Botnet Traffic Detection in the Internet of Things Based on Graph Convolutional Networks

Authors

  • Tareq Al Fares, Faculty of Information Technology and Computer Science, Yarmouk University, 21163 Irbid, Jordan
  • Waleed Al Masri, Faculty of Information Technology and Computer Science, Yarmouk University, 21163 Irbid, Jordan
  • Hussam Al Salem, King Hussein School of Computing Sciences, Princess Sumaya University for Technology, 11941 Amman, Jordan

DOI:

https://doi.org/10.64972/dea.2026.v5i1.17012d:161-173

Keywords:

Computer Network Security, IoT Botnet Detection, Graph Neural Network, Traffic Anomaly Classification

Abstract

Graph-based representation learning makes it possible to model the structural dependencies and relationships between different parts of IoT network traffic more effectively. This paper proposes a new botnet detection framework that uses Graph Convolutional Networks (GCNs) to learn from the communication graph of nodes and the features of devices. First, all raw IoT data are preprocessed, normalized, and passed through feature engineering. An attributed graph is then generated that captures the topology and timing of the IoT network. To enhance discrimination ability and handle irregular graphs, the framework adds a generalized GCN architecture with an attention module and node feature normalization. Experiments were conducted on the NSL-KDD and Bot-IoT datasets, covering both IoT-specific and traditional benchmarks. The framework achieved an accuracy of 95.1% in attack traffic testing, with an F1 score of 0.95. It also maintains relatively high accuracy in the presence of class imbalance and sparse training data, with accuracy decreasing by less than 3.5% when only 30% of the labeled samples are used. Ablation studies found that removing the attention layer or normalization can reduce accuracy by up to 5.4% and increase the misclassification rate of minority classes. Compared with the random forest and deep neural network baselines, the proposed method shows higher accuracy, recall, and stability, with a stable confusion matrix. These results indicate that graph structure modeling based on adaptive deep learning performs well for IoT botnet detection and can be applied to real-world situations.
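The pipeline the abstract outlines (flow records, node feature normalization, an attributed communication graph, graph convolution) can be sketched as follows. This is an added example, not the authors' code: the flow tuple layout, host names, three-feature choice and weight matrix are assumptions, the weights are untrained, and the attention module is omitted.

```python
import math
from collections import defaultdict

# Constructed flow records (src, dst, bytes, packets); not taken from NSL-KDD or Bot-IoT.
FLOWS = [("cam1", "gw", 1200, 10), ("cam2", "gw", 1100, 9), ("plug", "gw", 300, 4),
         ("cam1", "ext", 90000, 800), ("cam2", "ext", 88000, 790)]

def build_graph(flows):
    """Nodes are hosts, edges are observed flows; features: bytes sent, packets sent, peer count."""
    adj, feats = defaultdict(set), defaultdict(lambda: [0.0, 0.0, 0.0])
    for src, dst, nbytes, pkts in flows:
        feats[src][0] += nbytes
        feats[src][1] += pkts
        feats[dst]                      # make sure pure receivers become nodes too
        adj[src].add(dst)
        adj[dst].add(src)               # undirected communication graph
    nodes = sorted(feats)
    for n in nodes:
        feats[n][2] = float(len(adj[n]))
    return nodes, adj, [feats[n] for n in nodes]

def zscore(x):
    """Node feature normalization: zero mean, unit variance per column."""
    cols = list(zip(*x))
    mu = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) or 1.0 for c, m in zip(cols, mu)]
    return [[(v - m) / s for v, m, s in zip(row, mu, sd)] for row in x]

def norm_adj(nodes, adj):
    """A_hat = D^-1/2 (A + I) D^-1/2, i.e. the adjacency with self-loops, degree-normalized."""
    deg = {n: len(adj[n]) + 1 for n in nodes}
    return [[(1.0 / math.sqrt(deg[u] * deg[v])) if (u == v or v in adj[u]) else 0.0
             for v in nodes] for u in nodes]

def gcn_layer(a_hat, x, w):
    """One propagation step: ReLU(A_hat @ X @ W)."""
    ax = [[sum(a * x[k][j] for k, a in enumerate(row)) for j in range(len(x[0]))] for row in a_hat]
    return [[max(0.0, sum(r[k] * w[k][j] for k in range(len(w)))) for j in range(len(w[0]))]
            for r in ax]

def embed(flows, w):
    """Flow records -> (node names, node embeddings after one GCN layer)."""
    nodes, adj, x = build_graph(flows)
    return nodes, gcn_layer(norm_adj(nodes, adj), zscore(x), w)
```

With a weight matrix that selects only the bytes-sent feature, the host that both cameras talk to receives a positive activation from its neighbors even though it sends nothing itself, which is the kind of neighborhood signal a per-flow classifier does not see.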

Published

2026-01-28

How to Cite

Fares, T. A., Masri, W. A., & Salem, H. A. (2026). Botnet Traffic Detection in the Internet of Things Based on Graph Convolutional Networks. Data Engineering and Applications, 5(1), 12d:161–173. https://doi.org/10.64972/dea.2026.v5i1.17012d:161-173

Section

Articles
