How the Graph Construction Technique Shapes Performance in IoT Botnet Detection

TL;DR

This paper investigates how different graph construction methods affect the performance of GNN-based IoT botnet detection, finding that Gabriel graphs yield the best results in classifying network traffic.

Contribution

It systematically evaluates five graph construction techniques for GNNs in IoT botnet detection, highlighting the impact of graph choice on classification accuracy.

Findings

Gabriel graph achieves 97.56% accuracy in detection.

Shared Nearest Neighbor performs the worst with 78.56% accuracy.

Using VAE reduces computational complexity in graph generation.

Abstract

The increasing incidence of IoT-based botnet attacks has driven interest in advanced learning models for detection. Recent efforts have focused on leveraging attention mechanisms to model long-range feature dependencies and Graph Neural Networks (GNNs) to capture relationships between data instances. Since GNNs require graph-structured input, tabular NetFlow data must be transformed accordingly. This study evaluates how the choice of the method for constructing the graph-structured dataset impacts the classification performance of a GNN model. Five methods--k-Nearest Neighbors, Mutual Nearest Neighbors, Shared Nearest Neighbor, Gabriel Graph, and epsilon-radius Graph--were evaluated in this research. To reduce the computational burden associated with high-dimensional data, a Variational Autoencoder (VAE) is employed to project the original features into a lower-dimensional latent space prior to graph generation. Subsequently, a Graph Attention Network (GAT) is trained on each graph to classify traffic in the N-BaIoT dataset into three categories: Normal, Mirai, and Gafgyt. The results indicate that using Gabriel graph achieves the highest detection performance with an accuracy of 97.56% while SNN recorded the lowest performance with an accuracy as low as 78.56%.