# Federated Learning and Data Mining-Based Botnet Attack Detection Framework for Internet of Things

**Authors:** Kalupahana Liyanage Kushan Sudheera, Lokuge Lehele Gedara Madhuwantha Priyashan, Oruthota Arachchige Sanduni Pavithra, Malwaththe Widanalage Tharindu Aththanayake, Piyumi Bhagya Sudasinghe, Wijethunga Gamage Chatum Aloj Sankalpa, Gammana Guruge Nadeesha Sandamali, Peter Han Joo Chong

PMC · DOI: 10.3390/s26051573 · Sensors (Basel, Switzerland) · 2026-03-02

## TL;DR

This paper introduces FDA, a privacy-preserving framework using federated learning and data mining to detect multi-stage botnet attacks in IoT networks.

## Contribution

FDA is a novel framework combining federated learning and frequent itemset mining for decentralized, privacy-aware botnet detection in IoT.

## Key findings

- FDA achieves anomaly detection F1-scores above 99% across all gateways.
- Multi-stage botnet attack classification reaches F1-scores of 48–49%, comparable to centralized methods.
- The framework avoids raw data sharing while enabling collaborative learning across IoT networks.

## Abstract

Botnet attacks in Internet of Things (IoT) environments often occur as multi-stage campaigns, making early and reliable detection difficult across distributed and privacy-sensitive networks. Centralized detection approaches are often limited by heterogeneous traffic characteristics, severe data imbalance, and the need to aggregate large volumes of raw network data, raising scalability and privacy concerns. To address these challenges, this paper proposes FDA, a federated learning-based and data mining-driven framework for stage-aware botnet attack detection in IoT networks. FDA operates at network gateways, where anomalous traffic is first detected and then abstracted into compact and interpretable patterns using Frequent Itemset Mining (FIM). This pattern-based representation reduces noise and local traffic bias, enabling more robust learning across different IoT networks. Lightweight neural network models are trained locally at gateways, and a global model is learned through federated aggregation of model parameters, avoiding direct sharing of raw network data while enabling gateways to collaboratively learn evolving attack patterns across different IoT networks. Experimental results show that FDA achieves anomaly detection F1-scores above 99% across all gateways and multi-stage botnet attack classification F1-scores in the range of 48–49%, which are comparable to centralized machine-learning baselines while operating under decentralized and privacy-preserving constraints. Overall, FDA provides a practical, privacy-preserving, and effective solution for distributed botnet attack stage detection in real-world IoT deployments.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12987258/full.md

## Figures

13 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12987258/full.md

## References

35 references — full list in the complete paper: https://tomesphere.com/paper/PMC12987258/full.md

---
Source: https://tomesphere.com/paper/PMC12987258