Concept Drift Analysis by Dynamic Residual Projection for Effectively Detecting Botnet Cyber-Attacks in IoT Scenarios

IoT devices typically stream data such as sensor values to other devices including cloud-based services. Analyzing these streams for cyber-attacks is a challenging task. This is due to the infinite nature of stream-based datatypes. Analyzing streams can require additional real-time processing and computational performance capabilities. In this article, we focus on how concept drifts affect Botnet cyber-attack detection in IoT scenarios. To reveal the result, we incorporate the concept drift analysis to detect cyber-attacks on the Bot-IoT dataset, which consists of legitimate and simulated IoT network traffics, together with various types of attacks. We designed subdatasets of the Bot-IoT to ensure the concept drift occurs that eventually complete the experiments. The detection accuracies improved 15%-26% compared with the classification models without concept drift analysis. We also gain superior performance results by comparing confusion matrices when concept drift analysis is ongoing. We propose a technique featuring a dynamic sliding window based on the residual projection to perform concept drift analysis. During the process of finding concepts in data streams, the sample number is updated dynamically by comparing the anomalous quantity obtained by the residual projection method in the current window to the previous one. In addition to the Bot-IoT dataset, our method is also applied to two popular synthetic datasets SEA Concept and UG-2C-5D. The results demonstrate the effectiveness of our method with respect to the false alarm rate, misses, and average delay.