BOTA: Explainable IoT Malware Detection in Large Networks

Explainability and alert reasoning are essential but often neglected properties of intrusion detection systems. The lack of explainability reduces security personnel's trust, limiting the overall impact of alerts. This article proposes the botnet analysis (BOTA) system, which uses the concepts of weak indicators and heterogeneous meta-classifiers to maintain accuracy compared with state-of-the-art systems while also providing explainable results that are easy to understand. To evaluate the proposed system, we have implemented a demonstration of intrusion weak-indication detectors, each working on a different principle to ensure robustness. We tested the architecture with various real-world and lab-created data sets, and it correctly identified 94.3% of infected Internet of Things (IoT) devices without false positives. Furthermore, the implementation is designed to work on top of extended bidirectional flow data, making it deployable on large 100-Gb/s large-scale networks at the level of Internet Service Providers. Thus, a single instance of BOTA can protect millions of devices connected to end-users' local networks and significantly reduce the threat arising from powerful IoT botnets.