Publication Details

BOTA: Explainable IoT Malware Detection in Large Networks

POLIAKOV, D.; HYNEK, K.; ČEJKA, T.; KOLÁŘ, D. BOTA: Explainable IoT Malware Detection in Large Networks. IEEE Internet of Things Journal, 2023, vol. 10, no. 10, p. 8416-8431. ISSN: 2327-4662.
Type
journal article
Language
English
Keywords

detection, explainability, Internet of Things (IoT), malware, network monitoring,
network security, weak indicators

Abstract

Explainability and alert reasoning are essential but often neglected properties
of intrusion detection systems. The lack of explainability reduces security
personnel's trust, limiting the overall impact of alerts. This article proposes
the botnet analysis (BOTA) system, which uses the concepts of weak indicators and
heterogeneous meta-classifiers to maintain accuracy compared with
state-of-the-art systems while also providing explainable results that are easy
to understand. To evaluate the proposed system, we have implemented
a demonstration of intrusion weak-indication detectors, each working on
a different principle to ensure robustness. We tested the architecture with
various real-world and lab-created data sets, and it correctly identified 94.3%
of infected Internet of Things (IoT) devices without false positives.
Furthermore, the implementation is designed to work on top of extended
bidirectional flow data, making it deployable on large 100-Gb/s large-scale
networks at the level of Internet Service Providers. Thus, a single instance of
BOTA can protect millions of devices connected to end-users' local networks and
significantly reduce the threat arising from powerful IoT botnets.

Published
2023
Pages
8416–8431
Journal
IEEE Internet of Things Journal, vol. 10, no. 10, ISSN 2327-4662
Book
IEEE Internet of Things Journal
Publisher
Institute of Electrical and Electronics Engineers
Place
Piscataway
UT WoS
000982455700008
BibTeX
@article{BUT185208,
  author="Daniel {Poliakov} and Karel {Hynek} and Tomáš {Čejka} and Dušan {Kolář}",
  title="BOTA: Explainable IoT Malware Detection in Large Networks",
  journal="IEEE Internet of Things Journal",
  year="2023",
  volume="10",
  number="10",
  pages="8416--8431",
  doi="10.1109/JIOT.2022.3228816",
  issn="2327-4662",
  url="https://ieeexplore.ieee.org/document/9983820"
}