SHAP-Enhanced Histogram Gradient Boosting for IoT Threat Detection via Signal-Based Network Traffic Analysis
DOI:
https://doi.org/10.24237/djes.2025.18404
Keywords:
Histogram-based Gradient Boosting, IoT, Internet of Things, IDS, N-BaIoT
Abstract
The dramatic rise in the number of Internet of Things (IoT) devices has greatly enlarged the attack surface for network-based threats, especially high-volume, non-portable DDoS botnet attacks. We propose an explainable intrusion detection system that analyses digital signals of raw IoT network traffic. We train a Histogram-based Gradient Boosting Classifier (HGBC) on the N-BaIoT dataset to classify traffic into 11 classes (10 attack-related, 1 benign). To reduce bias, the model is trained on a strictly pre-processed and balanced subset of the data. We apply SHapley Additive exPlanations (SHAP), a game theory-based framework, to gain insight into the model's security-relevant predictions despite its black-box nature. This SHAP-enhanced method identifies and ranks the most significant features, and shows that mutual information and packet jitter descriptors (e.g., MI_dir_L0.1_mean) are decisive when identifying coordinated attack actions. The model achieved macro-averaged accuracy, recall and F1-score of 1.00 on a held-out test set. The work makes three contributions: (i) an end-to-end interpretable multi-class IoT DDoS detector; (ii) a transparent data curation framework that tackles imbalance and redundancy; and (iii) empirical support that HGBC with SHAP can be highly performant yet offer actionable insight into the feature semantics that will inform future security design.
Copyright (c) 2025 Ahmed A. Mohammed, Ahmed M. Aleesa, Ali M. Alhatim

This work is licensed under a Creative Commons Attribution 4.0 International License.









