
2024 Second International Conference on Advance in Information Technology (ICAIT-2024)

Distributed Denial of Services (DDoS) & IoT Botnet Malware Identification Using Machine Learning & Deep Learning Models

Indrajeet Kumar
Graphic Era Hill University, Dehradun, India-248002
Adjunct Professor, Graphic Era Deemed to be University, Dehradun, India-248001
[email protected]

Manvi Bohra
Graphic Era Hill University, Dehradun, India
[email protected]

Noor Mohd
Graphic Era Deemed to be University, Dehradun, India
[email protected]

Teekam Singh
Graphic Era Deemed to be University, Dehradun, India
[email protected]

Abstract— In this work, distributed denial of services (DDoS) and IoT botnet attack detection has been performed using machine learning (ML) and deep learning (DL) models. For the implementation of the proposed work, DDoS attack and IoT botnet datasets are used. These instances are collected by the implementation of Mirai and BASHLITE. The used dataset comprises 7999 instances and each instance has 29 attributes. The collected instances are pre-processed to eliminate the redundant attributes; finally, a set of 10 attributes is selected for the experiments. After this, the dataset is divided into training and testing sets. Using the training set, machine learning models (KNN classifier, logistic regression, SVM model, random forest model) and deep learning models (CNN and LSTM) are trained, and they are validated using the testing set. After the experiments it has been found that the deep learning-based LSTM model obtained outstanding performance in terms of accuracy. The obtained testing accuracy for the LSTM model is 99.80 % and the training accuracy is 99.82 %.

Keywords— Internet of Things (IoTs), IoT botnet, Distributed denial of services (DDoS) attacks, Machine Learning, CNN, LSTM.

I. INTRODUCTION
The Internet of Things (IoTs) is a system of organized computation electronic gadgets, power-driven and digital machines, individuals, and persons or human-generated objects that are able to perform significant tasks in a well-defined manner and preserve a capability to send or receive data over a network-oriented platform without human-to-computer intervention. IoT catalyses new computer solution architectures that are more long-term, real-time and autonomously implemented. IoT devices are connected to the internet and thus can send and receive data. They collect data from the environment via various sensors, including temperature, motion, and sound, among others. The data can be analysed to develop insights, serve as a basis for decision-making, and be used in automation. IoT also makes it possible to automate various activities easily [1]. For example, a homeowner can set an optimum temperature for the home or office, a smart refrigerator can record the available stock in it and order whenever necessary, a smart city's traffic regulation systems can be automated, etc. IoT devices can also communicate with each other and with other systems, and, as a result, enable collaborative actions and complex interactions.

An IoT botnet is a group of Internet of Things devices that have been compromised by malware and are being used by an attacker from a distant location. Attacker utilization of the botnet can include DDoS assaults [1], [2], spam promotion email, data theft, and other nefarious activities. The most important issue is security and privacy. IoT devices are prone to hacking and unauthorized data breaches, which puts people at risk of either having their personal information spread or of attackers gaining control over their systems. Moreover, due to the high amount of data the devices handle, the question of data privacy is challenging as well. Another issue related to security in the realm of IoT is the lack of established standards and principles of interoperability and security online. Figure 1 represents the structure of the IoT environment.

979-8-3503-8386-7/24/$31.00 ©2024 IEEE



Fig. 1. Structure of IoTs environment

IoT environments are also deeply affected by DDoS attacks [3]. "In a DDoS attack, a goal is bombarded with traffic so large that their normal operation is disrupted multiple times". Due to the wide deployment of the devices, the lack of security, and the restriction in terms of computing power, IoT devices are prime candidates for being infected and used in a botnet for DDoS attacks. To perform DDoS attacks, a criminal creates an IoT botnet. In this case many IoT devices that have fallen under the attacker's control due to software vulnerabilities or weak passwords join the botnet. Further, the DDoS criminal establishes control over the botnet and performs the necessary actions, such as creating a command-and-control (C&C) server with which he can communicate with the infected IoT devices and make a network request to send traffic to the target so that it exceeds its limits. The last step is the selection of a target to place a load on it [4], [5]. The cleared botnet should send traffic to an attacker-selected target to cause the target to malfunction. The major impacts of DDoS attacks are service disruption, financial loss, extensive use of resources, etc.

II. LITERATURE SURVEY
This section has shown the advancement in employing ML and DL methods (CNN & LSTM) to identify DDoS assaults in IoT networks. Investigation is still being conducted on new models and algorithms to better advance the detection and avoidance of these attacks on Internet of Things networks. More recently performed works have shown promising outcomes for the use of ML and DL methods (CNN & LSTM) in identifying DDoS assaults in different network environments, particularly in IoT [5]. Numerous algorithms and feature selection methods have been implemented due to varying levels of detection accuracy and timing.

The study recognizes the need to improve intrusion detection systems in lightweight IoT networks and innovates a novel data pre-processing technique. This approach ideally resolves the peculiarities of IoT networks and further enhances the goal of promoting cybersecurity through successful detection of DDoS attacks, because of the accumulation of each IoT device's set of constraints. The experiment utilized the TON-IOT and BOTNET-IOT datasets [6]. However, the experiment used binary classification and multiple-class classification models to separate the DDoS attacks from the other two types of attacks.

This study investigates the utilization of machine learning and deep learning techniques in identifying and distinguishing the impacts of DDoS assaults in IoT networks. In order to establish whether or not the network has experienced the attack, adequate detection techniques must be followed [7]. The detection uses suitable techniques such as artificial intelligence, which heavily relies on Machine Learning and Deep Learning. Supervised machine learning based models or algorithms use structured data to learn, detect or identify the outcomes of the work, and recognize patterns.

This paper [8] has shown that an autonomous defence system using edge computing and a 2D-CNN can achieve autonomous and correct recognition of attacking patterns, transmitting modes, and normal mode. In this work, an independent self-governing defence model that uses edge computing and a 2-D-CNN is used and is able to recognize DDoS-type attacks in the IoT environment. The 2D-CNN attained training accuracies of 99.50 % and 99.8 % for network packet traffic and network packet feature identification, respectively.

In the study [9] a novel intrusion detection system based on ML models and CNN models implicitly differentiated over the record timestamps and henceforth accomplished an average accuracy > 99 % with three distinct attribute sets for two-class and multi-class classification. The procedure in this work does not avoid territories between features, as triggered by the flow data generator.

The study [10] detects eleven DDoS attacks from multiple DDoS attack datasets using 6 ML classification algorithms. This study used the CICDDoS2019, one of the datasets obtained from the CICDS. The classification methods were experimented with each DDoS attack to determine the optimal classification algorithms. Generally, it would be possible to conduct work to assess the efficiency of the ML-based classification algorithms in the detection of DDoS attacks. This work used performance metrics (accuracy, precision, recall, and F1-score) to determine the suitability of each model.

III. MATERIALS & METHODOLOGY
A. Dataset Description
The used dataset is collected from a Mirai-type botnet attacking an emulated IoT network in OpenStack. Mirai is a famous botnet that seizes on the mentioned vulnerabilities of the Internet of Things, such as the default password at creation, obsolete firmware, and compromised network services. According to CISA, the attackers behind Mirai access multiple vulnerable IoT devices in large numbers [5]. The actor thereafter uses this acquired power to launch DDoS attacks and other malicious activities. The used dataset comprised 7999 cases. Each case consists of twenty-nine attributes. Not all attributes are important for the detection of attacks, therefore only ten attributes are selected. The correlation matrix of these selected attributes is given in Figure 2.

Fig. 2. Correlation matrix of the selected feature set.


B. Proposed model
The proposed model comprises data preprocessing, dataset bifurcation, model training and the decision of the model. The flowchart of the proposed model is given in Figure 3. The description of each stage is given in detail as follows:

C. Data preprocessing
Data preprocessing is one of the essential steps in the development of a model for identification of DDoS attacks and IoT botnet attacks using machine learning; it converts raw data into clean and formatted data for modelling. High-quality data preprocessing can contribute to significantly improved performance of the learning model and provide accurate and valid results. Data preprocessing covers data collection, data cleaning, data normalization, and data splitting. Data collection is the process of gathering data from different sources such as databases, APIs, or files; ensure that the data is representative of the problem you wish to solve. Data cleaning replaces the missing values with a given value like the mean, median, or mode, or deletes the rows or columns having missing values; outliers can be removed or transformed. Data normalization scales the data to a standardized range of 0-1. Data splitting divides the data into training and testing sets in the ratio of 80:20.

Fig. 3. Experimental work flow chart

D. Classification Models
KNN classifier: K-Nearest Neighbours (KNN) is a simple and straightforward supervised ML algorithm used for classification tasks. KNN identifies [11] the category of a new observation based on its proximity to known observations. It is implemented in a supervised learning task where the learning algorithm is given a labelled data set. This means it labels input data, assigning it to a label such as a binary category, category name, anomaly, etc., to produce a model which can be used to predict a target outcome. The steps involved in this model are given as:
- Input: A dataset with feature values and the corresponding labels.
- Normalize Data: It may be useful, but not necessary, to standardize or normalize the data so that the distance metric makes sense.
- Choose k: Select an odd value of k to completely bypass situations with a tie in classification.
- Find Nearest Neighbours: For any data point, the distance to the rest of the data points is calculated and the k nearest neighbours are selected.


- Classification: Now, a new label is predicted from the k nearest neighbours using the majority class.

Logistic regression: Logistic regression (LR) is a simple, yet widely used, ML algorithm that is used for both binary and multiclass classification [12]. In logistic regression the objective is to estimate the probability that a given input belongs to a certain class. It is mainly utilized for binary classification, which means classifying a certain set of data into only two classes. It can be extended simply to multi-class classification problems using a technique like one-vs-all, one-vs-one or directly SoftMax regression. LR uses the logistic function or Sigmoid function for the classification task [12]. The output of LR is modelled as the probability that an input belongs to a certain class. The logistic function, an S-shaped curve, maps the output of a linear function to a probability value in the range of 0 to 1. Any real number is squashed into the range of values 0 to 1. It is defined as follows:

(1)

Support Vector Machine: SVM is one of the most conventional approaches used for supervised learning for classification tasks [13]. However, it can also be used in regression. SVM is particularly useful when it comes to high-dimensional feature spaces. SVM creates the best decision boundary, especially when the classes are linearly separable. The SVM tries to detect the best hyperplane that separates the classes. This is defined as the one that has the maximum distance between the closest training data and the hyperplane. The closest vectors, which have the maximum impact on the best separating hyperplane, are known as support vectors. SVM can also be applied to non-linear datasets using a kernel trick, which maps the data into a different feature space where it is easier to classify [13]. Common kernels include the linear, polynomial, radial basis function and sigmoid kernels.

Random Forest: The Random Forest (RF) classifier [14] is an ensemble learning model that is widely used to perform classification as well as regression tasks. It utilizes several decision trees to create a strong and accurate model. Random Forest is a great method that consistently achieves strong results in classification tasks. It uses various decision trees to make the model tighter and more flexible. It works well in situations where there is a combination of decent data [14]. By tuning hyperparameters and selecting appropriate features, higher accuracy can be achieved for this problem.

The following are critical random forest principles:
- Ensemble Learning: In general, Random Forest combines the output of more than one decision tree. This reduces the possibility of overfitting while enhancing overall accuracy.
- Bagging: In Bagging, also known as Bootstrap Aggregation, each decision tree receives a randomly drawn bootstrap sample from the original dataset. This step enables different models to achieve varying results.
- Random Feature Selection: Unlike traditional decision trees that use data subsets, Random Forest assembles the dataset when training each decision tree into each bootstrapped sample.

Convolutional Neural Network: Convolutional neural networks (CNN) are DL-based models used most frequently for tasks that involve image data [15]. Although used for other types of data such as NLP and time-series, they have shown outstanding performance in the context of spatial data. As for methods and techniques, it is one of the automatic feature extraction algorithms that succinctly describes the features of data. CNNs [15] are powerful neural networks that are particularly useful for processing and analysing spatial data, most notably images. They are effective in finding complex patterns and relationships in the data and can be transferred to other domains; however, the architecture and advanced techniques must be mastered for them to perform well. Figure 4 shows the architecture of the CNN.

Fig. 4. CNN architecture.

Long Short-Term Memory (LSTM): Long Short-Term Memory (LSTM) [16] is a class of recurrent neural networks that is developed to model and process sequence data such as time series, speech, and text. LSTMs are highly effective at modelling long-term dependencies and at overcoming the vanishing gradient problem of traditional RNNs. LSTMs are a key tool for processing sequential data, especially with long-term dependencies. The LSTM model possesses versatility and strength in many uses, such as time series, speech analysis, or natural language processing [16]. When the parameters are effectively tuned and a variety of regularization capabilities are used, an LSTM process can be trained to perform well on a specific implementation. The structural design of the LSTM model is given in Figure 5.

E. Performance Analysis Metrics
The performance of a classifier can be evaluated by several metrics: accuracy, precision, recall, and F1-score. These metrics help identify how good a classifier may be, in terms of getting instances correct as well as minimizing false positives and false negatives. The values of these parameters have been computed from the obtained confusion matrix (CM). The sample confusion matrix is given in Figure 6 and the mathematical formulas for the parameters are given in Equation 2 to Equation 5.
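As an added example (not the paper's code), the KNN steps above and the confusion-matrix metrics of section E, written in Python. The flow records are constructed for illustration; the two confusion matrices at the end are copied from the paper's Table 1 and are read as rows = actual class, columns = predicted class, with class 0 scored as the positive class, an assumption that reproduces the paper's figures.

```python
# Added example (not the paper's code): KNN built from the four steps above
# (0-1 normalisation, odd k, nearest neighbours, majority vote) plus the
# precision/recall/F1/accuracy metrics of section E computed from a confusion
# matrix. Flow records are constructed; the CMs at the end come from Table 1.
from collections import Counter
import math


def fit_minmax(rows):
    """Per-attribute min and max, learned on the training set only."""
    cols = list(zip(*rows))
    return [min(c) for c in cols], [max(c) for c in cols]


def apply_minmax(rows, lo, hi):
    """Scale every attribute into the 0-1 range (section C normalisation)."""
    return [[(v - l) / (h - l) if h > l else 0.0
             for v, l, h in zip(r, lo, hi)] for r in rows]


def knn_predict(train_x, train_y, x, k=3):
    """Label x by majority vote among its k nearest (Euclidean) neighbours."""
    if k % 2 == 0:
        raise ValueError("use an odd k so a two-class vote cannot tie")
    nearest = sorted((math.dist(x, t), y) for t, y in zip(train_x, train_y))[:k]
    return Counter(y for _, y in nearest).most_common(1)[0][0]


def confusion_matrix(y_true, y_pred):
    """cm[actual][predicted]; rows and columns ordered class 0, class 1."""
    cm = [[0, 0], [0, 0]]
    for t, p in zip(y_true, y_pred):
        cm[t][p] += 1
    return cm


def metrics(cm, positive=0):
    """Precision, recall, F1 and accuracy in %, treating `positive` as the
    class of interest. Scoring class 0 reproduces the Table 1 figures (an
    assumption: the paper does not state which class it scores)."""
    neg = 1 - positive
    tp, fn = cm[positive][positive], cm[positive][neg]
    fp, tn = cm[neg][positive], cm[neg][neg]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / (tp + fn + fp + tn)
    return {name: round(100 * v, 2) for name, v in
            (("precision", precision), ("recall", recall),
             ("f1", f1), ("accuracy", accuracy))}


# Constructed flows: (packets per second, mean packet size, distinct dst ports)
TRAIN_X = [[5, 900, 1], [8, 700, 2], [6, 1100, 1], [4, 600, 1],
           [900, 60, 1], [1200, 64, 1], [800, 58, 1], [1500, 60, 1]]
TRAIN_Y = [0, 0, 0, 0, 1, 1, 1, 1]      # 0 = normal, 1 = flood traffic
TEST_X = [[7, 800, 1], [1000, 62, 1], [3, 1000, 1]]
TEST_Y = [0, 1, 0]


def run_demo(k=3):
    """Normalise with training-set min/max, classify the test flows and
    return the confusion matrix with the metrics derived from it."""
    lo, hi = fit_minmax(TRAIN_X)
    train_x = apply_minmax(TRAIN_X, lo, hi)
    test_x = apply_minmax(TEST_X, lo, hi)
    preds = [knn_predict(train_x, TRAIN_Y, x, k) for x in test_x]
    cm = confusion_matrix(TEST_Y, preds)
    return cm, metrics(cm)


# Table 1 matrices. SVM predicts class 0 for every flow, so its 100 % recall
# and ~76.8 % accuracy say nothing about catching the other class; LSTM is
# near perfect on both classes.
SVM_CM = [[1229, 0], [371, 0]]
LSTM_CM = [[1227, 2], [1, 370]]

if __name__ == "__main__":
    print("KNN on constructed flows:", run_demo())
    print("SVM (Table 1):", metrics(SVM_CM))
    print("LSTM (Table 1):", metrics(LSTM_CM))
```

Checking a reported confusion matrix this way exposes degenerate classifiers that score 100 % on a single metric while never predicting one of the classes.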


Fig. 5. Architecture of LSTM model.

Fig. 6. Confusion matrix representation.

(2)

(3)

(4)

(5)

IV. RESULT ANALYSIS
The results given in Table 1 describe the performance metrics of six ML models that have been trained and tested on a classification problem. This information includes the confusion matrix and other pieces of information, namely precision, recall, F1-score, and accuracy rates for both the training and testing sets. Extensive experiments have been carried out for the detection of DDoS attacks and IoT botnet attacks using six classifiers: the KNN classifier, LR model, SVM, RF model, CNN model and LSTM model.

The percentage of correct predictions from all the models on the training and testing data has also been recorded. The KNN classifier scored 95.20 % accuracy on the training set and 92.68 % on the testing set. The logistic regression score is 94.27 % accuracy on the training dataset and 90.87 % on the testing dataset. SVM, however, produced lower performance metrics on the testing set, with high precision but low recall.

Table 1: Obtained outcomes for the used classification models.

| Model | Confusion matrix, Class 0 row (Class 0, Class 1) | Confusion matrix, Class 1 row (Class 0, Class 1) | Precision (%) | Recall (%) | F1-score (%) | Training accuracy (%) | Testing accuracy (%) |
|---|---|---|---|---|---|---|---|
| KNN | 1161, 68 | 49, 322 | 95.95 | 94.47 | 95.20 | 93.57 | 92.68 |
| LR | 1202, 27 | 119, 252 | 90.99 | 97.80 | 94.27 | 90.43 | 90.87 |
| SVM | 1229, 0 | 371, 0 | 76.81 | 100 | 86.89 | 75.82 | 76.82 |
| RF | 1229, 0 | 69, 302 | 94.68 | 100 | 97.27 | 95.76 | 95.43 |
| CNN | 1139, 90 | 157, 229 | 97.66 | 98.29 | 97.97 | 97.79 | 96.88 |
| LSTM | 1227, 2 | 1, 370 | 99.92 | 99.84 | 99.88 | 99.83 | 99.80 |

Random Forest scored highly on all performance metrics, with high precision and recall compared to the other models with strong performance. The CNN model obtained a 97.97 % F1-score on the training set and 96.88 % on the testing set. Relative to the other algorithms, the LSTM model's performance was exceptional, as it scored extremely high on all parameters on both the training and testing sets, close to a perfect 100 %.

Fig. 7. Accuracy curve and loss curve for the best performing model (LSTM).


V. CONCLUSION
In conclusion, an IoT botnet is a set of devices compromised by malware and then used from a distant location by an attacker. Specifically, attacker usage of the botnet can include DDoS attacks, spam promotion email, data theft, and other harmful activities. It is essential that security and privacy are maintained. Indeed, IoT devices are hacked and their personal data is breached, so people either have their personal information spread or face a serious and increasing tendency to have their systems taken over. DDoS attack and IoT botnet datasets are employed for the implementation of the proposed work. These instances are generated by implementing Mirai and BASHLITE. Then the dataset is separated into training and testing datasets. The training set is used to train the machine learning and deep learning models; on the other hand, the testing set is used to validate the trained models. The experimental results show that the proposed deep learning-based LSTM model reaches excellent performance in terms of accuracy, precision, recall, and F1-score. Further, similar work can be extended to other attacks in IoT environments and 5G networks.

REFERENCES

[1] J. M. Kizza, "Internet of things (IoT): growth, challenges, and security," Guide to Computer Network Security, pp. 557–573, Apr. 2024.
[2] T. A. Tuan, H. V. Long, L. H. Sơn, R. Kumar, I. Priyadarshini, and N. T. K. Son, "Performance evaluation of Botnet DDoS attack detection using machine learning," Evolutionary Intelligence, vol. 13, no. 2, pp. 283–294, Nov. 2019.
[3] W. Chen, H. Zhang, X. Zhou, and Y. Weng, "Intrusion detection for modern DDOS attacks classification based on convolutional neural networks," in Studies in Computational Intelligence, 2021, pp. 45–60.
[4] S. Peneti and H. E, "DDOS Attack Identification using Machine Learning Techniques," 2021 International Conference on Computer Communication and Informatics (ICCCI), Coimbatore, India, 2021, pp. 1-5.
[5] K. L. K. Sudheera, D. M. Divakaran, R. P. Singh and M. Gurusamy, "ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks," IEEE Internet of Things Journal, vol. 8, no. 8, pp. 6591-6607, 15 April 2021.
[6] S. Sadhwani, B. Manibalan, R. Muthalagu and P. Pawar, "A Lightweight Model for DDoS Attack Detection Using Machine Learning Techniques," Applied Sciences, vol. 13, no. 17, p. 9937, Apr. 2023.
[7] A. A. Alahmadi, "DDoS Attack Detection in IoT-Based Networks Using Machine Learning Models: A Survey and Research Directions," Electronics, vol. 12, no. 14, p. 3103, Apr. 2023.
[8] S. H. Lee, Y. L. Shiue, C. H. Cheng, Y. H. Li and Y. F. Huang, "Detection and prevention of DDoS attacks on the IoT," Applied Sciences, vol. 12, no. 23, p. 12407, Apr. 2022.
[9] J. G. Almaraz-Rivera, J. A. Perez-Diaz and J. A. Cantoral-Ceballos, "Transport and application layer DDoS attacks detection to IoT devices by using machine learning and deep learning models," Sensors, vol. 22, no. 9, p. 3367, Apr. 2022.
[10] K. B. Dasari and N. Devarakonda, "Detection of Different DDoS Attacks Using Machine Learning Classification Algorithms," Ingénierie des Systèmes d'Inf., vol. 26, no. 5, pp. 461–468, Apr. 2021.
[11] Y. Liao and V. R. Vemuri, "Use of k-nearest neighbor classifier for intrusion detection," Computers & Security, vol. 21, no. 5, pp. 439–448, Apr. 2002.
[12] C. Ioannou and V. Vassiliou, "An intrusion detection system for constrained WSN and IoT nodes based on binary logistic regression," in Proceedings of the 21st ACM International Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems, pp. 259-263, Oct. 2018.
[13] M. Mohammadi, "A comprehensive survey and taxonomy of the SVM-based intrusion detection systems," Journal of Network and Computer Applications, vol. 178, p. 102983, Apr. 2021.
[14] J. Zhang, M. Zulkernine and A. Haque, "Random-Forests-Based Network Intrusion Detection Systems," IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), vol. 38, no. 5, pp. 649-659, Sept. 2008.
[15] J. Kim, J. Kim, H. Kim, M. Shim and E. Choi, "CNN-based network intrusion detection against denial-of-service attacks," Electronics, vol. 9, no. 6, p. 916, 2020.
[16] A. Althubiti, E. M. Jones and K. Roy, "LSTM for Anomaly-Based Network Intrusion Detection," 2018 28th International Telecommunication Networks and Applications Conference (ITNAC), Sydney, NSW, Australia, 2018, pp. 1-3.
[17] S. Goel, S. Gupta, A. Panwar, S. Kumar, M. Verma, S. Bourouis and M. Ullah, "Deep learning approach for stages of severity classification in diabetic retinopathy using color fundus retinal images," Mathematical Problems in Engineering, 2021, pp. 1-8.
[18] I. Kumar, A. Kumar, V. Kumar, R. Kannan, V. Vimal, K. U. Singh and M. Mahmud, "Dense tissue pattern characterization using deep neural network," Cognitive Computation, vol. 14, no. 5, pp. 1728-1751, 2022.
