Hybrid GNN–LSTM Architecture for Probabilistic IoT Botnet Detection with Calibrated Risk Assessment

Detecting botnets in IoT environments is difficult because most intrusion detection systems treat network events as independent observations. In practice, infections spread through device relationships and evolve through distinct temporal phases. A system that ignores either aspect will miss important patterns. This paper explores a hybrid architecture combining Graph Neural Networks with Long Short-Term Memory networks to capture both structural and temporal dynamics. The GNN component models behavioral similarity between traffic flows in feature space, while the LSTM tracks how patterns change as attacks progress. The two components are trained jointly so that relational context is preserved during temporal learning. We evaluated the approach on two datasets with different characteristics. N-BaIoT contains traffic from nine devices infected with Mirai and BASHLITE, while CICIoT2023 covers 105 devices across 33 attack types. On N-BaIoT, the model achieved 99.88% accuracy with F1 of 0.9988 and Brier score of 0.0015. Cross-validation on CICIoT2023 yielded 99.73% accuracy with Brier score of 0.0030. The low Brier scores suggest that probability outputs are reasonably well calibrated for risk-based decision making. Consistent performance across both datasets provides some evidence that the architecture generalizes beyond a single benchmark setting.

• Publication year

  2026

• Venue

  Computers

• Publication date

  2026-01-05

• Fields of study

  Not labeled

• Identifiers
  DOI 10.3390/computers15010026
• External record

  Open on Semantic Scholar

• Source metadata

  Semantic Scholar

• No claims are published for this paper.

• No concepts are published for this paper.

• The State of https Adoption on the Web

  2025cited by this paper
• Automated OSINT Techniques for Digital Asset Discovery and Cyber Risk Assessment

  2025influential reference
• Risk Assessment of Cryptojacking Attacks on Endpoint Systems: Threats to Sustainable Digital Agriculture

  2025cited by this paper
• A high performance hybrid LSTM CNN secure architecture for IoT environments using deep learning

  2025cited by this paper
• A Hybrid Approach Using Graph Neural Networks and LSTM for Attack Vector Reconstruction

  2025cited by this paper
• Method for Determining the Level of Criticality Elements when Ensuring the Functional Stability of the System based on Role Analysis of Elements

  2024cited by this paper
• A GNN-Based Adversarial Internet of Things Malware Detection Framework for Critical Infrastructure: Studying Gafgyt, Mirai, and Tsunami Campaigns

  2024influential reference
• Efficient Large-Scale IoT Botnet Detection through GraphSAINT-Based Subgraph Sampling and Graph Isomorphism Network

  2024influential reference
• Enhanced Intrusion Detection with LSTM-Based Model, Feature Selection, and SMOTE for Imbalanced Data

  2024influential reference
• Application of a Dynamic Line Graph Neural Network for Intrusion Detection With Semisupervised Learning

  2023influential reference
• Multi-stage Attack Detection and Prediction Using Graph Neural Networks: An IoT Feasibility Study

  2023influential reference
• Network Intrusion Detection Based on Graph Neural Network and Ensemble Learning

  2023cited by this paper
• Deep Graph Embedding for IoT Botnet Traffic Detection

  2023influential reference
• Botnet attacks detection in IoT environment using machine learning techniques

  2023influential reference
• CICIoT2023: A Real-Time Dataset and Benchmark for Large-Scale Attacks in IoT Environment

  2023influential reference
• Towards the Development of a Realistic Multidimensional IoT Profiling Dataset

  2022influential reference
• Intrusion Detection System to Advance Internet of Things Infrastructure-Based Deep Learning Algorithms

  2021influential reference
• Environmental Impact Assessment Procedure As The Implementation Of The Value Approach In Environmental Projects

  2021influential reference
• Performance Analysis of Intrusion Detection Systems Using a Feature Selection Method on the UNSW-NB15 Dataset

  2020influential reference
• Intelligent Detection of IoT Botnets Using Machine Learning and Deep Learning

  2020cited by this paper
• GNNExplainer: Generating Explanations for Graph Neural Networks

  2019cited by this paper
• A Comprehensive Survey on Graph Neural Networks

  2019cited by this paper
• Survey on deep learning with class imbalance

  2019influential reference
• Performance Evaluation in Machine Learning: The Good, the Bad, the Ugly, and the Way Forward

  2019cited by this paper
• Survey of intrusion detection systems: techniques, datasets and challenges

  2019influential reference
• Unsupervised intelligent system based on one class support vector machine and Grey Wolf optimization for IoT botnet detection

  2019influential reference
• PyTorch: An Imperative Style, High-Performance Deep Learning Library

  2019cited by this paper
• Secure Software Developing Recommendations

  2019cited by this paper
• How Powerful are Graph Neural Networks?

  2018cited by this paper
• Adversarial Attacks on Neural Networks for Graph Data

  2018cited by this paper
• LVQ models of DDOS attacks identification

  2018cited by this paper
• Revisiting Small Batch Training for Deep Neural Networks

  2018cited by this paper
• N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders

  2018influential reference
• Stop explaining black box machine learning models for high stakes decisions and use interpretable models instead

  2018cited by this paper
• FastGCN: Fast Learning with Graph Convolutional Networks via Importance Sampling

  2018cited by this paper
• Model Evaluation, Model Selection, and Algorithm Selection in Machine Learning

  2018influential reference
• Understanding the Mirai Botnet

  2017influential reference
• On Calibration of Modern Neural Networks

  2017influential reference
• Internet of Things security: A survey

  2017cited by this paper
• DDoS in the IoT: Mirai and Other Botnets

  2017cited by this paper
• A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection

  2017cited by this paper
• Wild Patterns: Ten Years After the Rise of Adversarial Machine Learning

  2017cited by this paper
• Botnets and Internet of Things Security

  2017cited by this paper
• Inductive Representation Learning on Large Graphs

  2017influential reference
• IoT SENTINEL: Automated Device-Type Identification for Security Enforcement in IoT

  2016influential reference
• Semi-Supervised Classification with Graph Convolutional Networks

  2016influential reference
• A Comprehensive Measurement Study of Domain Generating Malware

  2016cited by this paper
• Deep Learning

  2016influential reference
• Towards Evaluating the Robustness of Neural Networks

  2016cited by this paper
• A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection

  2016cited by this paper
• Long Short Term Memory Recurrent Neural Network Classifier for Intrusion Detection

  2016influential reference
• A survey of transfer learning

  2016cited by this paper
• XGBoost: A Scalable Tree Boosting System

  2016influential reference
• BlindBox: Deep Packet Inspection over Encrypted Traffic

  2015cited by this paper
• Dropout as a Bayesian Approximation: Representing Model Uncertainty in Deep Learning

  2015cited by this paper
• AMAL: High-fidelity, behavior-based automated malware analysis and classification

  2014cited by this paper
• A Survey on Transfer Learning

  2010cited by this paper
• Outside the Closed World: On Using Machine Learning for Network Intrusion Detection

  2010influential reference
• Internet of Things - New security and privacy challenges

  2010cited by this paper
• Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

  2010influential reference
• Anomaly detection: A survey

  2009influential reference
• Dataset Shift in Machine Learning

  2009influential reference
• The Tradeoffs of Large Scale Learning

  2007cited by this paper
• Pattern Recognition and Machine Learning

  2006cited by this paper
• The relationship between Precision-Recall and ROC curves

  2006influential reference
• Challenging the anomaly detection paradigm: a provocative discussion

  2006cited by this paper
• Predicting good probabilities with supervised learning

  2005influential reference
• The economics of information security investment

  2002influential reference
• How to Own the Internet in Your Spare Time

  2002cited by this paper
• Why information security is hard - an economic perspective

  2001cited by this paper
• The base-rate fallacy and the difficulty of intrusion detection

  2000cited by this paper
• Snort - Lightweight Intrusion Detection for Networks

  1999cited by this paper
• Probabilistic reasoning in intelligent systems: networks of plausible inference" Morgan Kaufmann

  1997cited by this paper
• Long Short-Term Memory

  1997influential reference
• Rapid Decision Making on the Fire Ground

  1986cited by this paper
• The meaning and use of the area under a receiver operating characteristic (ROC) curve.

  1982cited by this paper
• VERIFICATION OF FORECASTS EXPRESSED IN TERMS OF PROBABILITY

  1950influential reference

• No citing papers are available for this paper.