Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection

Cited by: 121
Authors
Al Shorman, Amaal [1]
Faris, Hossam [1]
Aljarah, Ibrahim [1]
Affiliations
[1] Univ Jordan, King Abdullah II Sch Informat Technol, Amman, Jordan
Keywords
Internet of Things; Anomaly detection; Botnets; Feature selection; Intrusion detection system; Grey wolf optimization algorithm; Novelty detection; One class support vector machine; GAUSSIAN KERNEL; NETWORK; SELECTION; INTERNET
DOI
10.1007/s12652-019-01387-y
Chinese Library Classification number
TP18 [Artificial intelligence theory]
Subject classification codes
081104; 0812; 0835; 1405
Abstract
Recently, the number of Internet of Things (IoT) botnet attacks has increased tremendously due to the expansion of online IoT devices which can be easily compromised. Botnets are a common threat that takes advantage of the lack of basic security tools in IoT devices and can perform a series of Distributed Denial of Service (DDoS) attacks. Developing new methods to detect compromised IoT devices is urgent in order to mitigate the negative consequences of these IoT botnets since the existing IoT botnet detection methods still present some issues, such as relying on labelled data, not being validated with newer botnets, and using very complex machine learning algorithms. Anomaly detection methods are promising for detecting IoT botnet attacks since the amount of available normal data is very large. One of the powerful algorithms that can be used for anomaly detection is One Class Support Vector Machine (OCSVM). The efficiency of the OCSVM algorithm depends on several factors that greatly affect the classification results such as the subset of features that are used for training the OCSVM model, the kernel type, and its hyperparameters. In this paper, a new unsupervised evolutionary IoT botnet detection method is proposed. The main contribution of the proposed method is to detect IoT botnet attacks launched from compromised IoT devices by exploiting the efficiency of a recent swarm intelligence algorithm called Grey Wolf Optimization algorithm (GWO) to optimize the hyperparameters of the OCSVM and at the same time to find the features that best describe the IoT botnet problem. To prove the efficiency of the proposed method, its performance is evaluated using typical anomaly detection evaluation measures over a new version of a real benchmark dataset. The experimental results show that the proposed method outperforms all other algorithms in terms of true positive rate, false positive rate, and G-mean for all IoT device types. Also, it achieves the lowest detection time, while significantly reducing the number of selected features.
Pages: 2809-2825
Page count: 17