{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,16]],"date-time":"2026-02-16T08:50:56Z","timestamp":1771231856905,"version":"3.50.1"},"reference-count":55,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,12,3]],"date-time":"2023-12-03T00:00:00Z","timestamp":1701561600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,12,3]],"date-time":"2023-12-03T00:00:00Z","timestamp":1701561600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"\n Abstract<\/jats:title>\n Intrusion detection systems have been proposed for the detection of botnet attacks. Various types of centralized or distributed cloud-based machine learning and deep learning models have been suggested. However, the emergence of the Internet of Things (IoT) has brought about a huge increase in connected devices, necessitating a different approach. In this paper, we propose to perform detection on IoT-edge devices. The suggested architecture includes an anomaly intrusion detection system in the application layer of IoT-edge devices, arranged in software-defined networks. IoT-edge devices request information from the software-defined networks controller about their own behaviour in the network. This behaviour is represented by communication graphs and is novel for IoT networks. This representation better characterizes the behaviour of the device than the traditional analysis of network traffic, with a lower volume of information. Botnet attack scenarios are simulated with the IoT-23 dataset. Experimental results show that attacks are detected with high accuracy using a deep learning model with low device memory requirements and significant storage reduction for training.\n<\/jats:p>\n <\/jats:sec>\n Graphical abstract<\/jats:title>\n \n <\/jats:sec>","DOI":"10.1186\/s42400-023-00169-6","type":"journal-article","created":{"date-parts":[[2023,12,3]],"date-time":"2023-12-03T04:11:59Z","timestamp":1701576719000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":17,"title":["A novel botnet attack detection for IoT networks based on communication graphs"],"prefix":"10.1186","volume":"6","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7366-6370","authenticated-orcid":false,"given":"David Concejal","family":"Mu\u00f1oz","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7334-2317","authenticated-orcid":false,"given":"Antonio del-Corte","family":"Valiente","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,12,3]]},"reference":[{"key":"169_CR1","doi-asserted-by":"publisher","first-page":"123","DOI":"10.1007\/s40860-015-0008-0","volume":"1","author":"U Ahmed","year":"2015","unstructured":"Ahmed U, Raza I, Hussain SA, Syed A, Amjad A, Muddesar I (2015) Modelling cyber security for software-defined networks those grow strong when exposed to threats. J Reliable Intell Environ 1:123\u2013146","journal-title":"J Reliable Intell Environ"},{"key":"169_CR2","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1016\/j.jnca.2017.04.002","volume":"88","author":"FA Alaba","year":"2017","unstructured":"Alaba FA, Othman M, Hashem IAT, Alotaibi F (2017) Internet of things security: a survey. J Netw Comput Appl 88:10\u201328","journal-title":"J Netw Comput Appl"},{"issue":"5","key":"169_CR3","doi-asserted-by":"publisher","first-page":"9042","DOI":"10.1109\/JIOT.2019.2926365","volume":"6","author":"E Anthi","year":"2019","unstructured":"Anthi E, Williams L, S\u0142owi\u0144ska M, Theodorakopoulos G, Burnap P (2019) A supervised intrusion detection system for smart home iot devices. IEEE Internet Things J 6(5):9042\u20139053","journal-title":"IEEE Internet Things J"},{"key":"169_CR4","doi-asserted-by":"publisher","first-page":"2023","DOI":"10.1007\/s11277-020-07137-0","volume":"112","author":"MJ Babu","year":"2020","unstructured":"Babu MJ, Reddy AR (2020) Sh-ids: specification heuristics based intrusion detection system for iot networks. Wireless Pers Commun 112:2023\u20132045","journal-title":"Wireless Pers Commun"},{"key":"169_CR5","unstructured":"Bank D, Koenigstein N, Giryes R (2020) Autoencoders. arXiv:2003.05991"},{"key":"169_CR6","doi-asserted-by":"publisher","first-page":"5803","DOI":"10.1002\/sec.1737","volume":"9","author":"K Benzekki","year":"2016","unstructured":"Benzekki K, El Fergougui A, Elbelrhiti Elalaoui A (2016) Software-defined networking (sdn): a survey. Secur Comm Netw 9:5803\u20135833","journal-title":"Secur Comm Netw"},{"key":"169_CR7","doi-asserted-by":"publisher","first-page":"163","DOI":"10.1080\/0022250X.2001.9990249","volume":"25","author":"U Brandes","year":"2001","unstructured":"Brandes U (2001) A faster algorithm for betweenness centrality. J Math Sociol 25:163\u2013177","journal-title":"J Math Sociol"},{"issue":"7","key":"169_CR8","doi-asserted-by":"publisher","first-page":"2303","DOI":"10.1142\/S0218127407018403","volume":"17","author":"U Brandes","year":"2007","unstructured":"Brandes U, Pich C (2007) Centrality estimation in large networks. Int J Bifurc Chaos 17(7):2303\u20132318","journal-title":"Int J Bifurc Chaos"},{"key":"169_CR9","unstructured":"Check Point: Check Point Software\u2019s 2023 Cyber Security Report (2023). https:\/\/pages.checkpoint.com\/cyber-security-report-2023.html Accessed 20 Feb 2023"},{"key":"169_CR10","doi-asserted-by":"crossref","unstructured":"Choi H, Lee H, Lee H, Kim H(2007) Botnet detection by monitoring group activities in dns traffic. In: 7th IEEE international conference on computer and information technology (CIT 2007), pp 715\u2013720","DOI":"10.1109\/CIT.2007.90"},{"key":"169_CR11","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1186\/s40537-017-0074-7","volume":"4","author":"S Chowdhury","year":"2017","unstructured":"Chowdhury S, Khanzadeh M, Akula R (2017) Botnet detection using graph-based feature clustering. J Big Data 4:14","journal-title":"J Big Data"},{"key":"169_CR12","unstructured":"Daya AA, Salahuddin M, Limam N, Boutaba R (2019) A graph-based machine learning approach for bot detection. arXiv"},{"key":"169_CR13","doi-asserted-by":"crossref","unstructured":"Douceur JR (2002) The sybil attack. In: Springer (ed.) International workshop on peer-to-peer systems. Lecture notes in computer science: 2002; Heidelberg, vol 2429","DOI":"10.1007\/3-540-45748-8_24"},{"key":"169_CR14","unstructured":"Garcia S, Parmisano A, Erquiaga MJ (2020) IoT-23: A labeled dataset with malicious and benign IoT network traffic (Version 1.0.0) . https:\/\/www.stratosphereips.org\/datasets-iot23 Accessed 10 Feb 2022"},{"issue":"1","key":"169_CR15","first-page":"42","volume":"3","author":"A Geetha","year":"2016","unstructured":"Geetha A, Sreenath N (2016) Byzantine attacks and its security measures in mobile adhoc networks. Int J Comput Commun Instrum Eng (IJCCIE) 3(1):42\u201347","journal-title":"Int J Comput Commun Instrum Eng (IJCCIE)"},{"key":"169_CR16","doi-asserted-by":"crossref","unstructured":"Hafeez I, Antikainen M, Tarkoma S ( 2019) Protecting iot-environments against traffic analysis attacks with traffic morphing. In: 2019 IEEE international conference on pervasive computing and communications workshops (PerCom Workshops), pp 196\u2013 201","DOI":"10.1109\/PERCOMW.2019.8730787"},{"key":"169_CR17","doi-asserted-by":"crossref","unstructured":"Horrow S, Sardana A ( 2012) Identity management framework for cloud based internet of things. In: Proceedings of the first international conference on security of internet of things (SecurIT \u201912), pp 200\u2013 203","DOI":"10.1145\/2490428.2490456"},{"key":"169_CR18","unstructured":"Hu YC, Perrig A, Johnson DB (2003) Packet leashes: a defense against wormhole attacks in wireless networks. In: IEEE INFOCOM 2003. Twenty-second annual joint conference of the IEEE computer and communications societies (IEEE Cat. No.03CH37428), vol 3, pp 1976\u2013 1986"},{"issue":"1","key":"169_CR19","doi-asserted-by":"publisher","first-page":"16","DOI":"10.1016\/j.jnca.2012.09.004","volume":"36","author":"L Hung-Jen\u00a0Liao","year":"2013","unstructured":"Hung-Jen\u00a0Liao L, Chun-Hung RL, Ying-Chih L, Kuang-Yuan T (2013) Intrusion detection system: a comprehensive review. J Netw Comput Appl 36(1):16\u201324","journal-title":"J Netw Comput Appl"},{"key":"169_CR20","doi-asserted-by":"publisher","DOI":"10.1016\/j.compind.2021.103509","volume":"132","author":"T Huong","year":"2021","unstructured":"Huong T, Bac T, Long D, Luong T, Dan N, Quang L, Cong L, Thang B, Tran K (2021) Detecting cyberattacks using anomaly detection in industrial control systems: a federated learning approach. Comput Ind 132:103509","journal-title":"Comput Ind"},{"key":"169_CR21","unstructured":"Ioffe S, Weiqing S(2015) Batch normalization: accelerating deep network training by reducing internal covariate shift. arXiv"},{"key":"169_CR22","doi-asserted-by":"crossref","unstructured":"Jindal K, Dalal S, Sharma KK( 2014) Analyzing spoofing attacks in wireless networks. In: 2014 fourth international conference on advanced computing & communication technologies, pp 398\u2013 402","DOI":"10.1109\/ACCT.2014.46"},{"key":"169_CR23","doi-asserted-by":"crossref","unstructured":"Kang U, Papadimitriou S, Sun J, Tong H (2011) Centralities in large networks: Algorithms and observations, pp 119\u2013 130","DOI":"10.1137\/1.9781611972818.11"},{"key":"169_CR24","doi-asserted-by":"publisher","first-page":"943","DOI":"10.1631\/jzus.C1300242","volume":"15","author":"A Karim","year":"2014","unstructured":"Karim A, Salleh R, Shiraz M, Shah S, Awan I, Anuar N (2014) Botnet detection techniques: review, future trends, and issues. J Zhejiang Univ Sci C 15:943\u2013983","journal-title":"J Zhejiang Univ Sci C"},{"issue":"1","key":"169_CR25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s42400-019-0038-7","volume":"2","author":"A Khraisat","year":"2019","unstructured":"Khraisat A, Gondal I, Vamplew P, Kamruzzaman J (2019) Survey of intrusion detection systems: techniques, datasets and challenges. Cybersecurity 2(1):1\u201322","journal-title":"Cybersecurity"},{"key":"169_CR26","first-page":"1","volume":"13","author":"G Kibirige","year":"2015","unstructured":"Kibirige G, Sanga C (2015) A survey on detection of sinkhole attack in wireless sensor network. Int J Comput Sci Inf Secur 13:1\u20139","journal-title":"Int J Comput Sci Inf Secur"},{"issue":"1","key":"169_CR27","first-page":"51","volume":"5","author":"R Limarunothai","year":"2015","unstructured":"Limarunothai R, Munlin MA (2015) Trends and challenges of botnet architectures and detection techniques. J Inf Syst Telecommun 5(1):51\u201357","journal-title":"J Inf Syst Telecommun"},{"key":"169_CR28","doi-asserted-by":"crossref","unstructured":"Lin K, Huang W(2020) Using federated learning on malware classification. In: 2020 22nd international conference on advanced communication technology (ICACT), pp 585\u2013 589","DOI":"10.23919\/ICACT48636.2020.9061261"},{"issue":"8","key":"169_CR29","doi-asserted-by":"publisher","first-page":"6348","DOI":"10.1109\/JIOT.2020.3011726","volume":"8","author":"Y Liu","year":"2021","unstructured":"Liu Y, Garg S, Nie J, Zhang Y, Xiong Z, Kang J, Hossain M (2021) Deep anomaly detection for time-series data in industrial iot: a communication-efficient on-device federated learning approach. IEEE Internet Things J 8(8):6348\u20136358","journal-title":"IEEE Internet Things J"},{"key":"169_CR30","doi-asserted-by":"crossref","unstructured":"Lu Z, Lu X, Wang W, Wang C (2010) eview and evaluation of security threats on the communication networks in the smart grid. In: 2010 Military Communications Conference, pp. 1830\u2013 1835","DOI":"10.1109\/MILCOM.2010.5679551"},{"key":"169_CR31","doi-asserted-by":"crossref","unstructured":"Luo T, Nagarajan SG ( 2018) Distributed anomaly detection using autoencoder neural networks in wsn for iot. In: 2018 IEEE International Conference on Communications (ICC), pp. 1\u2013 6","DOI":"10.1109\/ICC.2018.8422402"},{"key":"169_CR32","doi-asserted-by":"crossref","unstructured":"Malladi S, Alves-Foss J, Heckendorn RB (2002) On preventing replay attacks on security protocols. Department of Computer Science University of Idaho","DOI":"10.21236\/ADA462295"},{"key":"169_CR33","doi-asserted-by":"crossref","unstructured":"Mendes LDP, Aloi J, Pimenta TC( 2019) Analysis of iot botnet architectures and recent defense proposals. In: 2019 31st international conference on microelectronics (ICM), pp 186\u2013 189","DOI":"10.1109\/ICM48031.2019.9021715"},{"key":"169_CR34","doi-asserted-by":"crossref","unstructured":"Mirsky Y, Doitshman T, Elovici Y, Shabtai A (2018) Kitsune: an ensemble of autoencoders for online network intrusion detection. arXiv:1802.09089, pp 665\u2013674","DOI":"10.14722\/ndss.2018.23204"},{"key":"169_CR35","doi-asserted-by":"publisher","first-page":"98","DOI":"10.1016\/j.buildenv.2014.01.011","volume":"75","author":"SN Murray","year":"2014","unstructured":"Murray SN, Walsh BP, Kelliher D, O\u2019Sullivan DTJ (2014) Multi-variable optimization of thermal energy efficiency retrofitting of buildings using static modelling and genetic algorithms\u2013a case study. Build Environ 75:98\u2013107","journal-title":"Build Environ"},{"key":"169_CR36","doi-asserted-by":"crossref","unstructured":"Nguyen TD, Marchal S, Miettinen H M\u00a0andFereidooni Asokan N, Sadeghi AR (2019) D\u00cfot: A federated self-learning anomaly detection system for iot. In: International conference on distributed computing systems, pp 756\u2013 767","DOI":"10.1109\/ICDCS.2019.00080"},{"key":"169_CR37","first-page":"2","volume":"4","author":"Q Niyaz","year":"2017","unstructured":"Niyaz Q, Weiqing S, Javaid AY (2017) A deep learning based ddos detection system in software-defined networking (sdn). EAI Endorsed Trans Secur Saf 4:2","journal-title":"EAI Endorsed Trans Secur Saf"},{"key":"169_CR38","doi-asserted-by":"publisher","first-page":"503","DOI":"10.1016\/j.procs.2015.04.126","volume":"48","author":"MV Pawar","year":"2015","unstructured":"Pawar MV, Anuradha J (2015) Network security and types of attacks in network. Procedia Comput Sci 48:503\u2013506","journal-title":"Procedia Comput Sci"},{"key":"169_CR39","unstructured":"Rumelhart DE, Hinton GE, Williams RJ (1986) Learning internal representations by error propagation. In: Parallel distributed processing: explorations in the microstructure of cognition pp 318\u2013362"},{"issue":"2","key":"169_CR40","doi-asserted-by":"publisher","first-page":"58","DOI":"10.1109\/MITP.2020.2992710","volume":"23","author":"T Saba","year":"2021","unstructured":"Saba T, Sadad T, Rehman A, Mehmood Z, Javaid Q (2021) Intrusion detection system through advance machine learning for the internet of things networks. IT Prof 23(2):58\u201364","journal-title":"IT Prof"},{"issue":"24","key":"169_CR41","doi-asserted-by":"publisher","first-page":"7326","DOI":"10.3390\/s20247326","volume":"20","author":"AK Sarica","year":"2020","unstructured":"Sarica AK, Angin P (2020) Explainable security in sdn-based iot networks. Sensors 20(24):7326","journal-title":"Sensors"},{"key":"169_CR42","doi-asserted-by":"crossref","unstructured":"Sengupta T, De, S, Banerjee I (2021) A closeness centrality based p2p botnet detection approach using deep learning. In: 12th international conference on computing communication and networking technologies (ICCCNT), pp 1\u2013 7","DOI":"10.1109\/ICCCNT51525.2021.9579547"},{"key":"169_CR43","doi-asserted-by":"crossref","unstructured":"Shafee A, Baza M, Talbert DA, Fouda MM, Nabil M, Mahmoud M (2020) Mimic learning to generate a shareable network intrusion detection model. In: 2020 IEEE 17th annual consumer communications networking conference (CCNC), pp 1\u2013 6","DOI":"10.1109\/CCNC46108.2020.9045236"},{"issue":"5","key":"169_CR44","doi-asserted-by":"publisher","first-page":"866","DOI":"10.3390\/sym13050866","volume":"13","author":"K Shinan","year":"2021","unstructured":"Shinan K, Alsubhi K, Alzahrani A, Ashraf MU (2021) Machine learning-based botnet detection in software-defined network: A systematic review. Symmetry 13(5):866","journal-title":"Symmetry"},{"key":"169_CR45","doi-asserted-by":"publisher","first-page":"378","DOI":"10.1016\/j.comnet.2012.07.021","volume":"57","author":"S Silva","year":"2013","unstructured":"Silva S, Silva R, Pinto R, Salles R (2013) Botnets: a survey. Comput Netw 57:378\u2013403","journal-title":"Comput Netw"},{"key":"169_CR46","volume-title":"Computer Networks","author":"A Tanenbaum","year":"2011","unstructured":"Tanenbaum A, Wetherall D (2011) Computer Networks, 5th edn. Pearson, Boston","edition":"5"},{"key":"169_CR47","doi-asserted-by":"publisher","first-page":"3211","DOI":"10.1007\/s11831-020-09496-0","volume":"28","author":"A Thakkar","year":"2019","unstructured":"Thakkar A, Lohiya R (2019) Review on machine learning and deep learning perspectives of ids for iot: recent updates, security issues, and challenges. Arch Computat Methods Eng 28:3211\u20133243","journal-title":"Arch Computat Methods Eng"},{"key":"169_CR48","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102344","volume":"108","author":"P Tian","year":"2021","unstructured":"Tian P, Chen Z, Yu W, Liao W (2021) Towards asynchronous federated learning based threat detection: a dc-adam approach. Comput Secur 108:102344","journal-title":"Comput Secur"},{"key":"169_CR49","doi-asserted-by":"publisher","first-page":"247","DOI":"10.1007\/s11416-015-0250-2","volume":"11","author":"B Venkatesh","year":"2015","unstructured":"Venkatesh B, Choudhury SH, Nagaraja S (2015) Botspot: fast graph based identification of structured p2p bots. J Comput Virol Hack Tech 11:247\u2013261","journal-title":"J Comput Virol Hack Tech"},{"key":"169_CR50","unstructured":"Xu B, Szegedy C (2015) Empirical evaluation of rectified activations in convolution network. arXiv:1505.00853"},{"key":"169_CR51","doi-asserted-by":"crossref","unstructured":"Zeidanloo HR, Manaf AA (2009) Botnet command and control mechanisms. In: 2009 second international conference on computer and electrical engineering, pp 564\u2013 568","DOI":"10.1109\/ICCEE.2009.151"},{"key":"169_CR52","doi-asserted-by":"publisher","DOI":"10.1016\/j.phycom.2020.101157","volume":"42","author":"R Zhao","year":"2020","unstructured":"Zhao R, Yin Y, Shi Y, Xue Z (2020) Intelligent intrusion detection based on federated learning aided long short-term memory. Phys Commun 42:101157","journal-title":"Phys Commun"},{"key":"169_CR53","doi-asserted-by":"crossref","unstructured":"Zhao K, Ge L( 2013) A survey on the internet of things security. In: 2013 ninth international conference on computational intelligence and security, pp 663\u2013 667","DOI":"10.1109\/CIS.2013.145"},{"issue":"2","key":"169_CR54","doi-asserted-by":"publisher","first-page":"1606","DOI":"10.1109\/JIOT.2018.2847733","volume":"6","author":"W Zhou","year":"2019","unstructured":"Zhou W, Jia Y, Peng A, Zhang Y, Liu P (2019) The effect of iot new features on security and privacy: new threats, existing solutions, and challenges yet to be solved. IEEE Internet Things J 6(2):1606\u20131616","journal-title":"IEEE Internet Things J"},{"key":"169_CR55","doi-asserted-by":"crossref","unstructured":"Zhou C, Paffenroth R(2017) Anomaly detection with robust deep autoencoders. In: Proceedings of the 23rd ACM SIGKDD international conference, pp 665\u2013 674","DOI":"10.1145\/3097983.3098052"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00169-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-023-00169-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00169-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,12,3]],"date-time":"2023-12-03T04:12:22Z","timestamp":1701576742000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-023-00169-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,12,3]]},"references-count":55,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["169"],"URL":"https:\/\/doi.org\/10.1186\/s42400-023-00169-6","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,12,3]]},"assertion":[{"value":"7 March 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"14 June 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 December 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"33"}}