Sensors 23 06305 v2
Sensors 23 06305 v2
Article
Botnet Detection and Mitigation Model for IoT Networks Using
Federated Learning
Francisco Lopes de Caldas Filho 1, * , Samuel Carlos Meneses Soares 1 , Elder Oroski 2 ,
Robson de Oliveira Albuquerque 1 , Rafael Zerbini Alves da Mata 1 , Fábio Lúcio Lopes de Mendonça 1
and Rafael Timóteo de Sousa Júnior 1
Abstract: The Internet of Things (IoT) introduces significant security vulnerabilities, raising concerns
about cyber-attacks. Attackers exploit these vulnerabilities to launch distributed denial-of-service
(DDoS) attacks, compromising availability and causing financial damage to digital infrastructure.
This study focuses on mitigating DDoS attacks in corporate local networks by developing a model
that operates closer to the attack source. The model utilizes Host Intrusion Detection Systems (HIDS)
to identify anomalous behaviors in IoT devices and employs network-based intrusion detection
approaches through a Network Intrusion Detection System (NIDS) for comprehensive attack identi-
fication. Additionally, a Host Intrusion Detection and Prevention System (HIDPS) is implemented
in a fog computing infrastructure for real-time and precise attack detection. The proposed model
integrates NIDS with federated learning, allowing devices to locally analyze their data and contribute
Citation: de Caldas Filho, F.L.; to the detection of anomalous traffic. The distributed architecture enhances security by preventing vol-
Soares, S.C.M.; Oroski, E.; de Oliveira
umetric attack traffic from reaching internet service providers and destination servers. This research
Albuquerque, R.; da Mata, R.Z.A.; de
contributes to the advancement of cybersecurity in local network environments and strengthens the
Mendonça, F.L.L.; de Sousa Júnior,
protection of IoT networks against malicious traffic. This work highlights the efficiency of using
R.T. Botnet Detection and Mitigation
a federated training and detection procedure through deep learning to minimize the impact of a
Model for IoT Networks Using
Federated Learning. Sensors 2023, 23,
single point of failure (SPOF) and reduce the workload of each device, thus achieving accuracy of
6305. https://doi.org/10.3390/ 89.753% during detection and increasing privacy issues in a decentralized IoT infrastructure with a
s23146305 near-real-time detection and mitigation system.
attacks and cannot detect unknown or zero-day attacks. Zero-day attacks exploit new
vulnerabilities or old vulnerabilities in a different way, making identification by signatures
ineffective for detection [5]. Another method is anomaly-based detection, which involves
detecting abnormal behavior by comparing it with expected or normal behavior. This
method can detect a wide range of malicious intrusions; however, it also has limitations
such as the potential for false positives. Anomaly-based techniques can be divided into
statistical methods, machine learning methods and other techniques based on data mining
and game theory models.
Host-Based Intrusion Detection Systems (HIDS) are security systems that run on the
devices themselves and can detect and correct problems in the operating system. These
systems can be used on IoT devices to identify and mitigate failures in the operating system
and prevent them from being exploited and used in botnets [6]. However, despite the
increased computational capacity of IoT devices, they still have limitations compared to
servers and network devices, which may limit their ability to run certain security solutions,
such as Network Intrusion Detection Systems (NIDS).
Network Intrusion Detection Systems (NIDS) can analyze traffic from all hosts on
a network and detect abnormal behavior, such as excessive attempts at connections to a
server. These systems can generate alerts or perform attack mitigation, behaving similarly
to Network Intrusion Prevention Systems (NIPS). NIDS software such as Suricata and Snort
can process a large volume of data and generate alerts or activate external security systems.
They can also send events to Big Data platforms for further analysis to identify patterns of
attacks that could not be identified in real time [7].
Different machine learning (ML) and deep learning (DL) techniques have been em-
ployed to identify attacks, employing supervised and unsupervised learning. Deep learning
algorithms can be trained to perceive different types of attacks and trigger security elements
such as firewalls or SDN controllers to block anomalous data flows [8].
Additionally, an emerging approach in the field of cybersecurity is federated learning.
This technology enables the training of machine learning models on distributed devices,
such as IoT devices, without the need to share raw data among devices or send them to a
central server. This approach preserves data privacy and allows IoT devices to contribute
to the learning process by aggregating local knowledge to enhance the performance of the
global model. In the context of attack identification, federated learning can be applied to
train intrusion detection models on IoT devices, enabling them to learn from their own
data and share only model updates with the central server. This not only improves the
efficiency and scalability of the training process but also preserves the privacy of sensitive
data. Thus, federated learning represents a promising approach to enhance cybersecurity
in distributed systems, such as the IoT.
To identify anomalous traffic, the model proposes an analysis of the network data
flow using an approach known as federated learning. Instead of sending the data to a
central server, the model is sent to local devices, where they are trained individually. Then,
only the updated model parameters are sent back to the central server to aggregate the
information and generate a global model. This process enables the analysis of anomalous
traffic to be performed locally on the devices, preserving data privacy and reducing the
dependence on a continuous connection to a central server. By employing federated
learning, the proposed model can identify suspicious traffic patterns and contribute to the
detection of denial-of-service attacks in the network.
Upon identifying anomalous data flows that need to be blocked, the federated learning
server makes an API request to a fog computing orchestrator, responsible for distributing
the rules to IoT devices and ensuring that they block the traffic at its source. In addition to
rules obtained through the federated learning framework, the fog computing orchestrator
can receive signature rules to block not only anomalous traffic but also processes and any
other parameters that characterize an IoT device as part of a botnet.
We can list the main contributions of this model as follows.
Sensors 2023, 23, 6305 3 of 35
• The main contribution of this model is the construction of a fog computing archi-
tecture, in which end devices perform security-focused tasks determined by the
orchestrator. This work has created a real environment with IoT devices to validate
the proposed model.
• The definition of a set of tools capable of converting network data flows into data
that can be processed using federated learning is another significant contribution of
this model.
• The evolution of the proposed model of communication between HIDS systems and
the orchestrator, presented in [9], is noteworthy. In this model, the orchestrator receives
updates not only from an administrator but also from the federated learning server
after identifying data flows that need to be blocked. This enhanced communication
framework improves the overall effectiveness and responsiveness of the system in
detecting and mitigating security threats.
To carry out the validation of the proposed model, we created a scenario with a real
botnet, in addition to all the security components proposed in this work. In this way, it was
possible, in addition to validating the proposed model, to obtain accurate measurements of
the reaction times of the safety components.
Furthermore, the proposed model is not restricted to conventional networks but can
be applied to Software-Defined Networks (SDNs), enabling network reconfiguration to
proactively mitigate anomalous traffic closer to its origin. This capability enhances the
system’s efficacy in detecting and responding to attacks, thereby bolstering the overall
network security.
Besides this Introduction, this paper is organized as follows. In Section 1.1, we present
the background regarding the technologies and methodologies used in the paper. In
Section 2, we present a literature overview of related works. In Section 3, we present the
structural view of the proposed solution and its behavior. In Section 4, we present the
testing methodology used to implement the proposed solution. In Section 5, we present
the results obtained from the testing methodology. Finally, in Section 6, we present our
conclusions and suggestions for future work.
1.1. Background
This section presents and discusses academic and industry concepts and views focused
on the security of the IoT domain. This work presents a diversity of topics related to IDS
and IPS: botnets [10], HIDS [11], NIDS [12]. However, the most important topics that need
to be specified and detailed are described thereafter.
1.1.3. 1D-CNN
A convolutional neural network is a deep learning algorithm that is used to learn by
extracting features from an input through filters, assigning importance levels to differentiate
training objects and features and then performing the final classification using an activation
function [16]. It is a low processing classification algorithm and can work on architectures
with recurrent or feedforward training. As for the One-Dimensional Convolutional Neural
Network (1D-CNN), it is commonly used to train and classify sequential data, i.e., data
structured in only one dimension, such as network data captured through a sniffer.
The 1D-CNN algorithm employs convolutional layers with filters (also known as
kernels) to extract features from a given dataset. These features are analyzed using matrix
and operational functions to identify the most significant data points and perform feature
mapping. Feature mapping plays a crucial role in ensuring the robustness of the model
and simplifying data management for subsequent training steps.
The depth of feature extraction increases with the number of filters used, allowing for a
more comprehensive analysis of the input data and capturing finer details. By incorporating
a larger number of filters, the algorithm becomes capable of detecting more intricate patterns
and features within the input data.
An important step in the 1D-CNN procedure is to perform the pooling of the data [17].
From the operational functions generated with the feature mapping, there is a simplification
and reduction of the map area to perform the summarization of information. Specifically,
the pooling step serves to select the main information of the filtering performed by the
previous convolutional layer [17].
Finally, 1D-CNN also uses fully connected layers via neural networks to carry out
the information processing by neurons in all intermediate layers. In the end, an activation
function such as Softmax or Sigmoid is used to generate a classification vector and assign a
category to the input that was trained from the data filtered by the convolutional layers [16].
ing the so-called global model. Thus, this technique provides training rounds via machine
learning with more privacy and data security due to the fact that there is no sharing of
information, besides providing access to heterogeneous data [18].
Federated learning, which can use techniques such as neural networks and deep
learning to perform data classification, is applied to several nodes that will perform the
training and generate parameters or weights to be used in the training process of the global
model [20]. Specifically, all nodes will perform their individual training and send the results
to a central server, in order to be joined and aggregated to update the main model [20].
2. Related Works
Botnets and DDoS attacks have become a matter of great concern, especially consider-
ing the continually increasing number of devices connected to the internet and the sensitive
information about the real world carried by these devices.
Within this scenario, this work considers papers that investigate IDS and IPS for IoT
devices, either as a victim or as an agent of attacks. We discuss the different approaches
that have been taken referring to this issue throughout this section.
by analyzing the DNS queries that are transmitted through the network. The researchers
in [25,26] employ complex event processing (CEP) to analyze the IoT network data stream and
its monitoring of any security events. According to [27], agents collect network and device
behavior data and then apply some artificial intelligence techniques, such as artificial neural
networks in the former and a naïve Bayes (NB) classifier algorithm in the latter. In [28], the
authors suggest the Abnormal Behavior Analysis Methodology, in which the network nodes’
operation is monitored and compared to regular operation. Then, they trigger actions when
abnormal behavior is detected.
We recognize the importance of these intrusion detection proposals; however, our
work does not focus on the intrusion detection mechanism. It focuses on providing the
host with an analysis engine, as well as on taking the necessary measures for prevention
and repair.
the necessity of improving the detection performance of AIDS, especially considering the
emergence of new zero-day attacks on IoT networks.
The work [31] proposes a Network Intrusion Detection System (NIDS) with deep
learning methods. The deep learning methods used are 1D-CNN and long short-term
memory (LSTM), to classify multi-categorical captured data in a cyber-attack scenario.
The authors suggest an architecture containing a FreeBSD firewall with signature-based
IDS software to capture anomalous data in real time. Then, a learning dataset is built
through generated logs and trained through deep learning for active anomaly detection.
Their approach was tested in a six-category multi-class dataset, and they showed good
performance when detecting anomalous data between benign traffic, especially when
comparing its results with regular machine learning and neural network algorithms.
Another similar work is presented in [32], which applies a 1D-CNN-based IDS with an
unbalanced and balanced UNSW NB15 dataset using a different number of 1D-CNN layers
in each iteration. The authors present performance comparisons with regular machine
learning methods, such as random forest (RF) and support vector machine (SVM), showing
that the 1D-CNN solution gives higher accuracy, recall and F1 scores when it trains on
balanced datasets, in comparison with the RF and SVM algorithms.
The work [33] involves the use of an Intrusion Detection and Prevention System in
a cloud computing infrastructure. Its application, similar to this project, involves the use
of a NIDS and a HIDS, forming a hybrid architecture. The architecture uses the K-nearest
neighbor and neural network (KNN-NN) algorithms in the cloud, to train and classify
network data from the NSL-KDD dataset. Thus, the objective of this work is to structure a
Cloud-IDS with hybrid algorithms to classify network anomalies in a large data flow in
the cloud.
Federated
Technology IoT HIDS NIDS Fog Computing
Learning
Enhanced Preserves data
Network-wide
automation and privacy and
Provides detailed visibility and Low latency and
efficiency, security, enables
Advantages visibility at the detection, improved response
optimization of collaborative
host level monitors network times
processes and learning without
traffic in real time
resources data sharing
Limited coverage
Security and Performance Communication Limited scalability,
for network-based
privacy concerns, impact on network, and complexity in
Disadvantages attacks, increased
zero-day false positives and synchronization managing dis-
overhead on the
vulnerabilities negatives overhead tributed resources
host
Collaborative
Smart homes and Detection of file Intrusion detection
predictive Real-time data
Application cities, system anomalies, in network traffic,
modeling, mobile processing at the
Scenarios environmental compliance network anomaly
and edge device edge
monitoring monitoring detection
applications
3. Proposed Solution
This paper presents a hybrid detection and prevention architecture, as shown in
Figure 1.
This architecture is divided into the HIDPS structure, the NIDS structure, the fed-
erated learning structure and the mitigation structure. It contains a signature-based dis-
tributed Host Intrusion Detection and Prevention System (HIDPS) and an anomaly-based
distributed Network Intrusion Detection System (NIDS) that, when integrated, form an
Intrusion Response System through anomaly detection using a distributed learning method
called federated learning.
Sensors 2023, 23, 6305 9 of 35
First of all, the HIDPS solution used in this work was developed with the goal of
mitigating signature-based denial-of-service attacks and can be applied to IoT devices or
gateways [6]. Anomaly signatures are defined by an administrator in a fog computing
orchestration portal, queried periodically by hosts [9]. The HIDPS copies the rules to its
local base, where they contain the behavior that must be observed and the action required
to carry out the mitigation.
The HIDPS will be able to receive signatures from the fog orchestrator, indicating
the behaviors and traffic that must be mitigated, and the detection of anomalies will be
performed by analyzing the network traffic.
In the NIDS structure, the captured traffic will be exported to a stream, which can be
from different sources, such as port mirroring. The received flows will be processed by a
decentralized network of nodes, responsible for classifying and identifying hosts that are
infected by a botnet and promoting denial-of-service attacks.
The federated learning structure will distribute the traffic-based dataset using an
adversarial model as a pre-configured botnet to hybrid clients coordinated by multiple
servers. These clients will use the 1D-CNN deep learning method to individually classify
unknown events based on their nature.
We position the edges and the federated learning server on the local network, bringing
the benefit of reducing data transmission to external networks. Another benefit of this
model is that if the signatures defined in the HIDPS orchestrator fail and the IoT devices
initiate a denial-of-service attack, the same will be detected by the anomaly caused.
We developed a module that interconnects the federated learning server with the IoT
devices that use the HIDPS software, making it capable of triggering rules to interrupt the
data flow identified as anomalous. For this work, we developed an interface to interconnect
only the server with the HIDPS software.
Finally, using the mitigation structure in order to connect both IDS structures and to
build the finished version of the architecture, the federated learning component of the NIDS
will be responsible for detecting and classifying captured events to build a final model in
the central server, capable of generating new operational rules to be used in the HIDPS,
especially in prevention mode. Therefore, the NIDS segment will work in parallel with the
HIDPS, updating its database with new rules generated through malicious activity pattern
recognition in distributed deep learning.
In order to summarize all activities performed by each structure in the proposed
solution, as explained before, Figure 2 shows a flowchart emphasizing the functions and
interconnections between the architecture’s segments presented in Figure 1.
Sensors 2023, 23, 6305 10 of 35
In this section, the architecture is separated into the following entities: the HIDPS
structure, the NIDS structure, the federated learning structure and the mitigation structure.
Figure 2. Logical flowchart summarizing each structure’s activity in the proposed hybrid solution.
In this logical architecture, several components are used: a HIDPS agent running on a
smart device, a local database and a HIDPS controller with a remote database communicat-
ing with the HIDPS agent through an IoT middleware over the internet, being executed by
an API.
The HIDPS agent, which will run on an IoT smart device, has a local database con-
taining local rules that will be used to trigger and send events to the HIDPS controller
from the internet. The HIDPS controller manages the HIDPS agents by updating, inserting
and maintaining rules in the agent’s local database from its remote database. The IoT
middleware serves as a method of communication between the HIDPS controller and a
smart device acting as the HIDPS agent.
Sensors 2023, 23, 6305 11 of 35
Thus, Figure 3 represents the logical communication of the HIDPS structure used in
this project on a real IoT network.
The HIDPS agent, fog orchestrator, HIDPS controller and rules are described hereafter.
and report the findings. The rule registration process can be performed by an application
running on the server or via the web API. Some of the functions are described as follows.
The HIDPS controller has a function to register new rules on its local database.
The rules on the database are mirrored to the web server page and then updated by
each HIDPS agent.
The definition of assertion function defines the expected output from the test case that
is executed by the HIDPS agents to verify the existence of threats and vulnerabilities.
The HIDPS controller has the function event report analysis, which is continually
analyzing the event reports that arrive at the HIDPS controller coming from the HIDPS
agents associated with it.
The event report analysis function analyzes the event reports received by the HIDPS
controller coming from the HIDPS agents’ rule execution.
Based on the event report, the threat treatment performs some action to counter the
reported vulnerabilities.
3.1.4. Rules
A rule is an information block that assists the HIDPS agent in taking some previously
defined actions, an abstraction that has the following six main fields.
• Name: Rule name;
• ID: Uniquely identifies a rule;
• Date: Date of creation;
• Assumption: Value taken as accurate for a given condition or characteristic of the
system;
• Test case: Evaluation code that finds the characteristic or condition to be tested and
returns it for verification;
• Action: If the value found in the test case is different from the value found in the
assumption, the action defined in this field must be taken.
The registered rules must prevent anomalies commonly found in IoT systems. For the
sake of simplifying the application, these rules are classified into different contexts: network,
resources and known vulnerabilities.
In the context network, the HIDPS agent’s connection with the IoT gateway is obtained
through a traditional network infrastructure that potentially presents several well-known
vulnerabilities and attacks. These vulnerabilities can serve as entry points for malicious
agents to access and control the device that hosts the HIDPS agent. Thus, the HIDPS rules
were developed, intending to detect vulnerabilities and attacks related to the network
context, including, for instance, those shown in Table 2.
In the context of resources, it is essential to be concerned about these, as smart devices
have resource constraints. Thus, overloading of these resources can represent a target of
attacks that aim to reduce the resource allocation for legitimate applications. To detect this
type of attack, rules based on this context have been created, including the ones presented
in Table 2.
An awareness of the context of known IoT vulnerabilities made it possible to create
new rules based on these vulnerabilities, specific to IoT environments and regarding smart
device configuration best practices. Rules implemented in this context are described in
Table 2.
To report to the HIDPS agent when a detection occurs, an event report is established
in the HIDPS agent. The event report is an information schema created by the HIDPS
agent and shared with the HIDPS controller. This report is generated and sent when a
vulnerability is detected by the rules present in the HIDPS agent.
The HIDPS agent uses an algorithm that defines the behavior of the application on the
smart device that wishes to send data to the HIDPS controller cloud application that will
handle the received data.
Sensors 2023, 23, 6305 13 of 35
Context Rule
Port scan detection
Network DDoS attack detection
DNS attack detection
Processes with excessive memory use
Processes with excessive processing usage
Resource
Processes with excessive usage of HD memory
High temperature
Default passwords
Known vulnerabilities Standard open ports
Configuration files in standard and unprotected directories
The HIDPS agent needs to perform the algorithm, step-by-step, to detect, track
and treat vulnerabilities and attacks. The algorithm steps shown in Figure 4 define its life
cycle. We present the actions performed by each HIDPS agent, at the moment that it needs
to send data to the HIDPS controller cloud application, which will handle the received data
as follows:
1. Register the HIDPS agent on the HIDPS controller;
2. Download the HIDPS source code;
3. Request updated rules to the HIDPS controller;
4. Validate the HIDPS agent request and respond with the updated rules;
5. Update the local rule database;
6. Runs preventive tests for each local database rule;
7. Perform the actions provided in the rules;
8. Send event report;
9. Handle received event reports.
Figure 4. Application life cycle from the perspective of the HIDPS agent on a smart device.
Sensors 2023, 23, 6305 14 of 35
The first step is to register the HIDPS agent on the HIDPS controller. If the smart
device is new to the IoT network, and it is due to enter it, it needs to register itself in the IoT
middleware to be able to send data to the middleware and also interact with other devices.
Thus, the device must perform its self-registration process in the UIoT, as described in
Section 2. After completing this process, the IoT middleware considers this new device
ready to interact with the network. Then, as soon as this process is completed, the smart
device will be registered in the HIDPS controller as an associated smart device.
At the end of the self-registration process, the IoT middleware sends the HIDPS agent
to be installed by the smart device. Then, the device should download the HIDPS agent and
install and implement it. From this point, the smart device runs an instance of the HIDPS
agent and can be accepted as a valid device in the IoT network instance. It is important to
mention that the IoT middleware blocks all IoT devices without a running instance of the
HIDPS agent.
Since the smart device is registered and set to work, it can begin to send its sensor
data to the middleware, as with any other regular device in the network. During its normal
lifetime, it can perform rule updating and evaluate the device status. Both events can be
triggered by a scheduled job or by the CLI.
Occasionally, the HIDPS agent requests updated rules from the HIDPS controller. It
makes this request using its local communication API and waits for the controller’s answer.
The HIDPS controller validates the requesting HIDPS agent based on its identification,
previously registered, during the self-registration process. Thus, the instance is validated,
and then the HIDPS controller responds with the set of updated rules.
Once the updated rules have been received in the HIDPS agent, it updates the local
rule database.
As the local rule database is updated, the HIDPS agent runs preventive tests for each
local database rule. Thus, each rule is tested to evaluate whether the resulting output is
different from the one expected for each specific rule.
For each rule that fails on the test runs, the HIDPS agent will perform the actions
provided in the rule.
For each testing mismatch result, the HIDPS agent sends the event report to the
associated HIDPS controller. Through the event report, the administrator can evaluate the
status and execute actions on the HIDPS agents.
The HIDPS controller handles the event report received. First, it stores this event in the
database. Then, it performs actions to counter the vulnerabilities reported by the HIDPS
agent. An example action would be to create IPTables rules to interrupt the connection
between a device and any other action that the administrator evaluates as correct, to stop
any irregular behavior.
Feature Description
flow_id Integer type, referring to flow identification.
src_ip String type, referring to the source IP address of the network packet.
dest_ip String type, referring to the destination IP address of the network packet.
src_port Integer type, referring to the source port of the packet.
dest_port Integer type, referring to the destination port of the packet.
String type, referring to the application protocol that the packet is
proto
associated with.
severity Integer type, referring to the severity level of the captured event.
hour Integer type, referring to the capture hour of the event.
minute Integer type, referring to the capture minute of the event.
seconds Integer type, referring to the capture second of the event.
pkts_to_server Integer type, referring to the number of packets sent to the destination server.
pkts_to_client Integer type, referring to the number of packets sent to the client.
Sensors 2023, 23, 6305 18 of 35
Table 3. Cont.
Feature Description
bytes_to_server Integer type, referring to the number of bytes sent to the destination server.
bytes_to_client Integer type, referring to the number of bytes sent to the client.
As shown in Figure 9, federated learning performs the training locally on each prede-
fined user, i.e., they apply individual training, having performance differences among the
other clients, in such a way that the final model will have contributions from all participants.
The entire training process will be coordinated by a server that will have all the learning
strategies, i.e., all the methods to be used, such as how to aggregate the results, how to pass
parameters to clients, the number of clients that will participate, the number of rounds and
the number of epochs for each client, among other characteristics to be defined later.
The clients will possess the model locally, and by dividing the training sets and
learning via the One-Dimensional Convolutional Neural Network (1D-CNN) deep learning
algorithm, they will perform the entire procedure of training and evaluating the dataset.
To improve the communication security between the server and the clients, a Secure Sockets
Layer (SSL) protocol is implemented between them in such a way that each participant
needs to be authenticated through a digital certificate, thus increasing the privacy during all
training processes. The federated learning framework, server and training and prediction
are described hereafter.
3.3.2. Server
The server plays a vital role in ensuring the efficient and secure execution of the
federated learning process. It is responsible for defining training strategies for clients,
establishing communication with them through a gRPC server, creating an SSL security
layer by generating certificates, sending training parameters along with an initial evaluation
and aggregating the results of subsequent training. The server’s code is written in Python
and utilizes the TensorFlow and Keras libraries from the Flower framework.
One of the key responsibilities of the server is to manage client selection for each step of
the federated learning process, including initialization, fitting and evaluation. By utilizing
the previously implemented strategies, the server can determine the number of clients
required to initiate the federated learning process and assign specific tasks to a fraction of
clients, enabling a highly customizable training process in terms of management.
The central server is responsible for initiating all processes and coordinating the
activities of each client based on strategy specifications, such as configuration parameters
and round administration, among others. The communication steps required to initialize
the server and commence the training process with the clients are based on the guidelines
provided in the Flower framework documentation (referenced as [36]).
Figure 11. Federated mitigation rule activation diagram between server and clients.
The server has the role of sending a new unclassified model, obtained from the active
capture of the detection model in the IDS controller, to each of the clients. The goal of
sending a new capture is to actively detect network traffic after its capture. Therefore, edges
will predict and classify each event based on the training of the base model, i.e., following
the knowledge, in terms of behavior patterns, learned by each edge.
Then, after predicting the new events, each edge will use the classification answers
to check which rules should be activated by the HIDPS in order to perform the proper
preventive actions. Each edge performs this task through a shell script, so the threshold
metrics used are the accuracy and loss values during training. These values are used to
determine whether it is valid for the edge to determine which rule should be activated and
whether its classification is reliable. Then, from what was detected after the classification,
each edge individually determines which rules should be activated by the HIDPS.
At the end of the federated activation, each edge sends its results back to the server.
The server tries to reach a consensus among all the proposed rules to determine which ones
should be activated by the HIDPS. After the evaluation, the server decides which rules
should be activated and integrates them with the HIDPS in order for it to apply preventive
actions from its database.
Figure 12 shows the step-by-step process by means of a flowchart.
Sensors 2023, 23, 6305 22 of 35
Figure 12. Federated mitigation rule activation flowchart between server and clients.
4. Methodology
To validate the proposed model, an isolated local network was created, consisting
of a botnet with devices infected by the Mirai software and its controller running on a
local server. This network was set up in an isolated environment to prevent a massive
infection and to ensure that the academic environment was not affected by excessive
denial-of-service traffic.
The Mirai botnet was chosen due to the ease of obtaining its source code and controller
configuration. By creating a local botnet, it was possible to accurately measure the response
time to mitigate a denial-of-service attack.
The validation of the proposed solution involves conducting several denial-of-service
attacks between the infected devices and a web server. The tests are divided into two
scenarios. In the first scenario, the detection of a denial-of-service attack is validated
using federated learning with the Flower framework. Uninfected Raspberry Pi devices are
used for the distributed processing and real-time classification of anomalous traffic. The
identification of attacks is detailed in Figure 12.
In the second scenario, we validate the integrated solution, where attacks are identified
using the results obtained in scenario one and the hosts receive rules from the HIDPS
controller to suppress anomalous traffic. The reaction times to suppress the attacks are
measured, generating graphs, tables and forms of the obtained results. The HIDPS solution
is detailed in Figure 12.
• A Layer 2 switch with port mirroring to interconnect all devices. All the elements
were configured on the same VLAN.
All devices were configured within the same network. A DNS server was installed on
the NIDS controller to resolve the domain name from internal devices, required by the bots
to resolve the Mirai controller’s address. The interconnection of the devices follows the
topology shown in Figure 13.
Figure 13. Real test scenario with NIDS and Mirai controller.
Thus, the IoT devices installed on each Raspberry Pi 3’s board were ready to receive
Python 3’s requests and reply packets from the IDPS and Mirai controllers. We then carried
out a Mirai attack, on our private network, and transformed the IoT devices into bots on
the Mirai botnet.
The bots received commands to execute HTTP flood attacks directed to the target.
After the attack, Apache 2 was installed on the target device, with a default configura-
tion as an HTTP server, without any improvement in its settings to alter the security or
response time.
The HTTP flood attack had the following parameters:
• Target address;
• IP Port;
• Duration;
• Domain;
• Method.
In the NIDS controller, there is a federated learning server instance running in order
to connect to Raspberry Pi 3 clients and apply the network traffic dataset training. The FL
server uses network data captured during botnet attacks to classify each packet as normal
or an anomaly. After classification and prediction, each client determines which rules need
to be activated in order to mitigate the botnet.
To monitor the traffic generated by the bots, Wireshark was installed and used on the
target. We configured Wireshark to run during all tests and capture all packets received
at the target. The behavior of the packets sent from the infected bots to the target was
analyzed. Wireshark was also used on the Mirai controller to capture packets between bots
and the controller, to identify behaviors that would characterize an infected device being
controlled by the botnet and to allow the creation of prevention rules to block the malicious
traffic on the IDS.
Sensors 2023, 23, 6305 24 of 35
• Aggregated accuracy, aggregated loss and execution time in the last training round by
the fault-tolerant federated averaging algorithm;
• Rule activation through the HIDPS after DDoS detection by federated clients;
• HTTP flood attack mitigation directly in the smart device;
• Target and smart device availability through Wireshark.
With the three infected smart devices, an HTTP flood attack was performed on the
target. During the attack, the NIDS was activated to apply federated learning, training,
evaluation and new data detection. To check the training and detection performance, the
accuracy, loss and execution time results were obtained in terms of training and evaluation
through the fault-tolerant federated averaging aggregation algorithm.
Thus, during an attack, the federated learning structure trains a pre-obtained model
serving as a knowledge base and then classifies each new packet that is captured in near-
real time. Each client uses deep learning to train the model and applies detection after
learning each pattern’s behavior.
At the end of FL execution, the rule is activated through the federated clients in such a
way that the infected smart devices consume it through Kafka. The rule activation works
through a Kafka producer, while the infected smart devices act as Kafka consumers in order
to be mitigated.
Figure 14. HIDPS results in terms of bytes × seconds during real-time mitigation procedure.
5. Results
Considering the NIDS and HIDPS scenario, particularly with its integration through
the fog orchestrator using the mitigation structure referenced in Section 3, the two scenarios
presented in Section 4 were executed in order to obtain detection and mitigation results
with a real botnet performing DDoS attacks.
In this section, the proposed model’s results are divided into the following entities:
the NIDS and HIDPS execution results and the benchmarking of NIDS- and HIDPS-related
works.
Table 4. Federated learning results obtained during anomaly-based detection procedure through
deep learning.
With the NIDS, we can conclude that the general accuracy reached almost 90% during
training and detection, with less than 30% loss. This loss value indicates that the detection
architecture shows a great learning rate, thus being able to detect and classify new input
in a more profound manner. The federated learning execution time is approximately five
minutes when training the local dataset generated through Suricata and Apache Spark.
Considering its decentralized structure with low-end microarchitecture devices, a
low bandwidth and ML capabilities, 90% accuracy in a near-real-time scenario with a
real botnet is impressive when compared with centralized scenarios containing high-end
devices. The NIDS execution time obtained in all three testing phases is low considering
the context of a massive DDoS attack occurring simultaneously, and considering the fact
that a deep learning algorithm is deployed at each low-end device to train, test and detect
malicious data.
Another observation regards security and privacy issues in the detection phase. Dif-
ferent from a centralized scenario, the FL scenario considers a diversity of endpoints and
reduces failure points during detection. With more endpoints in a Secure Sockets Layer
environment, the training, testing and detection procedure offers greater privacy than other
related works, such as [32,33].
As shown in Table 6, the standard deviation for the run time rule was nearly zero,
considering Y as the average time for rule execution of 0.125 s.
Sensors 2023, 23, 6305 28 of 35
F ( x ) = x + 0.125, (1)
where x represents the time that the bot requires to consume the rule published on the
Kafka topic, and F(x) is the time that each bot requires to converge.
To measure the mean time that a bot requires to consume the rules published on the
Kafka topic, an average was calculated for the time taken to consume messages in Kafka
by the bots. We used 10 values to compute the average and obtained the results given in
Table 7. It is important to note that these results are specific to the constraints of this test
scenario, as the value can vary depending on the number of messages published on the
topic. A complete analysis of the Kafka consumption time is beyond the scope of this work.
Table 7. Time to consume mitigation rule from Kafka in each infected device.
From Equation (1) and the average time presented for the consumption of messages in
Kafka in this scenario, we can conclude that the total time taken to receive and execute the
rule is, on average, below 1 s.
Thus, from each time calculated during the rule execution and consumption phase,
which was below 1 s considering its deviation, the detection and mitigation procedure lasts
less than 6 min on average. In terms of mitigation, each time is considerably small and
indicates the ability to stop DDoS attacks after their detection.
based attack detection, all works are compared regarding their infrastructures, technologies
and testing methods.
Thus, after describing the main differences between all works, the results in terms of
training and detection accuracy are compared in order to reveal their differences in terms
of efficiency and performance in detecting anomalies in the network.
Table 9. The 1D-CNN results with “imbalanced” UNSW NB15 data in Azizjon’s work.
Figure 16. Comparing accuracy results between this project and Azizjon’s work.
Sensors 2023, 23, 6305 30 of 35
The comparison made in Figure 16 shows the difference in training accuracy per-
formance between the related work and this project. It is observed that the training and
classification of traffic using the proposed hybrid architecture and federated learning is
better than the performance of all layers in the related work. This indicates that, in a concate-
nated distributed environment with a mitigation architecture, the detection performance is
superior, presenting operational advantages.
Table 10. Cloud NIDS and HIDPS accuracy results obtained in Ghosh’s work.
The comparison made in Figure 17 shows the superiority of the detection and train-
ing using the federated learning model on an imbalanced dataset when compared to all
methods used in the related work. The work applies KNN and NN individually, as well as
using both in a NIDS and HIDPS architecture. This project, also using a hybrid architecture
with distributed training, obtains better accuracy results from aggregation algorithms with
multiple training clients.
These related works involve NIDS and even HIDPS detection through centralized
machine learning methods using deep learning and neural networks. It was found that this
project presents higher accuracy during training and detection in a distributed structure
with federated learning, which naturally reduces the efficiency in order to increase privacy.
Figure 17. Comparing accuracy results between this project and Ghosh’s work.
Table 11. FedACNN accuracy results with 10 to 40 epochs obtained in Dapeng’s work.
Figure 18. Comparing accuracy results between this project and Dapeng’s work.
The comparison made in Figure 18 uses only the accuracy obtained with 20 epochs,
because our work only used 20 epochs during FL training execution. It shows that Dapeng’s
work achieves better accuracy regarding DoS detection, with a difference of 9%. Despite
having better accuracy, our proposed solution shows great efficiency considering that it
applies a botnet in a real scenario with a HIDPS integrated in order to apply mitigation in
near-real time. Dapeng’s work uses NSL-KDD in a simulated scenario using only NIDS
with a new aggregation algorithm, thus increasing the efficiency during FL training, but it
does not apply mitigation as well.
Our project shows lower accuracy, but it has an anomaly detection and mitigation
structure, thus increasing the security and privacy, and its application scenario is a real IoT
with a fog computing infrastructure. Although Dapeng’s work has greater efficiency in
terms of classification, it does not show greater privacy and security in an IoT decentralized
structure, as with our proposed solution.
Consequently, the signature-based structure with a decision tree classifier in the SIDS
stage serves as a training method in the AIDS stage with the utilization of the one-class
SVM algorithm on unknown traffic (traffic not detected with signature rules). This hybrid
approach provides an ensemble to detect known attacks and predict new ones, thereby
expanding the rule database over time.
Our project shares a similar objective in terms of combining anomaly-based and
signature-based methods, but there are several differences. Firstly, our solution not only
incorporates a HIDPS but also utilizes an ML approach with a Network-Based Intrusion De-
tection System (NIDS) to perform anomaly detection. Additionally, our project introduces
a mitigation and prevention method in near-real time to effectively counter DDoS attacks
using fog computing. Thus, our project combines two IDS approaches using decentralized
ML with deep learning, instead of a decision tree classifier and one-class SVM, and it
incorporates a mitigation component, resulting in a comprehensive prevention system.
Table 12 shows the differences between our project and the related work cited above.
6. Conclusions
This work focused on creating and deploying a cutting-edge hybrid Intrusion Detec-
tion System (IDS) that effectively merges Network-Based Intrusion Detection (NID) with
Host-Based Intrusion Detection (HIDP). This integrated system, known as an Intrusion
Response System (IRS), was designed to proactively identify and counter zero-day attacks.
To accomplish this, we employed a decentralized federated learning system that leverages
the power of deep learning for anomaly detection.
By utilizing this advanced approach, we were able to enhance the system’s ability to
recognize and respond to unknown threats. Furthermore, we integrated attack mitigation
capabilities into the system by leveraging a fog computing orchestrator. This enabled us to
create and deploy custom rules for the mitigation of attacks, enhancing the overall security
of the system.
Sensors 2023, 23, 6305 33 of 35
The proposed model, which is a botnet detection and mitigation model for IoT net-
works, is robust in identifying and mitigating denial-of-service attacks, stopping attacks
at the source. The federated learning method allowed the scalable use of a distributed
computing model, where, to increase the processing capacity, it is sufficient to add more
nodes, without wasting previous investments in fog computing nodes.
In comparison to our NIDS solution, three other works [32–34] utilized centralized
machine learning, and the latter used federated learning with deep learning methods for
anomaly detection in simulated scenarios. However, our work employed a decentralized
learning technique in a real scenario involving real-time DDoS attacks. As a result, our
approach presented superior performance in terms of accuracy, achieving an average
accuracy rate of 89.753% during both training and attack detection. Notably, our solution
also prioritized privacy concerns by leveraging distributed machine learning and a fog
computing structure integrated with a HIDPS in a real-world setting.
In terms of results, the average accuracy, average loss and average execution time
obtained during the anomaly detection procedure through FL were 89.753%, 26.705%
and 303.904 s, respectively. Compared with [32], we achieved a 4% gain in terms of
accuracy, and compared with [33], we achieved over 10% higher accuracy versus all deep
learning methods used in the related work, and we only 9% lower accuracy compared
with [34] when applying 20 epochs.
This superiority in terms of efficiency is determined by the utilization of federated
learning with 1D-CNN, resulting in a decentralized training structure that increases privacy
and reduces the training overload. The utilization of a federated training and detection pro-
cedure through deep learning minimizes the impact of a single point of failure (SPOF) and
reduces the workload of each device because of the ML decentralization. Thus, the superior
accuracy is due to the fact that multiple devices share training and detection results in a real
scenario with a balanced dataset, applying 1D-CNN to detect each piece of malicious data.
As a future goal, we aim to explore this model within a software-defined networking
(SDN) framework, incorporating OpenFlow-enabled switches into the scenario devised for
this study. This endeavor will enable us to quantify the mitigation time in a real equipment
environment. Furthermore, we plan to extend the application of this model to virtual ma-
chines in data centers, thereby introducing an additional layer of security. Additionally, as a
continuation of this research, we intend to integrate this solution with cloud orchestrators,
facilitating seamless integration and management in cloud computing environments.
General Attorney of the Union (Grant AGU 697.935/2019), in part by the Institutional Security Office
of the Presidency of Brazil (Grant ABIN 001/2019), in part by the Department of Federal Police (Grant
DPF 03/2020), and in part by the General Attorney’s Office for the National Treasure (Grant PGFN
23106.148934/2019-67).
Conflicts of Interest: The authors declare no conflict of interest.
References
1. Kotha, H.D.; Gupta, V.M. IoT application: A survey. Int. J. Eng. Technol. 2018, 7, 891–896. [CrossRef]
2. Chunka, C.; Banerjee, S.; Gupta, D.S. A secure communication using multifactor authentication and key agreement techniques in
internet of medical things for COVID-19 patients. Concurr. Comput. Pract. Exp. 2023, 35, e7602. [CrossRef]
3. Silva, S.S.; Silva, R.M.; Pinto, R.C.; Salles, R.M. Botnets: A survey. Comput. Netw. 2013, 57, 378–403. [CrossRef]
4. Bertino, E.; Islam, N. Botnets and Internet of Things Security. Computer 2017, 50, 76–79. [CrossRef]
5. Zoppi, T.; Ceccarelli, A.; Bondavalli, A. Unsupervised Algorithms to Detect Zero-Day Attacks: Strategy and Application. IEEE
Access 2021, 9, 90603–90615. [CrossRef]
6. Dutra, B.V.; Martins, L.M.C.E. HIDS by signature for embedded devices in IoT networks. In Proceedings of the Actas de las V
Jornadas Nacionales de Ciberseguridad, Cáceres, Spain, 5–7 June 2019; Servicio de Publicaciones: Cáceres, Spain, 2019; pp. 53–61.
7. Ahmad, Z.; Shahid Khan, A.; Wai Shiang, C.; Abdullah, J.; Ahmad, F. Network intrusion detection system: A systematic study of
machine learning and deep learning approaches. Trans. Emerg. Telecommun. Technol. 2021, 32, e4150. [CrossRef]
8. Liu, H.; Lang, B. Machine learning and deep learning methods for intrusion detection systems: A survey. Appl. Sci. 2019, 9, 4396.
[CrossRef]
9. da Mata, R.; Filho, F.; Mendonca, F.; Fares, A.; de Sousa Junior, R. Hybrid Architecture for Intrusion Prevention and Detection in
IoT Networks. In Proceedings of the 2021 Workshop on Communication Networks and Power Systems (WCNPS), Brasilia, Brazil,
18–19 November 2021; pp. 1–7. [CrossRef]
10. Schiller, C.A.; Binkley, J.; Harley, D.; Evron, G.; Bradley, T.; Willems, C.; Cross, M. Botnet: The Killer Web App; Syngress Publishing:
Oxford, UK, 2007; p. 36.
11. Vargas Martinez, C.; Vogel-Heuser, B. A Host Intrusion Detection System architecture for embedded industrial devices. J. Frankl.
Inst. 2021, 358, 210–236. [CrossRef]
12. De Carvalho Bertoli, G.; Pereira Júnior, L.A.; Saotome, O.; Dos Santos, A.L.; Verri, F.A.N.; Marcondes, C.A.C.; Barbieri, S.;
Rodrigues, M.S.; Parente De Oliveira, J.M. An End-to-End Framework for Machine Learning-Based Network Intrusion Detection
System. IEEE Access 2021, 9, 106790–106805. [CrossRef]
13. Phan, T.V.; Bauschert, T. DeepAir: Deep Reinforcement Learning for Adaptive Intrusion Response in Software-Defined Networks.
IEEE Trans. Netw. Serv. Manag. 2022, 19, 2207–2218. [CrossRef]
14. Modi, A.S. Review Article on Deep Learning Approaches. In Proceedings of the 2018 Second International Conference on
Intelligent Computing and Control Systems (ICICCS), Madurai, India, 14–15 June 2018; pp. 1635–1639. [CrossRef]
15. Lauzon, F.Q. An introduction to deep learning. In Proceedings of the 2012 11th International Conference on Information Science,
Signal Processing and their Applications (ISSPA), Montreal, QC, Canada, 2–5 July 2012; pp. 1438–1439. [CrossRef]
16. O’Shea, K.; Nash, R. An Introduction to Convolutional Neural Networks. arXiv 2015, arXiv:1511.08458.
17. Samat, N.A.; Salleh, M.; Ali, H. The Comparison of Pooling Functions in Convolutional Neural Network for Sentiment Analysis
Task. In Recent Advances on Soft Computing and Data Mining: Proceedings of the Fourth International Conference on Soft Computing and
Data Mining (SCDM 2020), Melaka, Malaysia, 22–23 January 2020; Springer International Publishing: New York, NY, USA, 2020;
pp. 202–210. [CrossRef]
18. Li, T.; Sahu, A.K.; Talwalkar, A.; Smith, V. Federated Learning: Challenges, Methods, and Future Directions. IEEE Signal Process.
Mag. 2020, 37, 50–60. [CrossRef]
19. Sharma, I.; Sharma, A.; Gupta, S.K. Asynchronous and Synchronous Federated Learning-based UAVs. In Proceedings of the
2023 Third International Symposium on Instrumentation, Control, Artificial Intelligence, and Robotics (ICA-SYMP), Bangkok,
Thailand, 18–20 January 2023; pp. 105–109. [CrossRef]
20. Shaheen, M.; Farooq, M.S.; Umer, T.; Kim, B.S. Applications of Federated Learning; Taxonomy, Challenges, and Research Trends.
Electronics 2022, 11, 670. [CrossRef]
21. Gupta, A.; Gupta, D.S. A survey on green unmanned aerial vehicles-based fog computing: Challenges and future perspective.
Trans. Emerg. Telecommun. Technol. 2022, 33, e4603. [CrossRef]
22. Alzahrani, R.J.; Alzahrani, A. A Novel Multi Algorithm Approach to Identify Network Anomalies in the IoT Using Fog
Computing and a Model to Distinguish between IoT and Non-IoT Devices. J. Sens. Actuator Netw. 2023, 12, 19. [CrossRef]
23. von Sperling, T.L.; de Caldas Filho, F.L.; de Sousa Júnior, R.T.; e Martins, L.M.C.; Rocha, R.L. Tracking intruders in IoT networks
by means of DNS traffic analysis. In Proceedings of the 2017 Workshop on Communication Networks and Power Systems
(WCNPS), Brasília, Brazil, 16–17 November 2017; pp. 1–4. [CrossRef]
24. Kasinathan, P.; Costamagna, G.; Khaleel, H.; Pastrone, C.; Spirito, M.A. DEMO: An IDS Framework for Internet of Things
Empowered by 6LoWPAN. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security,
Berlin, Germany, 4–8 November 2013; pp. 1337–1340. [CrossRef]
Sensors 2023, 23, 6305 35 of 35
25. da Silva Cardoso, A.M.; Lopes, R.F.; Teles, A.S.; Magalhães, F.B.V. Real-Time DDoS Detection Based on Complex Event Processing
for IoT. In Proceedings of the 2018 IEEE/ACM Third International Conference on Internet-of-Things Design and Implementation
(IoTDI), Orlando, FL, USA, 17–20 April 2018; pp. 273–274. [CrossRef]
26. Jun, C.; Chi, C. Design of Complex Event-Processing IDS in Internet of Things. In Proceedings of the 2014 Sixth International
Conference on Measuring Technology and Mechatronics Automation, Zhangjiajie, China, 10–11 January 2014; pp. 226–229.
[CrossRef]
27. Hodo, E.; Bellekens, X.; Hamilton, A.; Dubouilh, P.L.; Iorkyase, E.; Tachtatzis, C.; Atkinson, R. Threat analysis of IoT networks
using artificial neural network intrusion detection system. In Proceedings of the 2016 International Symposium on Networks,
Computers and Communications (ISNCC), Yasmine Hammamet, Tunisia, 11–13 May 2016; pp. 1–6. [CrossRef]
28. Pacheco, J.; Hariri, S. IoT Security Framework for Smart Cyber Infrastructures. In Proceedings of the 2016 IEEE 1st International
Workshops on Foundations and Applications of Self* Systems (FAS*W), Augsburg, Germany, 12–16 September 2016; pp. 242–247.
[CrossRef]
29. Sabahi, F.; Movaghar, A. Intrusion Detection: A Survey. In Proceedings of the 2008 Third International Conference on Systems
and Networks Communications, Sliema, Malta, 26–31 October 2008; pp. 23–26. [CrossRef]
30. Khraisat, A.; Gondal, I.; Vamplew, P.; Kamruzzaman, J.; Alazab, A. A Novel Ensemble of Hybrid Intrusion Detection System for
Detecting Internet of Things Attacks. Electronics 2019, 8, 1210. [CrossRef]
31. Fotiadou, K.; Velivassaki, T.H.; Voulkidis, A.; Skias, D.; Tsekeridou, S.; Zahariadis, T. Network Traffic Anomaly Detection via
Deep Learning. Information 2021, 12, 215. [CrossRef]
32. Azizjon, M.; Jumabek, A.; Kim, W. 1D CNN based network intrusion detection with normalization on imbalanced data. In
Proceedings of the 2020 International Conference on Artificial Intelligence in Information and Communication (ICAIIC), Fukuoka,
Japan, 19–21 February 2020; pp. 218–224. [CrossRef]
33. Ghosh, P.; Mandal, A.; Kumar, R. An Efficient Cloud Network Intrusion Detection System. Adv. Intell. Syst. Comput. 2015,
339, 91–99. [CrossRef]
34. Man, D.; Zeng, F.; Yang, W.; Yu, M.; Lv, J.; Wang, Y. Intelligent Intrusion Detection Based on Federated Learning for Edge-Assisted
Internet of Things. Secur. Commun. Netw. 2021, 2021, 1–11. [CrossRef]
35. Nguyen, T.; Marchal, S.; Miettinen, M.; Fereidooni, H.; Asokan, N.; Sadeghi, A.R. DÏoT: A Federated Self-learning Anomaly
Detection System for IoT. In Proceedings of the 2019 IEEE 39th International Conference on Distributed Computing Systems
(ICDCS), Dallas, TX, USA, 7–10 July 2019; pp. 756–767. [CrossRef]
36. Flower Documentation. Available online: https://flower.dev/docs (accessed on 6 November 2022).
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.