Title: Feature evaluation for IoT botnet traffic classification

Authors: Joffrey L. Leevy; Taghi M. Khoshgoftaar; John Hancock

Addresses: Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA; Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA; Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA

Abstract: Researchers must often decide whether to use destination port as an input feature when building predictive models for intrusion detection systems. To evaluate this feature, we use the Bot-IoT dataset with three different sets of input features. The first and second sets of input features comprise all Bot-IoT features (26 variables) and all Bot-IoT features excluding destination port (25 variables), respectively, while the third includes destination port as the only feature. Our results show that classification models trained on the first (26 variables) and second (25 variables) sets of input features generally yield favourable results. We note that several destination port values are associated with disproportionate label distributions. Hence, it is possible in some cases that the classifiers have been trained to closely correlate specific attack types with specific values of destination port. To the best of our knowledge, this is the first Bot-IoT study based on the destination port feature.

Keywords: Bot-IoT; intrusion detection; internet of things; IoT; machine learning; ensemble classifiers; big data; destination port; CatBoost; LightGBM; random forest; XGBoost.

DOI: 10.1504/IJITCA.2022.124374

International Journal of Internet of Things and Cyber-Assurance, 2022 Vol.2 No.1, pp.87 - 102

Received: 22 Apr 2022
Accepted: 27 Apr 2022

Published online: 25 Jul 2022
