Combining Deep Learning Models for Enhancing the Detection of Botnet Attacks in Multiple Sensors Internet of Things Networks

Abdulkareem A. Hezam - Center of Intelligent and Autonomous Systems (CIAS), Faculty of Computer Science and Information Technology, Universiti Tun Hussein Onn Malaysia, Parit Raja, Johor, Malaysia.
Salama A. Mostafa - Center of Intelligent and Autonomous Systems (CIAS), Faculty of Computer Science and Information Technology, Universiti Tun Hussein Onn Malaysia, Parit Raja, Johor, Malaysia.
Zirawani Baharum -
Alde Alanda - Department of Information Technology, Politeknik Negeri Padang, West Sumatera, Indonesia
Mohd Zaki Salikon - Faculty of Computer Science and Information Technology, Universiti Tun Hussein Onn Malaysia, Parit Raja 86400, Johor, Malaysia

Citation Format:



Distributed-Denial-of-Service impacts are undeniably significant, and because of the development of IoT devices, they are expected to continue to rise in the future. Even though many solutions have been developed to identify and prevent this assault, which is mainly targeted at IoT devices, the danger continues to exist and is now larger than ever. It is common practice to launch denial of service attacks in order to prevent legitimate requests from being completed. This is accomplished by swamping the targeted machines or resources with false requests in an attempt to overpower systems and prevent many or all legitimate requests from being completed. There have been many efforts to use machine learning to tackle puzzle-like middle-box problems and other Artificial Intelligence (AI) problems in the last few years. The modern botnets are so sophisticated that they may evolve daily, as in the case of the Mirai botnet, for example. This research presents a deep learning method based on a real-world dataset gathered by infecting nine Internet of Things devices with two of the most destructive DDoS botnets, Mirai and Bashlite, and then analyzing the results. This paper proposes the BiLSTM-CNN model that combines Bidirectional Long-Short Term Memory Recurrent Neural Network and Convolutional Neural Network (CNN). This model employs CNN for data processing and feature optimization, and the BiLSTM is used for classification. This model is evaluated by comparing its results with three standard deep learning models of CNN, Recurrent Neural Network (RNN), and long-Short Term Memory Recurrent Neural Network (LSTM–RNN). There is a huge need for more realistic datasets to fully test such models' capabilities, and where N-BaIoT comes, it also includes multi-device IoT data. The N-BaIoT dataset contains DDoS attacks with the two of the most used types of botnets: Bashlite and Mirai. The 10-fold cross-validation technique tests the four models. The obtained results show that the BiLSTM-CNN outperforms all other individual classifiers in every aspect in which it achieves an accuracy of 89.79% and an error rate of 0.1546 with a very high precision of 93.92% with an f1-score and recall of 85.73% and 89.11%, respectively. The RNN achieves the highest accuracy among the three individual models, with an accuracy of 89.77%, followed by LSTM, which achieves the second-highest accuracy of 89.71%. CNN, on the other hand, achieves the lowest accuracy among all classifiers of 89.50%.


DDoS; deep learning; classification; IoT; RNN; LSTM-RNN; BiLSTM-CNN.

Full Text:



B. A. Khalaf, S. A. Mostafa, A. Mustapha, and N. Abdullah, "An Adaptive Model for Detection and Prevention of DDoS and Flash Crowd Flooding Attacks," Int. Symp. Agents, Multi-Agent Syst. Robot. 2018, ISAMSR 2018, no. march, pp. 1–6, 2018.

A. Dorri, S. S. Kanhere, R. Jurdak, and P. Gauravaram, "Blockchain for IoT security and privacy: The case study of a smart home," in 2017 IEEE International Conference on Pervasive Computing and Communications Workshops, PerCom Workshops 2017, 2017, pp. 618–623.

K. Alieyan, A. Almomani, R. Abdullah, B. Almutairi, and M. Alauthman, "Botnet and Internet of Things (IoTs)," no. February, pp. 304–316, 2019.

R. Want, B. N. Schilit, and S. Jenson, "Enabling the internet of things," Computer (Long. Beach. Calif)., vol. 48, no. 1, pp. 28–35, 2015.

P. Desai, A. Sheth, and P. Anantharam, "Semantic Gateway as a Service Architecture for IoT Interoperability," Proc. - 2015 IEEE 3rd Int. Conf. Mob. Serv. MS 2015, pp. 313–319, 2015.

F. Dahlqvist, M. Patel, A. Rajko, and J. Shulman, "Growing opportunities in the Internet of Things (IoT)," McKinsey & Company, 2019.

S. Hilton, " 'oracle,'” [Online]. Available:

C. Seaman, (2016). Threat advisory: Mirai botnet. Akamai Threat Advisory.

B. A. Khalaf, S. A. Mostafa, A. Mustapha, M. A. Mohammed, and W. M. Abduallah, "Comprehensive review of artificial intelligence and statistical approaches in distributed denial of service attack and defense methods," IEEE Access, vol. 7, pp. 51691–51713, 2019.

M. Ejaz Ahmed and H. Kim, "DDoS attack mitigation in internet of things using software defined networking," Proc. - 3rd IEEE Int. Conf. Big Data Comput. Serv. Appl. BigDataService 2017, pp. 271–276, 2017.

R. Doshi, N. Apthorpe, and N. Feamster, "Machine learning DDoS detection for consumer internet of things devices," in Proceedings - 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018, Aug. 2018, pp. 29–35.

H. Griffioen and C. Doerr, "Examining Mirai's Battle over the Internet of Things," Proc. ACM Conf. Comput. Commun. Secur., no. October 2020, pp. 743–755, 202.

C. F. M. Maseer, Z. K., Yusof, R., Bahaman, N., Mostafa, S. A., & Foozy, "Benchmarking of machine learning for anomaly based intrusion detection systems in the CICIDS2017 dataset," IEEE Access, vol. 9, pp. 22351–22370, 2021.

N. A. and N. F. R. Doshi, "Machine Learning DDoS Detection for Consumer Internet of Things Devices," IEEE, 2018.

Y. Meidan et al., "N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders," IEEE Pervasive Comput., vol. 17, no. 3, pp. 12–22, May 2018.

Z. Al-Othman, M. Alkasassbeh, and S. A.-H. Baddar, "A State-of-the-Art Review on IoT botnet Attack Detection," 2020.

Y. Meidan et al., "N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders," May 2018.

O. F. Rashid, Z. A. Othman, and S. Zainudin, "A novel DNA sequence approach for network intrusion detection system based on cryptography encoding method." International Journal on Advanced Science, Engineering and Information Technology, 7(1), 183-189, 2017.

H. Suo, J. Wan, C. Zou, and J. Liu, "Security in the internet of things: A review," Proc. - 2012 Int. Conf. Comput. Sci. Electron. Eng. ICCSEE 2012, vol. 3, pp. 648–651, 2012.

C. Kolias, G. Kambourakis, A. Stavrou, J. Voas, and I. Fellow, "DDoS in the IoT," Computer (Long. Beach. Calif)., vol. 50, no. 7, pp. 80–84, 201.

Y. Jia, F. Zhong, A. Alrawais, B. Gong, and X. Cheng, "FlowGuard: An Intelligent Edge Defense Mechanism against IoT DDoS Attacks," IEEE Internet Things J., vol. 7, no. 10, pp. 9552–9562, 2020.

Y. N. Soe, Y. Feng, P. I. Santosa, R. Hartanto, and K. Sakurai, "Machine learning-based IoT-botnet attack detection with sequential architecture," Sensors (Switzerland), vol. 20, no. 16, pp. 1–15, 2020.

S. Sriram, R. Vinayakumar, M. Alazab, and K. P. Soman, "Network flow based IoT botnet attack detection using deep learning," IEEE INFOCOM 2020 - IEEE Conf. Comput. Commun. Work. INFOCOM WKSHPS 2020, pp. 189–194, 2020.

M. Ozcelik, N. Chalabianloo, and G. Gur, "Software-Defined Edge Defense Against IoT-Based DDoS," IEEE CIT 2017 - 17th IEEE Int. Conf. Comput. Inf. Technol., pp. 308–313, 2017.

D. H. Summerville, K. M. Zach, and Y. Chen, "Ultra-lightweight deep packet anomaly detection for Internet of Things devices," 2015 IEEE 34th Int. Perform. Comput. Commun. Conf. IPCCC 2015, 2016.

M. Zhang et al., "Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches," no. February, 2020.

E. van der Velden, “Master Thesis,” arXiv, no. October, 2018.

A. Wani and S. Revathi, "DDoS Detection and Alleviation in IoT using SDN (SDIoT-DDoS-DA)," J. Inst. Eng. Ser. B, vol. 101, no. 2, pp. 117–128, 2020.

G. De La Torre Parra, P. Rad, K. K. R. Choo, and N. Beebe, "Detecting Internet of Things attacks using distributed deep learning," J. Netw. Comput. Appl., vol. 163, no. April, 2020.

R. Wirth and J. Hipp, "CRISP-DM: towards a standard process model for data mining. Proceedings of the Fourth International Conference on the Practical Application of Knowledge Discovery and Data Mining, 29-39," no. 24959, 2000.

M. F. Ab Aziz, S. A. Mostafa, C. F. M. Foozy, M. A. Mohammed, M. Elhoseny, & A. Abualkishik, (2021). Integrating Elman Recurrent Neural Network with Particle Swarm Optimization Algorithms for an Improved Hybrid Training of Multidisciplinary Datasets. Expert Systems with Applications, 115441.

S. Kiranyaz, O. Avci, O. Abdeljaber, T. Ince, M. Gabbouj, and D. J. Inman, "1D convolutional neural networks and applications: A survey," Mech. Syst. Signal Process., vol. 151, p. 107398, 202.

S. A. Kashinath, S. A. Mostafa, A. Mustapha, H. Mahdin, D. Lim, M. A. Mahmoud, ... and T. J. Yang, (2021). Review of Data Fusion Methods for Real-Time and Multi-Sensor Traffic Flow Analysis. IEEE Access.

P. K. Bediako, "Long Short-Term Memory Recurrent Neural Network for detecting DDoS flooding attacks within TensorFlow Implementation framework," p. 31, 2017.

A. Azzouni, and G. Pujolle, "A long short-term memory recurrent neural network framework for network traffic matrix prediction," arXiv preprint arXiv:1705.05690, 2017.

X. Liang, and T. Znati, "A long short-term memory enabled framework for DDoS detection," In 2019 IEEE Global Communications Conference (GLOBECOM) (pp. 1-6). IEEE, December 2019.

L. Shang, W. Zhao, J. Zhang, Q. Fu, Q., Zhao, and Y. Yang, "Network Security Situation Prediction Based on Long Short-Term Memory Network," In 2019 20th Asia-Pacific Network Operations and Management Symposium (APNOMS) (pp. 1-4). IEEE, September 2019.

B. A. Azizan, A. H., Mostafa, S. A., Mustapha, A., Foozy, C. F. M., Abd Wahab, M. H., Mohammed, M. A., & Khalaf, "A Machine Learning Approach for Improving the Performance of Network Intrusion Detection Systems," Ann. Emerg. Technol. Comput., vol. 5, no. 5, 2021.

A. M. Kadhum, and M. K. Hasan, "Assessing the determinants of cloud computing services for utilizing health information systems: A case study. International Journal on Advanced Science, Engineering and Information Technology, 7(2), 503-510, 2017.


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

JOIV : International Journal on Informatics Visualization
ISSN 2549-9610  (print) | 2549-9904 (online)
Organized by Department of Information Technology - Politeknik Negeri Padang, and Institute of Visual Informatics - UKM and Soft Computing and Data Mining Centre - UTHM
W :
E :,,

View JOIV Stats

Creative Commons License is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.