{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,3]],"date-time":"2026-04-03T20:46:23Z","timestamp":1775249183628,"version":"3.50.1"},"reference-count":38,"publisher":"MDPI AG","issue":"14","license":[{"start":{"date-parts":[[2019,7,19]],"date-time":"2019-07-19T00:00:00Z","timestamp":1563494400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100002322","name":"Coordena\u00e7\u00e3o de Aperfei\u00e7oamento de Pessoal de N\u00edvel Superior","doi-asserted-by":"publisher","award":["Finance Code 001"],"award-info":[{"award-number":["Finance Code 001"]}],"id":[{"id":"10.13039\/501100002322","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Internet of Things (IoT) devices have become increasingly widespread. Despite their potential of improving multiple application domains, these devices have poor security, which can be explored by attackers to build large-scale botnets. In this work, we propose a host-based approach to detect botnets in IoT devices, named IoTDS (Internet of Things Detection System). It relies on one-class classifiers, which model only the legitimate device behaviour for further detection of deviations, avoiding the manual labelling process. The proposed solution is underpinned by a novel agent-manager architecture based on HTTPS, which prevents the IoT device from being overloaded by the training activities. To analyse the device\u2019s behaviour, the approach extracts features from the device\u2019s CPU utilisation and temperature, memory consumption, and number of running tasks, meaning that it does not make use of network traffic data. To test our approach, we used an experimental IoT setup containing a device compromised by bot malware. Multiple scenarios were made, including three different IoT device profiles and seven botnets. Four one-class algorithms (Elliptic Envelope, Isolation Forest, Local Outlier Factor, and One-class Support Vector Machine) were evaluated. The results show the proposed system has a good predictive performance for different botnets, achieving a mean F1-score of 94% for the best performing algorithm, the Local Outlier Factor. The system also presented a low impact on the device\u2019s energy consumption, and CPU and memory utilisation.<\/jats:p>","DOI":"10.3390\/s19143188","type":"journal-article","created":{"date-parts":[[2019,7,22]],"date-time":"2019-07-22T02:55:37Z","timestamp":1563764137000},"page":"3188","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":66,"title":["IoTDS: A One-Class Classification Approach to Detect Botnets in Internet of Things Devices"],"prefix":"10.3390","volume":"19","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8707-4007","authenticated-orcid":false,"given":"Vitor Hugo","family":"Bezerra","sequence":"first","affiliation":[{"name":"Computer Science Department, State University of Londrina (UEL), Londrina PR 86057-970, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2597-4998","authenticated-orcid":false,"given":"Victor Guilherme Turrisi","family":"da Costa","sequence":"additional","affiliation":[{"name":"Computer Science Department, State University of Londrina (UEL), Londrina PR 86057-970, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4988-0702","authenticated-orcid":false,"given":"Sylvio","family":"Barbon Junior","sequence":"additional","affiliation":[{"name":"Computer Science Department, State University of Londrina (UEL), Londrina PR 86057-970, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8176-8040","authenticated-orcid":false,"given":"Rodrigo Sanches","family":"Miani","sequence":"additional","affiliation":[{"name":"School of Computer Science, Federal University of Uberl\u00e2ndia (UFU), Uberl\u00e2ndia MG 38400-902, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9172-3578","authenticated-orcid":false,"given":"Bruno Bogaz","family":"Zarpel\u00e3o","sequence":"additional","affiliation":[{"name":"Computer Science Department, State University of Londrina (UEL), Londrina PR 86057-970, Brazil"}]}],"member":"1968","published-online":{"date-parts":[[2019,7,19]]},"reference":[{"key":"ref_1","unstructured":"Ashton, K. (2019, April 30). That \u2018Internet of Things\u2019 Thing. Available online: https:\/\/www.rfidjournal.com\/articles\/view?4986."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"10350","DOI":"10.3390\/s150510350","article-title":"WSN- and IOT-Based Smart Homes and Their Extension to Smart Buildings","volume":"15","author":"Ghayvat","year":"2015","journal-title":"Sensors"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Shi, X., An, X., Zhao, Q., Liu, H., Xia, L., Sun, X., and Guo, Y. (2019). State-of-the-Art Internet of Things in Protected Agriculture. Sensors, 19.","DOI":"10.3390\/s19081833"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"60","DOI":"10.1109\/MCOM.2018.1700625","article-title":"Integration of LoRaWAN and 4G\/5G for the Industrial Internet of Things","volume":"56","author":"Sendra","year":"2018","journal-title":"IEEE Commun. Mag."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"68","DOI":"10.1109\/MIC.2016.130","article-title":"Application Architecture for the Internet of Cities: Blueprints for Future Smart City Applications","volume":"20","author":"Schleicher","year":"2016","journal-title":"IEEE Internet Comput."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"3179","DOI":"10.1109\/JSEN.2019.2891911","article-title":"The Extreme Edge at the Bottom of the Internet of Things: A Review","volume":"19","author":"Portilla","year":"2019","journal-title":"IEEE Sens. J."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Ibarra-Esquer, J.E., Gonz\u00e1lez-Navarro, F.F., Flores-Rios, B.L., Burtseva, L., and Astorga-Vargas, M.A. (2017). Tracking the Evolution of the Internet of Things Concept Across Different Application Domains. Sensors, 17.","DOI":"10.3390\/s17061379"},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and Other Botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1109\/MCOM.2018.1701204","article-title":"Security and Privacy in the Age of the Smart Internet of Things: An Overview from a Networking Perspective","volume":"56","author":"Yu","year":"2018","journal-title":"IEEE Commun. Mag."},{"key":"ref_10","unstructured":"Angrishi, K. (2017). Turning Internet of Things(IoT) into Internet of Vulnerabilities (IoV): IoT Botnets. arXiv, 1\u201317."},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"76","DOI":"10.1109\/MC.2017.62","article-title":"Botnets and Internet of Things Security","volume":"50","author":"Bertino","year":"2017","journal-title":"Computer"},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1016\/j.jnca.2017.02.009","article-title":"A survey of intrusion detection in Internet of Things","volume":"84","author":"Miani","year":"2017","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"2661","DOI":"10.1016\/j.adhoc.2013.04.014","article-title":"SVELTE: Real-time intrusion detection in the Internet of Things","volume":"11","author":"Raza","year":"2013","journal-title":"Ad Hoc Netw."},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Amaral, J.P., Oliveira, L.M., Rodrigues, J.J., Han, G., and Shu, L. (2014, January 10\u201314). Policy and network-based intrusion detection system for IPv6-enabled wireless sensor networks. Proceedings of the 2014 IEEE International Conference on Communications (ICC), Sydney, Australia.","DOI":"10.1109\/ICC.2014.6883583"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Granjal, J., Silva, J.M., and Louren\u00e7o, N. (2018). Intrusion Detection and Prevention in CoAP Wireless Sensor Networks Using Anomaly Detection. Sensors, 18.","DOI":"10.3390\/s18082445"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Le, A., Loo, J., Chai, K.K., and Aiash, M. (2016). A Specification-Based IDS for Detecting Attacks on RPL-Based Network Topology. Information, 7.","DOI":"10.3390\/info7020025"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Alrashdi, I., Alqazzaz, A., Aloufi, E., Alharthi, R., Zohdy, M., and Ming, H. (2019, January 7\u20139). AD-IoT: Anomaly Detection of IoT Cyberattacks in Smart City Using Machine Learning. Proceedings of the 2019 IEEE 9th Annual Computing and Communication Workshop and Conference (CCWC), Las Vegas, NV, USA.","DOI":"10.1109\/CCWC.2019.8666450"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"42450","DOI":"10.1109\/ACCESS.2019.2907965","article-title":"Toward a Lightweight Intrusion Detection System for the Internet of Things","volume":"7","author":"Jan","year":"2019","journal-title":"IEEE Access"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Habibi, J., Midi, D., Mudgerikar, A., and Bertino, E. (2017). Heimdall: Mitigating the Internet of Insecure Things. IEEE Internet Things J., 968\u2013978.","DOI":"10.1109\/JIOT.2017.2704093"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Breitenbacher, D., Shabtai, A., and Elovici, Y. (2018). N-BaIoT: Network-based Detection of IoT Botnet Attacks Using Deep Autoencoders. arXiv.","DOI":"10.1109\/MPRV.2018.03367731"},{"key":"ref_21","unstructured":"Bezerra, V.H., da Costa, V.G.T., Martins, R.A., Barbon Junior, S., Miani, R.S., and Zarpel\u00e3o, B.B. (2018). Providing IoT host-based datasets for intrusion detection research. SIMP\u00d3SIO BRASILEIRO EM SEGURAN\u00c7A DA INFORMA\u00c7\u00c3O E DE SISTEMAS COMPUTACIONAIS (SBSEG), 2018 Anais do XVIII Simp\u00f3sio Brasileiro em Seguran\u00e7a da Informa\u00e7\u00e3o e de Sistemas Computacionais, Sociedade Brasileira de Computa\u00e7\u00e3o."},{"key":"ref_22","unstructured":"Bezerra, V.H., da Costa, V.G.T., Barbon Junior, S., Miani, R.S., and Zarpel\u00e3o, B.B. (2018). One-class Classification to Detect Botnets in IoT devices. SIMP\u00d3SIO BRASILEIRO EM SEGURAN\u00c7A DA INFORMA\u00c7\u00c3O E DE SISTEMAS COMPUTACIONAIS (SBSEG), 2018 Anais do XVIII Simp\u00f3sio Brasileiro em Seguran\u00e7a da Informa\u00e7\u00e3o e de Sistemas Computacionais, Sociedade Brasileira de Computa\u00e7\u00e3o."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"An, N., Duff, A., Naik, G., Faloutsos, M., Weber, S., and Mancoridis, S. (2017, January 11\u201314). Behavioral anomaly detection of malware on home routers. Proceedings of the 2017 12th International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, Puerto Rico.","DOI":"10.1109\/MALWARE.2017.8323956"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Khan, S.S., and Madden, M.G. (2009). A survey of recent trends in one class classification. Artificial Intelligence and Cognitive Science, Springer. Lecture Notes in Computer Science.","DOI":"10.1007\/978-3-642-17080-5_21"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"212","DOI":"10.1080\/00401706.1999.10485670","article-title":"A fast algorithm for the minimum covariance determinant estimator","volume":"41","author":"Rousseeuw","year":"1999","journal-title":"Technometrics"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Liu, F.T., Ting, K.M., and Zhou, Z.H. (2008, January 15\u201319). Isolation forest. Proceedings of the 2008 Eighth IEEE International Conference on Data Mining, Pisa, Italy.","DOI":"10.1109\/ICDM.2008.17"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Breunig, M.M., Kriegel, H.P., Ng, R.T., and Sander, J. (2000, January 16\u201318). LOF: identifying density-based local outliers. Proceedings of the 2000 ACM SIGMOD International Conference on Management of Data, Dallas, TX, USA.","DOI":"10.1145\/342009.335388"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"273","DOI":"10.1007\/BF00994018","article-title":"Support-vector networks","volume":"20","author":"Cortes","year":"1995","journal-title":"Mach. Learn."},{"key":"ref_29","first-page":"48:1","article-title":"A Survey of Random Forest Based Methods for Intrusion Detection Systems","volume":"51","author":"Resende","year":"2018","journal-title":"ACM Comput. Surv."},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"395","DOI":"10.1016\/j.cie.2005.01.009","article-title":"One-class support vector machines\u2014An application in machine fault detection and classification","volume":"48","author":"Shin","year":"2005","journal-title":"Comput. Ind. Eng."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"4183","DOI":"10.1093\/mnras\/stv1551","article-title":"Anomaly detection for machine learning redshifts applied to SDSS galaxies","volume":"452","author":"Hoyle","year":"2015","journal-title":"Mon. Not. R. Astron. Soc."},{"key":"ref_32","unstructured":"Stallings, W. (2017). Cryptography and Network Security: Principles and Practice, Pearson."},{"key":"ref_33","unstructured":"Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., and Kallitsis, M. (2017, January 16\u201318). Understanding the Mirai Botnet. Proceedings of the 26th USENIX Security Symposium, Vancouver, BC, Canada."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT","volume":"50","author":"Stavrou","year":"2017","journal-title":"Computer"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Qiu, M., Xu, S., Yung, M., and Zhang, H. (2015). Android Botnets: What URLs are Telling Us. Network and System Security, Springer International Publishing.","DOI":"10.1007\/978-3-319-25645-0"},{"key":"ref_36","first-page":"2825","article-title":"Scikit-learn: Machine Learning in Python","volume":"12","author":"Pedregosa","year":"2011","journal-title":"J. Mach. Learn. Res."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"427","DOI":"10.1016\/j.ipm.2009.03.002","article-title":"A systematic analysis of performance measures for classification tasks","volume":"45","author":"Sokolova","year":"2009","journal-title":"Inf. Process. Manag."},{"key":"ref_38","first-page":"281","article-title":"Random search for hyper-parameter optimization","volume":"13","author":"Bergstra","year":"2012","journal-title":"J. Mach. Learn. Res."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/14\/3188\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T13:07:35Z","timestamp":1760188055000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/19\/14\/3188"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,7,19]]},"references-count":38,"journal-issue":{"issue":"14","published-online":{"date-parts":[[2019,7]]}},"alternative-id":["s19143188"],"URL":"https:\/\/doi.org\/10.3390\/s19143188","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,7,19]]}}}