Enhancing IoT Botnet Attack Detection in SOCs with an Explainable Active Learning Framework

Rajesh Kalakoti, Sven Nomm, Hayretdin Bahsi

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution

2 Scopus citations

Abstract

The widespread use of Internet of Things (IoT) devices has raised the threat of botnet attacks, presenting significant challenges for security operations centres (SOCs). While machine learning techniques have shown promising results in detecting these attacks, their effectiveness is often limited by the lack of labeled data and the need for greater transparency in the decision-making process of labeling. We propose an explainable active learning framework incorporating post-hoc explainability methods, such as LIME and SHAP, into the active learning process for detecting IoT botnet attacks in a multi-class classification setting. Our framework enables SOC analysts to provide informed annotations, while the explainability methods offer insights into the model's decision-making process. We employ uncertainty sampling and query-by-committee strategies to select the most informative instances for labeling, and we evaluate the quality of the explanations using various quantitative metrics. Experimental results demonstrate that our explainable active learning framework achieves high detection performance while enhancing the trust and transparency between the SOC analysts and the learning model.
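As an added illustration, not code from the paper or its authors: a small pure-Python version of the two query strategies the abstract names, uncertainty sampling (entropy of one model's class probabilities) and query-by-committee (vote entropy over the members' hard votes), run on a constructed pool of five flow predictions. The class indices, probabilities and committee votes are constructed for the example; the LIME/SHAP explanation step is not included.

```python
import math

def entropy(p: list[float]) -> float:
    """Shannon entropy (nats) of a probability vector; zero entries contribute nothing."""
    return -sum(x * math.log(x) for x in p if x > 0.0)

def uncertainty_sampling(probs: list[list[float]], k: int) -> list[int]:
    """Uncertainty sampling: return the k pool indices whose predicted class
    distribution has the highest entropy, i.e. where the model is least sure."""
    scores = [entropy(p) for p in probs]
    return sorted(range(len(probs)), key=lambda i: scores[i], reverse=True)[:k]

def query_by_committee(votes: list[list[int]], k: int) -> list[int]:
    """Query-by-committee with vote entropy: each committee member casts one hard
    class vote per pool item; items the members disagree on most are queried."""
    n_members, n_items = len(votes), len(votes[0])
    scores = []
    for i in range(n_items):
        counts: dict[int, int] = {}
        for member in votes:
            counts[member[i]] = counts.get(member[i], 0) + 1
        scores.append(entropy([c / n_members for c in counts.values()]))
    return sorted(range(n_items), key=lambda i: scores[i], reverse=True)[:k]

# Constructed unlabeled pool: one model's probabilities over four constructed
# classes (benign, mirai_scan, mirai_flood, gafgyt_tcp) for five flows.
POOL_PROBS = [
    [0.97, 0.01, 0.01, 0.01],  # confidently benign
    [0.40, 0.35, 0.20, 0.05],  # benign vs. scan: ambiguous
    [0.05, 0.90, 0.03, 0.02],  # confidently mirai_scan
    [0.30, 0.30, 0.30, 0.10],  # three-way split, least certain
    [0.10, 0.10, 0.75, 0.05],  # fairly confident mirai_flood
]
# Constructed hard votes (class indices) from a three-member committee on the same flows.
COMMITTEE_VOTES = [
    [0, 0, 1, 0, 2],
    [0, 1, 1, 2, 2],
    [0, 3, 1, 1, 3],
]

def analyst_queue(k: int = 2) -> dict[str, list[int]]:
    """Pool indices an analyst would be asked to label under each strategy."""
    return {
        "uncertainty": uncertainty_sampling(POOL_PROBS, k),
        "committee": query_by_committee(COMMITTEE_VOTES, k),
    }

if __name__ == "__main__":
    print(analyst_queue())  # uncertainty: [3, 1]; committee: flows 1 and 3 (tied)
```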

Original language: English (US)
Title of host publication: 2024 IEEE 5th World AI IoT Congress, AIIoT 2024
Editors: Rajashree Paul, Arpita Kundu, Rupsha Bhattacharyya
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 265-272
Number of pages: 8
ISBN (Electronic): 9798350387803
DOIs
State: Published - 2024
Event: 5th IEEE Annual World AI IoT Congress, AIIoT 2024 - Seattle, United States
Duration: May 29 2024 - May 31 2024

Publication series

Name: 2024 IEEE 5th World AI IoT Congress, AIIoT 2024

Conference

Conference: 5th IEEE Annual World AI IoT Congress, AIIoT 2024
Country/Territory: United States
City: Seattle
Period: 5/29/24 - 5/31/24

Keywords

  • Active learning
  • Explainable AI
  • IoT Botnet
  • LIME
  • Post-Hoc explainability
  • SHAP
  • SOC

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Networks and Communications
  • Computer Science Applications
  • Computer Vision and Pattern Recognition
  • Safety, Risk, Reliability and Quality
  • Education
