Detection of internet of things network attacks by hybrid deep learning (CNN-LSTM) algorithm to enhance security – Scientific Reports
The Internet of Things is exploding in scale—and so are the security risks. Botnet campaigns that conscript vulnerable devices can cripple networks and compromise sensitive data. A new study proposes a hybrid deep learning model that marries Convolutional Neural Networks (CNNs) with Long Short-Term Memory (LSTM) networks to spot these threats with remarkable precision. Trained and validated on the widely used BoT-IoT dataset, the approach tackles both feature richness and temporal dynamics, delivering standout results on balanced and imbalanced traffic.
Why it matters
Traditional detection systems often miss fast-evolving botnet behaviors, especially in noisy, heterogeneous IoT traffic. The hybrid CNN-LSTM architecture addresses this by learning both spatial patterns in features and time-dependent signatures in flows—two ingredients that are crucial for reliable attack identification in the real world.
The hybrid approach: CNN meets LSTM
The model pipeline is designed to capture complementary signals:
- CNN layers extract discriminative feature patterns from network traffic, filtering noise and highlighting structures that correlate with malicious activity.
- LSTM layers model temporal dependencies, tracking how behaviors evolve across sequences to differentiate benign bursts from orchestrated botnet operations.
This pairing improves representation learning and temporal pattern recognition beyond what standalone CNNs or LSTMs typically achieve, resulting in more accurate and robust classification.
Data, balancing, and feature engineering
The researchers use the publicly available BoT-IoT dataset, which contains diverse attack types and traffic resembling real-world conditions. Two key preprocessing strategies strengthen the training signal:
- Feature Engineering (FE): Curated transformations reduce noise and enhance the most informative attributes, improving model focus and generalization.
- SMOTE for class imbalance: Synthetic Minority Over-sampling Technique generates synthetic samples of underrepresented classes (interpolated between existing minority examples and their nearest minority neighbours), mitigating skew and helping the model learn minority attack patterns more effectively.
Experiments are conducted on both unbalanced data and a balanced dataset (D2), enabling a clear assessment of performance across operational conditions.
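The oversampling step described above, as an added example that is not code from the paper: a stdlib-only SMOTE that interpolates between a minority flow and one of its k nearest minority neighbours, applied to a constructed table of flow features (packets, bytes, duration) with a 8:2 benign-to-DDoS skew. Feature names and values are assumptions for illustration.

```python
import random
from collections import Counter

def euclid(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def smote(minority, n_new, k=3, seed=0):
    """SMOTE: build n_new synthetic points, each a random point on the segment
    between a minority sample and one of its k nearest minority neighbours."""
    if len(minority) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    rng = random.Random(seed)
    k = min(k, len(minority) - 1)
    synthetic = []
    for _ in range(n_new):
        i = rng.randrange(len(minority))
        base = minority[i]
        others = [p for j, p in enumerate(minority) if j != i]
        neighbour = rng.choice(sorted(others, key=lambda p: euclid(base, p))[:k])
        lam = rng.random()  # interpolation fraction in [0, 1)
        synthetic.append([b + lam * (n - b) for b, n in zip(base, neighbour)])
    return synthetic

def balance_with_smote(X, y, k=3, seed=0):
    """Oversample every minority class up to the size of the largest class."""
    counts = Counter(y)
    target = max(counts.values())
    X_out, y_out = list(X), list(y)
    for label, n in counts.items():
        if n < target:
            minority = [x for x, lab in zip(X, y) if lab == label]
            synth = smote(minority, target - n, k, seed)
            X_out.extend(synth)
            y_out.extend([label] * len(synth))
    return X_out, y_out

# Constructed flow features [packets, bytes, duration_s]: 8 benign flows, 2 DDoS flows
X = [[12, 1500, 2.1], [9, 1100, 1.8], [15, 2200, 3.0], [11, 1400, 2.4],
     [8, 900, 1.5], [14, 2000, 2.9], [10, 1300, 2.0], [13, 1700, 2.6],
     [900, 60000, 0.4], [1200, 84000, 0.5]]
y = ["benign"] * 8 + ["ddos"] * 2

def class_counts(labels):
    return dict(Counter(labels))

if __name__ == "__main__":
    Xb, yb = balance_with_smote(X, y)
    print(class_counts(y), "->", class_counts(yb))
```

Every synthetic DDoS row stays inside the bounding box of the real DDoS rows, which is also the caveat: SMOTE cannot invent attack behaviour that the minority class does not already contain.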
Results at a glance
On the balanced dataset (D2), the CNN-LSTM hybrid achieves:
- Accuracy: 99.77%
- PR-AUC: 100%
- ROC-AUC: 99.99%
Crucially, the model also performs well on imbalanced data, underscoring its generalizability to production settings where attack traffic is relatively rare.
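Why the paper reports PR-AUC and ROC-AUC alongside accuracy, as an added example that is not code from the paper: stdlib-only implementations of the three metrics, run over a constructed 1%-prevalence set where a degenerate detector that calls everything benign still scores 99% accuracy. The detector scores are hypothetical values chosen to make the arithmetic checkable.

```python
def accuracy(labels, scores, threshold=0.5):
    """Fraction of flows classified correctly when score >= threshold means 'attack'."""
    hits = sum((s >= threshold) == bool(lab) for lab, s in zip(labels, scores))
    return hits / len(labels)

def roc_auc(labels, scores):
    """Mann-Whitney form of ROC-AUC: probability that a random attack outscores a
    random benign flow; tied scores count as half a win."""
    pos = [s for lab, s in zip(labels, scores) if lab]
    neg = [s for lab, s in zip(labels, scores) if not lab]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def pr_auc(labels, scores):
    """Average precision (step-wise area under the PR curve): walk thresholds from
    high to low, flows with equal scores enter together, add recall gain x precision."""
    total_pos = sum(1 for lab in labels if lab)
    tp = fp = 0
    prev_recall = ap = 0.0
    for t in sorted(set(scores), reverse=True):
        for lab, s in zip(labels, scores):
            if s == t:
                if lab:
                    tp += 1
                else:
                    fp += 1
        recall = tp / total_pos
        ap += (recall - prev_recall) * tp / (tp + fp)
        prev_recall = recall
    return ap

# Constructed 1% prevalence set: 10 attack flows among 1000
LABELS = [1] * 10 + [0] * 990
# Hypothetical detector: nine attacks score high, one at 0.45; five benign flows at 0.5
GOOD = [0.95, 0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55, 0.45] + [0.5] * 5 + [0.05] * 985
# Degenerate detector that calls every flow benign
CONSTANT = [0.0] * 1000

def report(scores):
    return {"accuracy": accuracy(LABELS, scores),
            "roc_auc": roc_auc(LABELS, scores),
            "pr_auc": pr_auc(LABELS, scores)}

if __name__ == "__main__":
    for name, s in (("good", GOOD), ("constant", CONSTANT)):
        print(name, report(s))
```

The constant detector reaches 0.99 accuracy but 0.5 ROC-AUC and 0.01 PR-AUC (the prevalence), while the useful detector sits at 0.994, 0.9995 and 0.967; on skewed traffic only the last two metrics separate the two.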
Beating the baselines
Compared with classical machine learning and single-architecture deep learning baselines, the hybrid model consistently leads on key metrics. The gains stem from:
- Richer feature representation: CNN layers distill subtle, high-variance signals embedded in complex IoT traffic.
- Superior temporal reasoning: LSTM layers track sequential dependencies that static models often overlook.
The result is a significant lift in detection fidelity for multiple attack categories, reducing false negatives without inflating false positives—vital for security teams aiming to minimize alert fatigue.
Scalability and interpretability
The architecture is designed with deployment in mind. CNNs offer efficient parallelization, while LSTMs handle sequence modeling without a prohibitive computational footprint. The modular structure also supports interpretability: separating spatial and temporal components helps practitioners understand which aspects of traffic drive decisions, a plus for incident response and compliance.
What sets this work apart
- End-to-end pipeline: From feature engineering to imbalance handling (SMOTE), the workflow is tuned for messy, real-world IoT environments.
- Robust evaluation: Performance is demonstrated on both balanced and unbalanced settings, not just cherry-picked scenarios.
- Production relevance: Strong metrics, generalization on skewed data, and a scalable design make it practical for SOC and NOC workflows.
Implications for IoT defenders
For operators grappling with sprawling device fleets, this CNN-LSTM model offers a powerful blueprint: combine spatial and temporal deep learning, invest in thoughtful feature engineering, and address class imbalance head-on. The payoff is clear—near-perfect discrimination on benchmarked traffic and resilience when conditions are less than ideal.
Bottom line
The proposed CNN-LSTM hybrid model sets a high bar for botnet detection in IoT networks. By uniting strong feature extraction with temporal insight—and validating on a realistic dataset with both balanced and imbalanced regimes—it delivers accuracy and reliability that surpass conventional baselines. For organizations seeking scalable, interpretable, and production-ready defenses, this approach represents a compelling next step in securing the Internet of Things.