Title: Feature evaluation for IoT botnet traffic classification
Authors: Joffrey L. Leevy; Taghi M. Khoshgoftaar; John Hancock
Addresses: Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA ' Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA ' Department of Electrical Engineering and Computer Science, Florida Atlantic University, Boca Raton, FL, USA
Abstract: Researchers must often decide whether to use destination port as an input feature when building predictive models for intrusion detection systems. To evaluate this feature, we use the Bot-IoT dataset with three different sets of input features. The first and second sets of input features comprise all Bot-IoT features (26 variables) and all Bot-IoT features excluding destination port (25 variables), respectively, while the third includes destination port as the only feature. Our results show that classification models trained on the first (26 variables) and second (25 variables) sets of input features generally yield favourable results. We note that several destination port values are associated with disproportionate label distributions. Hence, it is possible, in some cases, that the classifiers have been trained to closely correlate specific attack types with specific values of destination port. To the best of our knowledge, this is the first Bot-IoT study based on the destination port feature.
Keywords: Bot-IoT; intrusion detection; internet of things; IoT; machine learning; ensemble classifiers; big data; destination port; CatBoost; LightGBM; random forest; XGBoost.
DOI: 10.1504/IJITCA.2022.124374
International Journal of Internet of Things and Cyber-Assurance, 2022 Vol.2 No.1, pp.87-102
Received: 22 Apr 2022
Accepted: 27 Apr 2022
Published online: 25 Jul 2022