental results show that the performance of each classification model has good results. Then validation was carried out to detect overfitting problems using K-fold cross-validation [48]. In Intrusion Detection System
(IDS) research cross-validation has been widely used, such as for validating the KNN, NB, SVM, and RF classification models in detecting DDoS attacks [49], validating the LSTM deep learning model to detect different types of attacks between R2L and U2R [50], and validating the convolution neural network model for anomaly attack detection [51]. In this experiment's validation, a value of k=10 is utilized for each classification model. In each iteration, the sampled data used will be shuffled, and then each subset will contain an equal number of samples [52]. The results of the performance evaluation with cross-validation are presented in Table 15.

Table 14. Comparison of execution time
Method  Without LDA  With LDA
k-NN    30908.87 s   73.95 s
DT      163.75 s     98.58 s
RF      675.74 s     270.36 s
AB      1143.27 s    289.11 s
GB      5404.97 s    665.13 s

Table 15. Evaluation with cross-validation
Method  Average Accuracy (%)  Error (%)
k-NN    99.76                 0.0001
DT      100                   0.0001
RF      100                   0.0001
AB      98.95                 0.0006
GB      99.48                 0.0003

Comparison with other datasets and other work
To determine the effectiveness of the use of the proposed LDA method, we compare it with 100% of the N-BaIoT dataset, and other datasets on the DT classification method, and with previous research works that use the same dataset and also implement dimensional reduction methods. Here, only results of implementation of lower dimensional data were considered. Results of the comparison with other datasets are shown in Table 16 and comparisons with other work are shown in Table 17.

Table 16. Comparison results with other datasets
Metric       20% of N-BaIoT  100% of N-BaIoT  30% of MedBIoT
Accuracy     100             100              100
Precision    1               1                1
Sensitivity  1               1                1
Specificity  1               1                1
FPR          0               0                0
FNR          0               0                0

Table 17. Comparison results with other works
Ref & (Year)  Method                  No. of Feature  Accuracy
[15]          Fisher Score + DT       2               98.43
[17]          Entropy + SVM           3               93.15
[19]          Fisher Score + XGBoost  3               99.96
This Work     LDA + DT                2               100

Discussion
We have presented detection systems with a high accuracy level and low FPR level for the identification of IoT botnets. Classification models used in the proposed system without LDA show that DT and RF had the highest accuracy level, reaching 100%. With LDA, only DT remains stable, while RF shows a slight decrease in accuracy. A comparison of the classification methods without using the dimensionality reduction LDA method reveals that DT has a stable accuracy of 100%, whereas the other classification methods experience decreased accuracy with LDA. Overall, the achieved levels of accuracy show that the use of the dimensionality reduction LDA method was very effective and efficient for IoT botnet detection for classification. DT generates more accurate results than other classifiers, i.e.: AB, k-NN, RF, and GB.
A detection system is better when it achieves a high accuracy level and a very low FPR value. Models with a high accuracy level and high FPR cannot be used. With or without LDA, DT and RF both show an FPR value of 0. Combining dimensionality reduction LDA with DT and RF generates a high accuracy level. Thus, this fact shows that the proposed system has a good performance because a more accurate classifier was built when a lower FPR was generated.
Precision shows the reliability of the detection model in the samples classified as positive. DT and RF have an excellent ability to classify samples as positive, with a value of 1, whether using LDA or without LDA. This is different from k-NN, AB, and GB, which have no decrement of precision value when using the LDA.
Specificity represents how much correct data are predicted by the detection system. DT and RF have a good ability to classify samples as positive, with or without LDA. This result is different for AB and GB, which show a decrease in the specificity value with LDA. k-NN has a flat specificity value with or without LDA.
FNR, which is the critical level when facing the detection model, is reflected in model sensitivity. DT and RF have the highest sensitivity levels with or without LDA, and their FNR values
were 0. The k-NN sensitivity value increases when LDA was used, while the FNR value decreases. The reverse was the case for AB and GB, which show a decrease in the sensitivity value when LDA was used, with an increase in FNR value. Thus, in terms of a sensitivity value of 1 and an FNR of 0, DT and RF using LDA are the best models for the IoT botnet detection system, because the models will cover all chances of detecting botnets.

The efficiency of the detection system is observed by the speed of the execution time. During the experiments of IoT botnet detection, we observe an increase in execution speed, which was significant for k-NN, DT, RF, AB, and GB classifiers with or without LDA. If we consider the high accuracy level and lowest FPR, then DT has the fastest time of execution, as it only requires 98.58 s.

Compared to other studies of the same theme that use the N-BaIoT dataset and with the dimensionality reduction LDA method, the proposed system in this paper shows the highest accuracy, and DT classification had the highest score, i.e., 100%. Bahsi et al. [15] use the Fisher Score dimensionality reduction method to reduce the data dimension to two features, and in detecting botnets by using the DT classification method, their accuracy level reaches 98.43%. Nomm et al. [17] use the entropy method to reduce the data dimension to three features, while SVM is used for its detection process, reaching only a 93.15% accuracy level. Alqahtani et al. [19] also use Fisher Score to reduce the data to three features, and select the XGBoost classification method to detect botnets, with the accuracy level reaching 99.96%.

The effectiveness of the detection system can be observed at the level of its accuracy. This accuracy is indicated by the use of the number of features. Without the LDA method with 115 features compared to using the LDA method, which had only two features, the accuracy level of our models remains the same. This fact suggests that the reduction in the number of features used in the IoT botnet detection system was very effective. Compared to previous studies, the proposed system is more effective in detecting IoT botnets, which is indicated by a higher level of accuracy.

CONCLUSION
The LDA dimensionality reduction method has been implemented and used to detect IoT botnets effectively and efficiently. We showed that a detection system with a very low number of features can reach a very high accuracy level, and that fewer features also speed up execution. We observed that combining the LDA method and DT and RF classifiers in an IoT botnet detection system provides the best accuracy of 100% with an FPR value of 0. Detection times for DT and RF are 98.58 seconds and 270.36 seconds, respectively.

We propose that future studies should investigate the efficiency level of using the LDA method from the perspective of energy consumption and memory used. We also consider extending the framework of the research for detecting botnets in real time, using balanced data, which can boost execution time and maximize the accuracy.

REFERENCES
[1] M. S. Mahdavinejad, M. Rezvan, M. Barekatain, P. Adibi, P. Barnaghi, and A. P. Sheth, “Machine learning for internet of things data analysis: a survey,” Digital Communications and Networks, vol. 4, no. 3, pp. 161–175, 2018, doi: 10.1016/j.dcan.2017.10.002.
[2] K. Somasundaram and K. Selvam, “IOT – Attacks and Challenges,” International Journal of Engineering Research & Technology, vol. 8, no. 9, pp. 9–12, 2018, doi: 10.31873/ijetr.8.9.67.
[3] X. S. Yang, S. Lee, S. Lee, and N. Theera-Umpon, “Information Analysis of High-Dimensional Data and Applications,” Mathematical Problems in Engineering, vol. 2015, no. ii, pp. 2–4, 2015, doi: 10.1155/2015/126740.
[4] A. Ullah, F. H. Khan, U. Qamar, and S. Bashir, “Dimensionality reduction approaches and evolving challenges in high dimensional data,” ACM International Conference Proceeding Series, pp. 1–8, 2017, doi: 10.1145/3109761.3158407.
[5] J. Wang, S. Yue, X. Yu, and Y. Wang, “An efficient data reduction method and its application to cluster analysis,” Neurocomputing, vol. 238, pp. 234–244, 2017, doi: 10.1016/j.neucom.2017.01.059.
[6] Z. Cheng and Z. Lu, “A novel efficient feature dimensionality reduction method and its application in engineering,” Complexity, vol. 2018, pp. 1–14, 2018, doi: 10.1155/2018/2879640.
[7] T. Zhang and B. Yang, “Dimension reduction for big data,” Statistics and its Interface, vol. 11, no. 2, pp. 295–306, 2018, doi: 10.4310/SII.2018.v11.n2.a7.
[8] J. Yan et al., “Effective and efficient dimensionality reduction for large-scale and streaming data preprocessing,” IEEE Transactions on Knowledge and Data Engineering, vol. 18, no. 3, pp. 320–332,
2006, doi: 10.1109/TKDE.2006.45.
[9] S. I. Popoola, B. Adebisi, R. Ande, M. Hammoudeh, and A. A. Atayero, “Memory-efficient deep learning for botnet attack detection in iot networks,” Electronics, vol. 10, no. 9, pp. 1–18, 2021, doi: 10.3390/electronics10091104.
[10] V. V. Platonov and P. O. Semenov, “Dimension reduction in network attacks detection systems,” Nonlinear Phenomena in Complex Systems, vol. 17, no. 3, pp. 284–289, Mar. 2014.
[11] H. I. Alsaadi, R. M. Almuttairi, O. Bayat, and O. N. Ucani, “Computational intelligence algorithms to handle dimensionality reduction for enhancing intrusion detection system,” Journal of Information Science and Engineering, vol. 36, no. 2, pp. 293–308, Jan. 2020, doi: 10.6688/JISE.202003_36(2).0009.
[12] S. H. Abbas, “Ids Feature Reduction Using Two,” International Journal of Civil Engineering and Technology, vol. 8, no. 3, pp. 468–478, Mar. 2017.
[13] J. Kittler, “Feature selection and extraction,” in Handbook of Pattern and Image Proc., 1st ed., San Diego, USA, 1986, pp. 59–83, doi: 10.1002/0470854774.ch9.
[14] N. Koroniotis, N. Moustafa, and E. Sitnikova, “Forensics and Deep Learning Mechanisms for Botnets in Internet of Things: A Survey of Challenges and Solutions,” IEEE Access, vol. 7, pp. 61764–61785, 2019, doi: 10.1109/ACCESS.2019.2916717.
[15] H. Bahsi, S. Nomm, and F. B. La Torre, “Dimensionality Reduction for Machine Learning Based IoT Botnet Detection,” in Proc. 2018 15th International Conference on Control, Automation, Robotics and Vision, ICARCV, 2018, pp. 1857–1862, doi: 10.1109/ICARCV.2018.8581205.
[16] Y. Meidan et al., “N-BaIoT-Network-based detection of IoT botnet attacks using deep autoencoders,” IEEE Pervasive Computing, vol. 17, no. 3, pp. 12–22, Sep. 2018, doi: 10.1109/MPRV.2018.03367731.
[17] S. Nomm and H. Bahsi, “Unsupervised Anomaly Based Botnet Detection in IoT Networks,” in Proc. 17th IEEE International Conference on Machine Learning and Applications, ICMLA, 2019, pp. 1048–1053, doi: 10.1109/ICMLA.2018.00171.
[18] J. Liu, S. Liu, and S. Zhang, “Detection of IoT botnet based on deep learning,” in Chinese Control Conference, CCC, 2019, vol. 2019–July, no. 1, pp. 8381–8385, doi: 10.23919/ChiCC.2019.8866088.
[19] M. Alqahtani, H. Mathkour, and M. M. Ben Ismail, “IoT botnet attack detection based on optimized extreme gradient boosting and feature selection,” Sensors (Switzerland), vol. 20, no. 21, pp. 1–21, 2020, doi: 10.3390/s20216336.
[20] M. G. Desai, Y. Shi, and K. Suo, “IoT Bonet and Network Intrusion Detection using Dimensionality Reduction and Supervised Machine Learning,” 2020 11th IEEE Annu. Ubiquitous Comput. Electron. Mob. Commun. Conf. UEMCON 2020, pp. 0316–0322, 2020, doi: 10.1109/UEMCON51285.2020.9298146.
[21] M. Alshamkhany, W. Alshamkhany, M. Mansour, M. Khan, S. Dhou, and F. Aloul, “Botnet Attack Detection using Machine Learning,” in Proc. 14th International Conference on Innovations in Information Technology, IIT, 2020, no. November, pp. 203–208, doi: 10.1109/IIT50501.2020.9299061.
[22] N. Moustafa and J. Slay, “UNSW-NB15: A comprehensive data set for network intrusion detection systems (UNSW-NB15 network data set),” Proc. Mil. Commun. Inf. Syst. Conf. MilCIS, pp. 1–6, 2015, doi: 10.1109/MilCIS.2015.7348942.
[23] N. Koroniotis, N. Moustafa, E. Sitnikova, and B. Turnbull, “Towards the development of realistic botnet dataset in the Internet of Things for network forensic analytics: Bot-IoT dataset,” Future Generation Computer Systems, vol. 100, pp. 779–796, 2019, doi: 10.1016/j.future.2019.05.041.
[24] S. I. Popoola, B. Adebisi, M. Hammoudeh, G. Gui, and H. Gacanin, “Hybrid Deep Learning for Botnet Attack Detection in the Internet-of-Things Networks,” IEEE Internet Things J., vol. 8, no. 6, pp. 4944–4956, Mar. 2021, doi: 10.1109/JIOT.2020.3034156.
[25] Y. Mirsky, T. Doitshman, Y. Elovici, and A. Shabtai, “Kitsune: An ensemble of autoencoders for online network intrusion detection,” arXiv, no. February, pp. 18–21, 2018, doi: 10.48550/arxiv.1802.09089.
[26] A. Guerra-Manzanares, J. Medina-Galindo, H. Bahsi, and S. Nõmm, “MedBIoT: Generation of an IoT botnet dataset in a medium-sized IoT network,” ICISSP 2020 - Proc. 6th Int. Conf. Inf. Syst. Secur. Priv., pp. 207–218, 2020, doi: 10.5220/0009187802070218.
[27] A. Tharwat, T. Gaber, A. Ibrahim, and A. E. Hassanien, “Linear discriminant analysis: A detailed tutorial,” AI Community, vol. 30, no. 2, pp. 169–190, 2017, doi: 10.3233/AIC-170729.
[28] M. A. Salam, A. T. Azar, M. S. Elgendy, and
K. M. Fouad, “The Effect of Different Dimensionality Reduction Techniques on Machine Learning Overfitting Problem,” International Journal of Advanced Computer Science and Applications, vol. 12, no. 4, pp. 641–655, 2021, doi: 10.14569/IJACSA.2021.0120480.
[29] F. J. H. Heras and G. G. de Polavieja, “Supervised dimensionality reduction by a Linear Discriminant Analysis on pre-trained CNN features,” pp. 1–12, 2020, doi: 10.48550/arxiv.2006.12127.
[30] Z. Guo and Y. Zhang, “A Similar Distribution Discriminant Analysis with Orthogonal and Nearly Statistically Uncorrelated Characteristics,” Mathematical Problems in Engineering, vol. 2019, pp. 1–10, 2019, doi: 10.1155/2019/3145973.
[31] S. Lee, A. Abdullah, N. Jhanjhi, and S. Kok, “Classification of botnet attacks in IoT smart factory using honeypot combined with machine learning,” PeerJ Computer Science, vol. 7, pp. 1–23, 2021, doi: 10.7717/PEERJ-CS.350.
[32] M. I. Hossain, S. Eshrak, M. J. Auvik, S. F. Nasim, R. Rab, and A. Rahman, “Efficient Feature Selection for Detecting Botnets Based on Network Traffic and Behavior Analysis,” in Proc. 7th International Conference on Networking, Systems and Security, 2020, pp. 56–62, doi: 10.1145/3428363.3428378.
[33] A. Bijalwan, N. Chand, E. S. Pilli, and C. Rama Krishna, “Botnet analysis using ensemble classifier,” Perspectives in Science, vol. 8, pp. 502–504, 2016, doi: 10.1016/j.pisc.2016.05.008.
[34] F. Tariq and S. Baig, “Machine Learning Based Botnet Detection in Software Defined Networks,” International Journal of Security and Its Applications, vol. 11, no. 11, pp. 1–12, 2017, doi: 10.14257/ijsia.2017.11.11.01.
[35] J. Velasco-Mata, V. González-Castro, E. Fidalgo, and E. Alegre, “Efficient Detection of Botnet Traffic by features selection and Decision Trees,” arXiv, pp. 1–20, 2021, doi: 10.48550/arxiv.2107.02896.
[36] Z. Zhang, “Introduction to machine learning: K-nearest neighbors,” Annals of Translational Medicine, vol. 4, no. 11, pp. 1–7, 2016, doi: 10.21037/atm.2016.03.37.
[37] Y. E. Wella et al., “Service quality dealer identification: the optimization of K-Means clustering,” SINERGI, vol. 27, no. 3, pp. 433–442, 2023, doi: 10.22441/sinergi.2023.3.014.
[38] R. F. M. Dollah, M. A. Faizal, F. Arif, M. Z. Mas’ud, and L. K. Xin, “Machine learning for HTTP botnet detection using classifier algorithms,” Journal of Telecommunication, Electronic and Computer Engineering, vol. 10, no. 1–7, pp. 27–30, 2018.
[39] A. Parmar, R. Katariya, and V. Patel, “A Review on Random Forest: An Ensemble Classifier,” Lect. Notes Data Eng. Commun. Technol., vol. 26, pp. 758–763, 2019, doi: 10.1007/978-3-030-03146-6_86.
[40] S. Amalia, I. Deborah, and I. N. Yulita, “Comparative analysis of classification algorithm: Random Forest, SPAARC, and MLP for airlines customer satisfaction,” SINERGI, vol. 26, no. 2, p. 213, 2022, doi: 10.22441/sinergi.2022.2.010.
[41] X. D. Hoang and Q. C. Nguyen, “Botnet detection based on machine learning techniques using DNS query data,” Future Internet, vol. 10, no. 5, pp. 1–11, 2018, doi: 10.3390/FI10050043.
[42] A. Moubayed, M. N. Injadat, and A. Shami, “Optimized Random Forest Model for Botnet Detection Based on DNS Queries,” in Proc. International Conference on Microelectronics, ICM, 2020, vol. 2020–Decem, pp. 1–4, doi: 10.1109/ICM50269.2020.9331819.
[43] S. Chen, B. Shen, X. Wang, and S. J. Yoo, “A strong machine learning classifier and decision stumps based hybrid adaboost classification algorithm for cognitive radios,” Sensors (Switzerland), vol. 19, no. 23, pp. 1–15, 2019, doi: 10.3390/s19235077.
[44] A. Rehman Javed, Z. Jalil, S. Atif Moqurrab, S. Abbas, and X. Liu, “Ensemble Adaboost classifier for accurate and fast detection of botnet attacks in connected vehicles,” Transactions on Emerging Telecommunications Technologies, no. June, pp. 1–18, 2020, doi: 10.1002/ett.4088.
[45] C. Bentéjac, A. Csörgő, and G. Martínez-Muñoz, A comparative analysis of gradient boosting algorithms, vol. 54, no. 3. Springer Netherlands, pp. 1937–1967, 2021, doi: 10.1007/s10462-020-09896-5.
[46] T. Ongun, T. Sakharaov, S. Boboila, A. Oprea, and T. Eliassi-Rad, “On Designing Machine Learning Models for Malicious Network Traffic Classification,” arXiv, pp. 1–9, 2019, doi: 10.48550/arxiv.1907.04846.
[47] A. Tharwat, “Classification assessment methods,” Applied Computing and Informatics, vol. 17, no. 1, pp. 168–192, 2021, doi: 10.1016/j.aci.2018.08.003.
[48] H. Shafique, A. A. Shah, M. A. Qureshi, and M. K. Ehsan, “Machine Learning Empowered Efficient Intrusion Detection Framework,” VFAST Transactions on Software Engineering, vol. 10, no. 2, pp. 27–35, 2022.
[49] M. Aamir and S. M. A. Zaidi, “DDoS attack detection with feature engineering and machine learning: the framework and performance evaluation,” International Journal of Information Security, vol. 18, no. 6, pp. 761–785, 2019, doi: 10.1007/s10207-019-00434-1.
[50] Y. Imrana, Y. Xiang, L. Ali, and Z. Abdul-Rauf, “A bidirectional LSTM deep learning approach for intrusion detection,” Expert Systems with Applications, vol. 185, no. June 2020, p. 115524, 2021, doi: 10.1016/j.eswa.2021.115524.
[51] Z. Wang, Z. Li, D. He, and S. Chan, “A lightweight approach for network intrusion detection in industrial cyber-physical systems based on knowledge distillation and deep metric learning,” Expert Systems with Applications, vol. 206, p. 117671, 2022, doi: 10.1016/j.eswa.2022.117671.
[52] M. Artur, “Review the performance of the Bernoulli Naïve Bayes Classifier in Intrusion Detection Systems using Recursive Feature Elimination with Cross-validated selection of the best number of features,” Procedia Computer Science, vol. 190, no. 2019, pp. 564–570, 2021, doi: 10.1016/j.procs.2021.06.066.
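
The evaluation protocol from the validation and Discussion sections (shuffle, k=10 equal folds, then accuracy, FPR and FNR from the confusion counts), as an added example that is not code from the paper. The one-feature data, the mean-threshold stump standing in for LDA + DT, and the always-alert baseline are constructed assumptions; the baseline shows why a model with high accuracy and high FPR cannot be used.

```python
import random

def confusion(y_true, y_pred):
    """Count (TP, FP, TN, FN) with botnet = 1 as the positive class."""
    pairs = list(zip(y_true, y_pred))
    return tuple(sum(1 for t, p in pairs if (t, p) == cell)
                 for cell in ((1, 1), (0, 1), (0, 0), (1, 0)))

def metrics(tp, fp, tn, fn):
    """The six measures the paper reports, from pooled confusion counts."""
    ratio = lambda a, b: a / b if b else 0.0
    return {"accuracy": ratio(tp + tn, tp + fp + tn + fn),
            "precision": ratio(tp, tp + fp),
            "sensitivity": ratio(tp, tp + fn),
            "specificity": ratio(tn, tn + fp),
            "fpr": ratio(fp, fp + tn),
            "fnr": ratio(fn, fn + tp)}

def fit_stump(xs, ys):
    """One-split tree (assumed stand-in for LDA + DT): midpoint of class means."""
    def mean(label):
        vals = [x for x, y in zip(xs, ys) if y == label]
        return sum(vals) / len(vals)
    threshold = (mean(0) + mean(1)) / 2
    return lambda x: 1 if x > threshold else 0

def fit_always_alert(xs, ys):
    """Degenerate baseline: every flow is flagged as botnet."""
    return lambda x: 1

def cross_validate(xs, ys, fit, k=10, seed=0):
    """Shuffle, cut into k equal folds, fit on k-1 folds, score the held-out one."""
    idx = list(range(len(xs)))
    random.Random(seed).shuffle(idx)
    size = len(idx) // k
    totals = (0, 0, 0, 0)
    for f in range(k):
        test = idx[f * size:(f + 1) * size]
        train = idx[:f * size] + idx[(f + 1) * size:k * size]
        # Anything learned from data (the threshold here, the LDA projection
        # in the paper's pipeline) must be fit on the training folds only.
        model = fit([xs[i] for i in train], [ys[i] for i in train])
        counts = confusion([ys[i] for i in test], [model(xs[i]) for i in test])
        totals = tuple(a + b for a, b in zip(totals, counts))
    return metrics(*totals)

def sample_data():
    """Constructed, imbalanced 1-D data: 40 benign flows, 260 botnet flows."""
    xs = [0.01 * i for i in range(40)] + [10 + 0.01 * i for i in range(260)]
    ys = [0] * 40 + [1] * 260
    return xs, ys

if __name__ == "__main__":
    xs, ys = sample_data()
    for name, fit in (("stump", fit_stump), ("always-alert", fit_always_alert)):
        print(name, cross_validate(xs, ys, fit))
```

On this constructed set the always-alert baseline still scores about 86.7% accuracy while its FPR is 1, so accuracy alone would hide that every benign flow raises an alarm.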
