Botnet Attack Detection by Using CNN-LSTM Model for Internet of Things Applications

e Internet of ings (IoT) has grown rapidly, and nowadays, it is exploited by cyber attacks on IoTdevices. An accurate system to identify malicious attacks on the IoT environment has become very important for minimizing security risks on IoT devices. Botnet attacks are among the most serious and widespread attacks, and they threaten IoTdevices. Motionless IoTdevices have a security weakness due to lack of sufficientmemory and computation results for a security platform. In addition, numerous existing systems present themselves for finding unknown patterns from IoT networks to improve security. In this study, hybrid deep learning, a convolutional neural network and long short-term memory (CNN-LSTM) algorithm, was proposed to detect botnet attacks, namely, BASHLITE and Mirai, on nine commercial IoT devices. Extensive empirical research was performed by employing a real N-BaIoTdataset extracted from a real system, including benign and malicious patterns. e experimental results exposed the superiority of the CNN-LSTMmodel with accuracies of 90.88% and 88.61% in detecting botnet attacks from doorbells (Danminin and Ennio brands), whereas the proposed system achieved good accuracy (88.53%) in identifying botnet attacks from thermostat devices. e accuracies of the proposed system in detecting botnet attacks from security cameras were 87.19%, 89.23%, 87.76%, and 89.64%, with respect to accuracy metrics. Overall, the CNN-LSTM model was successful in detecting botnet attacks from various IoT devices with optimal accuracy.


Introduction
e fourth industrial revolution, as described by Klaus Schwab, was built on the great achievements of the third revolution, especially the Internet, enormous processing capacity, the ability to store information, and the unlimited potential for access to knowledge [1]. Today, these achievements open the doors to unlimited possibilities through major breakthroughs of emerging technologies in the field of artificial intelligence, robotics, the Internet of ings, autonomous vehicles, 3D printing, nanotechnology, biotechnology, materials science, quantum computing, block chain, and others. e Internet of ings (IoT) aims to interconnect thousands of smart objects/devices in a seamless manner by sensing, processing, and analyzing large amounts of data obtained from heterogeneous IoT devices [2]. e IoT is recognized as one of the Gartner top 10 strategic technology trends in 2020, which projected that IoT will be used to develop 20 times more smart devices than conventional IT devices in 2023 [3]. According to Gartner, the overall usage of IoT in various areas, such as utilities, healthcare, government, physical security, and vehicles, is expected to increase [4]. is rapid development of infrastructure for the Internet of ings comes at the cost of numerous attacks and increased security threats. Symantec reported that every two minutes an IoTdevice is attacked [5]. Furthermore, Kaspersky reported [6] collecting 121,588 malware samples that had attacked IoT devices in 2018; this indicates that attacks averaged around four times more than in 2017 [7]. ere are several types of malware that access IoT devices, such as BASHLITE and Mirai, which are strong and dangerous to the IoT infrastructure, because of it being accessible to vulnerabilities and known authentication authorizations. In 2016, 2.5 million IoT devices were infected by Mirai attacks [8]. BASHLITE and Mirai attacks have features similar to distributed denial-of-service attacks (DDoS), which are carried by devices that are connected to the Internet. According to [9][10][11], Owari, Mirai, and BASHLITE are botnet attacks that have risen in popularity. Botnet attacks are used to run bots on all devices that connect to the Internet and control by employing command and control (C&C) [12]. A botnet attack is a very serious attack known for spreading rapidly between devices connected to the Internet. ere are major gaps in previous technologies for finding appropriate and effective mechanisms to protect IoT devices from botnet attacks. e intrusion detection system (IDS) is one solution for dealing with botnet attacks. It uses artificial intelligence for discovering new patterns of botnet attacks. e IDS is divided into two types: the anomaly and misuse methods. ese types depend on being signature based. ere are numerous IDSs available, such as Snort [13] and Suricata [14].
Currently, artificial intelligence (AI) algorithms are used to detect IoT attacks with more assured detection. Artificial intelligence technology even has the ability to detect variances in channels and methods of attacks. is was one of the challenges faced by security solutions for dealing with IoT attacks: hackers make small changes in previous attacks that security solutions are unable to detect. Developers and researchers use AI technologies for preventing any threats to the IoT environment by analyzing network traffic [15,16]. Deep learning and machine learning have been built into security systems to detect such attacks efficiently. Deep learning is one of the artificial intelligence advances that are present in many real-life applications to handle complex nonlinear data. Deep recurrent neural network (DRNN) has been implemented to identify botnet attacks from IoT devices [17][18][19].
In this research, we present the convolutional neural network and long short-term memory (CNN-LSTM) model to detect botnet attacks from selected IoT devices. e proposed system differs from existing systems by training full datasets. Most researchers have used feature selection to select the most significant features for improving accuracy, but our system has achieved better accuracy by using all the training data.
e main innovations of this study are as follows: (a) Using advanced artificial intelligence algorithms such as CNN-LSTM to detect serious botnet attacks against the nine IoT devices infection by ten attacks (b) e proposed system has attained good accuracy by training all input samples (c) e system has the ability to analyze large amounts of data with good accuracy (d) CNN-LSTM has the ability to detect any botnet attack from any IoT device

Related Works
Numerous researchers have focused on developing efficient frameworks to detect botnet attacks and protect the IoT environment. However, botnet attacks represent most of the DDoS attacks that infect IoT devices. e intrusion detection system is a powerful mechanism that is used to protect network systems against any malicious activities. e proposed system can help detect new attack batching by matching with signature attacks. Intrusion detection has two main methods, anomaly-based detection and signaturebased detection, that detect attacks by extracting unknown patterns from network datasets. Al-Garadi et al. [20] applied a deep learning algorithm for designing numerous applications, such as image recognition, localization, and security. Xie et al. [21] demonstrated an intrusion detection system for developing smart cities by using a short-term memory neural network (LSTM-NN) and multilayer perceptron (MLP) models. It is noted that the LSTM-G-NB has the highest accuracy. Alam et al. [22] introduced significant classification algorithms that can be used in IoT environments: support vector machine (SVM), K-nearest neighbor (KNN), and naive Bayes (NB). It is observed that the linear discriminant analysis (LDA) provides better results in terms of time. In this research [23], we developed a novel framework based on machine learning and deep learning to detect anomalies. e authors have used the pros and cons of the existing methods. An advanced algorithm has been proposed to make a paradigm in the security system. e authors' target is to improve the existing system by focusing on detecting attacks from the network layer.
e authors [24] proposed a convolutional neural network (CNN) model based on a system of detecting intrusions from wireless networks. e results of the CNN model have achieved the highest accuracy and low false positive rate.
An IoT malware attack is a DDoS that attacks IoT devices. Most of the IoT environment does not have any mechanism for automatic updation of the devices themselves; therefore, these attacks cause widespread malware. Setting up an IDS has become very necessary for protection against malware. HaddadPajouh et al. [23] used the long short-term memory (LSTM) classifier to detect malware attacks based on the IoT infrastructure. e authors used 100 samples of malware as training data. e accuracy of the system has reached up to 97%. McDermott et al. [25] suggested deep learning approaches to detect botnet attacks.
e Mirai botnet was classified in the research study. Bidirectional long short-term memory (BLSTM) using recurrent neural network (RNN) models was considered as an appropriate approach for protecting systems against botnet attacks. e performance of LSTM has an accuracy of 99.51%, and BLSTM accuracy is 99.98%. Brun et al. [26] applied dense RNN to detect attacks. is system has the ability to detect various types of attacks, such as UDP flooding, TCP SYN flooding, sleep-deprivation attacks, barrage attacks, and broadcast attacks. Captured packets extract statistical sequence data. is study was developed in a 3G SIM card environment, with a lot of IoT devices connected to this network. Meidan et al. [27] employed packet-captured data from IoT devices; the environments of the IoT were a security camera, smoke detector, socket, thermostat, TV, and a watch. e random forest tree algorithm was suggested to detect unauthorized IoT devices; since then, the proposed system obtained a metric of 94% with respect to accuracy. Doshi et al. [28] proposed KNN, a Lagrangian support vector machine (LSVM), decision tree (DT), random forest (RF), and neural network (NN) to predict denial-of-service (DoS) attacks from IoT traffic. e network feature was divided into stateless and stateful features: stateless features include packet size and protocol features, whereas the stateful features include bandwidth and packet headers, such as source and destination address. Hodo et al. [29] applied artificial neural network (ANN) algorithms to detect DDoS/DoS attacks based on the characteristics of host-based IDS and network-based IDS.
e proposed system has obtained 99.4% accuracy. Meidan et al. [30] proposed deep autoencoder for anomaly detection. e N-BaIoT dataset was considered. e system was developed for protecting IoT environments from botnet attacks. When the system is compared with various existing systems, such as SVM and decision tree algorithm, it is noted that the system has the ability to detect botnet attacks with successful results. HaddadPajouh et al. [23] applied an LSTM classifier with Advanced RISC Machine-(ARM-) based IoT applications. To test the LSTM classifier, the authors used 100 examples of malware data not used in model training. e proposed model offered 97% average accuracy.
A study [31] used traditional machine learning, such as linear nearest neighbor lasso step (LNNLS-KH), to extract significant features for enhancing a system. e LNNLS-KH method is used to renew krill herd position to obtain the optimal global solution. Another study [32] used a features selection method, namely, wrapper and filter-based method, to handle dimensionality reduction to improve the classifiers process. e outputs from feature selection methods are processed using Bayesian networks (BN) and C4.5 algorithms. e authors employed the KDD CUP 99 network dataset to examine the proposed system. e designing of an efficient intrusion detection system can be completed by using numerous advanced artificial intelligence algorithms, such as nature-inspired computation intelligence [33][34][35][36] and other methods of machine learning [37][38][39].

Materials and Methods
In this section, the system architecture for developing system-based IoT botnet detection is presented.
e system used is an example of an advanced artificial intelligence (CNN-LSTM) model to detect intrusion from IoT devices. e system was tested by employing real traffic data gathered from nine commercial IoT devices authentically infected by two common botnet attacks, namely, Mirai and BASHLITE.
e system was set to recognize zero-day attacks from IoT devices to identify well-known attacks. Figure 1 shows the system architecture of the developing system. e main components of the proposed system are described in the next section.

N-BaIoT Dataset.
e N-BaIoT dataset was collected from a machine-learning repository.
e network data consisted of 155 features gathered from port mirroring of switch devices in IoT environments. e dataset was generated from real network traffic, including nine commercial IoT devices; 23 main features were extracted at different time intervals (100 ms, 500 ms, 10 s, 10 min, and 1 min). Table 1 displays nine commercial devices used to extract network traffic, including botnet attacks. e dataset has two main attacks, namely, Mirai and BASHLITE (https://archive.ics. uci.edu/ml/datasets/ detection_of_IoT_botnet_attacks_N_BaIoT). Figure 2 displays the lab setup for collecting the botnet attacks from IoT devices. ese devices were connected to Wi-Fi using many access point devices. Port mirroring has been set up on the switch devices for obtaining and sniffing real network traffic. e datasets were recorded using Wireshark software. Table 2 summarizes attack types in the dataset, including two common botnet attacks, namely, BASHLITE and Mirai. BASHLITE attacks, one type of botnet attack representing DDoS attacks, were developed using C programming for infecting Linux systems. is attack is the most common botnet attack that infects IoT devices, such as cameras. In contrast, Mirai botnet attacks, discovered in 2016 by Paras, use malware run on ARC processors to infect large-scale IoT networks.

Deep Learning Algorithms.
Deep learning is one of the artificial intelligence algorithms used to handle analysis, complex processes, and big data. e deep learning model is applied to detecting botnet attacks from an IoT environment. In this proposed research, we have applied a multichannel CNN-LSTM deep learning model to identify and classify botnet attacks from different IoT devices.

Convolutional Neural Networks (CNN)
. CNN is a deep learning algorithm that is used to build an efficient system for image classification. However, the CNN model can also help design efficient systems for security purposes. e CNN algorithm is similar to the ordinary neural network: the CNN algorithm consists of four main layers, namely, the input layer, convolutional layer, pooling layer, and fully connected layer [41,42].
(1) Convolutional Layer. e convolutional layer is used to explore, size, and filter the training sample, including numerous filters known as convolution kernels. e convolutional layer develops the weight matrix for the input sample and recodes the weighted summation kernel layer. e filter is integer values that are used to subset the input pixel values. ree significant hyperparameters, such as filter size, stride, and zero padding, play roles in increasing the performance of the convolutional kernels, choosing appropriate values that can help reduce the complexity of the neural network and increase the performance of the system. Figure 3 shows the details of the CNN algorithm layers. e input shape is (115, 1). We have used two values for filters, 64 and 128, with some kernel size, 5. e values of parameters are strides, 1, and padding, some. e convolutional layer is processed using where X is the sample of training input data, w i is the weighted matrix, x i−1 : X is the sample of training input data, ⊗ is the convolution operation, f is the activation function, and b i is the basis of neural network.
A rectified linear (ReLU) is a nonlinear activation function used to apply the element-wise activation function of a features map from convolutional layers. e ReLU function returns 0 for negative values, and for positive values, it returns any value x. Figure 4 shows the ReLU function: the ReLU function has a range from 0 to infinity [43]: (2) Pooling Layer. A pooling layer is used to reduce the number of parameters in the features map by selecting the maximum values in each region for designing a fit matrix average pooling. is matrix is processed into the next layer. We have considered the maximum pooling size of 5. Figure 5 shows the pooling layer.
where Q j is the output results from the IoT cybersecurity dataset, j is the pooling region, Max is the operation, and P t j is the element of the pooling.
(3) Fully Connected Layer. e last layer of the convolutional neural network is represented by the fully connected layer. Each node in the fully connected layer is connected directly to each node in layers (L − 1) and (L + 1). ere is not any connection between nodes in the same layer, in contrast with the traditional ANN [44]. erefore, this layer takes a long training and testing time. At the same network, more than one fully connected layer can be used, as shown in Figure 6.

Long Short-Term Memory (LSTM).
e recurrent neural network (RNN) algorithm is one of the deep learning models used in many real-life applications. Figure 7 displays the structure of the RNN model, where x represents input and y represents classification output. e long short-term memory model is one type of RNN. e LSTM is used to process sequence data that have feedback connect dissimilar to standard feedforward neural networks. e LSTM has three main gates: input gate, forget gate, and output gate. e input gate is used to store the training data in long-term memory. While the long-term memory initializes from the current input data, the short-term memory initializes from the previous time step. e input gate has filters used to extract training data and discard unuseful information, whereas the useful information passes into sigma function. e sigma function has two indicator values: 0 and 1. e 1 value indicates the values that are very important, while the 0 value indicates values that are unimportant. e output from the input layer is saved in longterm memory. e forget gate is one of most significant gates in the LSTM model. It is used to decide which information to save or discard, by multiplying the forget vector values by current input gate e output from the forget gate will be passed to the next cell to obtain a new version from longterm memory. Figure 8 shows the structure of the LSTM model.      Security and Communication Networks where i t is the output values for input layer, W is the weight values, and b is the bias. e σ activation function is used to transfer the important information to the next cell. f t is the output from the forget gate, O t is the output gate, c t is the cellular cell, x t is the input information, and h t is the output information. Unlike standard feedforward neural networks, LSTM has feedback connections. It can process not only single data points but also entire sequences of data.
In this research, we have hybridized the CNN and LSTM models to detect botnet attacks from various types of IoT devices. Figure 9 displays a generic structure of the hybrid CNN-LSTM model that was used in our study.
e main components of the proposed system to detect botnet attacks from IoT devices are presented in Table 3. We have put the size of kernel convolution as 5, and epochs system was 20. e ReLU function was used as the activation function. A snapshot of the CNN-LSTM model is presented in Figure 10.

Experimental Results
In this section, the results of the proposed system to detect botnet attacks are presented.

Experiment Environment Setup.
e proposed research was completed using different software and hardware environments. Table 4 shows the requirements used to develop the proposed system. It was noted that these requirements were appropriate for developing a system to detect botnet attacks from IoT devices.

Evaluation
Metrics. Accuracy, recall, precision, and F1score metrics were considered to test the system for detection of botnet attacks. e equations are defined as follows: where TP is true positive, FP is false positive, TN is true negative, and FN is false negative.

Results and Discussion.
To evaluate and examine the proposed system, five experiments were conducted on different IoT platforms. e machine learning and deep learning algorithms were implemented to detect botnet Security and Communication Networks attacks by using a network dataset extracted from an IoT setup. In order to validate the system, the datasets were divided into 20% testing data and 70% training data. Table 5 shows input samples for nine commercial IoT devices, including botnet attacks. e five experiments' details are presented in the next section.

Experiment 1: Doorbell Devices.
e CNN-LSTM model was applied to detect the anomaly from network data extracted from doorbells (Danminin and Ennio). Table 6 shows the results of the hybrid CNN-LSTM model. e weighted averages of the performance of the proposed system in detecting attack anomalies from the doorbell Figure 8: Structure of the LSTM model.

Input
convolutional layers LSTM layers FC layers Security and Communication Networks (Danminin) are 93, 91, and 88% with respect to precision, recall, and F1-score metrics, whereas the weighted averages of the proposed system for detecting intrusions from the doorbell (Ennio) are 91% (precision ), 89% (recall), and 85% (F1-score). Utilizing confusion metrics parameters, namely, true positives, false negatives, true negatives, and false positives, to detect the botnet attacks, Figure 11 shows the confusion metrics of the training model for identifying the pattern of unknown botnet attacks from Danminin and Ennio devices. Figure 12 shows accuracy performance of the CNN-LSTM model for identifying intrusion from Danminin and Ennio devices. e accuracy of the proposed system in detecting ten attacks and benign traffic from Danminin devices is presented; it is noted that performance begins at approximately 84% and reaches 91%, whereas accuracy for Ennio of the proposed model starts at 74%, growing to 89% with 20 epochs. Figure 13 shows the cross-entropy loss of CNN-LSTM when training Danminin and Ennio devices. Figure 13(a) shows the training loss of the system to detect the attacks from Danminin devices; the training loss has been reduced from 20.0 to 0.13. Figure 13(b) shows the training loss reduced from 20.0 to 0.17 in detecting intrusion from Ennio devices.

Experiment 2: ermostat Device.
In this experiment, we have implemented the hybrid CNN-LSTM model to detect intrusion from data extracted from a thermostat device. Table 7 summarizes the results of the CNN-LSTM for detecting botnet attacks. e weighted averages of evaluation metrics are 94%, 89%, and 85% for precision, recall, and F1score metrics, respectively. Figure 14 shows the confusion metrics of CNN-LSTM in classifying botnet attacks from the network data that were extracted from thermostat devices. It is observed that the system detected most botnet attacks. Figure 15 shows the performance of the CNN-LSTM model in identifying botnet attacks from thermostat devices that are set up in the IoT environment. Figure 15(a) shows that the accuracy of the CNN-LSTM model increases from 80% to 88.53% with 20 epochs. e training loss of the system is shown in Figure 15(b); it is noted that training loss is reduced from 20.0 to 0.16.

Experiment 3: Baby Monitor Device.
In this experiment, we tested the CNN-LSTM model to detect intrusion from baby monitor (Philips B120N/10) IoT devices. e results of the proposed system are expressed in Table 8. From the optimal results, the system has achieved good accuracy in finding unknown patterns from datasets to handle botnet attacks. e weighted averages of the system are 93%, 92%, and 89% for precision, recall, and F1-score metrics, respectively. e confusion metrics obtained through using the CNN-LSTM model are presented in Figure 16. It is shown that the system has the ability to train all the botnet attacks. Figure 17 shows the performance of CNN-LSTM in detecting botnet attacks from a baby monitor device. e accuracy has been increased from 84% to 92%, whereas the training loss decreases from 20.0 to 0.12 with 20 epochs.           Simple Home XCS7-1002-WHT, and Simple Home XCS7-1003-WHT. Table 9 shows the results of the CNN-LSTM model in detecting botnet attacks from these devices when established in the IoT platform. Figure 18 shows the confusion metrics of the system to classify the ten attacks and benign patterns from Provision PT-737E and Provision PT-838 security camera devices. e confusion metrics of the proposed system to detect attacks from Simple Home XCS7-1002-W and Simple Home XCS7-1003-WHT security camera devices are shown in Figure 19. We observed that the framework has achieved good accuracy in detecting most attacks from security cameras.

Experiment 4: Security
Accuracy performances of the CNN-LSTM model for developing a security system to detect attacks from security cameras in the IoT environment are demonstrated in Figure 20. e system has achieved good performance in   Security and Communication Networks detecting attacks in Simple Home XCS7-1003-WHT: accuracy is increased from 78% to 90%, whereas the system has attained low accuracy (87.19%) in identifying attacks from Provision PT-737E devices. e cross-entropy losses of the CNN-LSTM model training the dataset from security camera IoT devices are presented in Figure 21. Figure 21

Experiment 5: Webcam (Samsung).
In this experiment, we have trained the CNN-LSTM model using data from webcam (Samsung SNH1011N) IoT devices. Table 10 shows the results of the CNN-LSTM model in detecting attacks from a webcam (Samsung SNH1011N). e weighted averages for the system are 94%, 88%, and 84% in terms of precision, recall, and F1-score metrics, respectively.  Figure 23. e performance of the system grows from 78% to 88%, as shown in Figure 23(a), whereas the training model loss is reduced from 20.0 to 0.16, as shown in Figure 23(b).

Discussion
Botnet attacks are one of the serious attacks that threaten IoT devices. As we know, most of our real-life applications are based on IoT technology. e attackers have developed batch files of botnet attacks for preventing security system devices from recognizing these attacks. is makes it difficult for technology companies to design zero-day security system devices to protect the IoT environment. erefore, using artificial intelligence models to detect botnet attacks, by extracting various unknown patterns that are developed by attackers, can easily help protect an IoT platform. In this research, we applied the CNN-LSTM model to detect botnets. is system was tested by a dataset generated from nine commercial device injections from ten attacks.
e results of the first experiment, to identify botnet attacks from doorbell IoT devices, are shown in Table 6. We observed the following points: (1) e CNN-LSTM model achieved 100% with respect to precision, recall, and F1-score in detecting most attacks from a doorbell (Danminin version) (2) e CNN-LSTM system showed low performance in detecting Scan attacks: precision, 71%; recall, 0.0; and F1-score, 0.0, from a doorbell (Danminin version) (3) e system achieved good performance between 100-99% in detection of most of the attacks from a doorbell (Ennio version) device (4) e system showed low performance in detecting Scan and TCP flood attacks; for Scan attacks: precision (75%) and recall and F1-score (0.00), whereas for TCP flood attacks: precision (53%) and F1-score (69%) In the second experiment, the CNN-LSTM model was used to detect botnet attacks from thermostat IoT devices, as shown in Table 7. We obtained the following points: (1) e CNN-LSTM model has achieved good performance in detecting all the attacks except TCP flood attacks; the performance of the proposed system was 100% with respect to precision, recall, and F1-score metrics (2) e proposed system achieved low performance, with precision 52% and F1-score 69%, in the detection of TCP flood attacks In the third experiment, we used a baby monitor (Philips B120N/10) IoT device dataset to examine the proposed system, as summarized in Table 8. We observed the following points: (1) e proposed system attained 100% performance in classifying most botnet attacks in terms of precision, recall, and F1-score metrics (2) e CNN-LSTM model demonstrated low performance in detection of Scan attacks precision (67%) and recall and F1-score (0.00), and TCP flood precision (54%) In the fourth experiment, we applied the CNN-LSTM system to detect botnet attacks from security camera devices (Provision PT-737E, Provision PT-838, Simple Home XCS7-1002-WHT, and Simple Home XCS7-1003-WHT), as shown in Table 9. We arrived at the following points: (1) e CNN-LSTM system obtained optimal results in detecting most of the attacks, with 100% precision, recall, and F1-score metrics (2) e proposed system shows low performance in detecting Scan and TCP flood attacks from security camera IoT devices  In the fifth experiments, we used dataset extract from webcam (Samsung SNH1011N) IoT devices to test our system; it is noted that the system obtained low performance in detecting scan attack with F1-score (0.00). Figure 24 displays receiver operating characteristic (ROC) curves for simulation results of the CNN-LSTM model for detecting botnet attacks. e ROC is used to measure the validation of the proposed system to detect botnets from IoT devices. e graphical representation (y-axis) is the recall metric for detecting ten attacks and benign traffic in nine different commercial devices; x-axis represents the specificity metric for detecting all botnet attacks.
Overall, the CNN-LSTM model has the ability to detect botnet attacks from different IoT devices with optimal performance. e proposed system showed low performance in detecting Scan and TCP flood attacks. Curve and confusion metrics are presented and proved the effectiveness and efficiency of the system to detect botnet attacks from nine commercial IoT devices, including the ten most serious attacks that infect the IoT environment.  Developing security system to detect the intrusion from IoT environment has played a pivotal role in protecting the IoT network. e CNN-LSTM deep learning algorithm was used to detect the botnet attacks. Table 11 summarizes CNN-LSTM model results against existing systems. ere are few studies that have used some datasets to detect the botnet attack from IoT network. During research, we have found one study that used some attacks but different dataset.
Soe et al. [45] applied three machine learning algorithms, namely, naïve Bayes, J48, and artificial neural network (ANN), to detect botnet attacks from IoT devices; the dataset was different but attacks are similar. is study has used  feature selection to improve the accuracy of the machine learning. In this study, we have examined the proposed system with IoT device datasets extracted from nine devices. We have considered the highest accuracy results to compare against existing systems. Overall, we observed that the proposed system shows better performance.

Conclusion
We developed a system based on a deep learning algorithm to reduce the risks that IoT devices face from DDoS attacks. (ii) e proposed system has achieved low accuracy in detecting Scan and TCP flood attacks in terms of evaluation metrics. (iii) e experimental results proved that the detection of botnet attacks depends on numerous training models rather than the type of IoT device. We believe that the proposed system based on CNN-LSTM can effectively enhance security in various types of IoT platforms by detecting botnet attacks. (iv) e CNN-LSTM model has accomplished high results in detecting most botnet attacks. (v) e main contribution of this study is to develop a framework by using advanced artificial intelligence to identify various unknown patterns from IoT devices to detect botnet attacks from various types of IoT devices effectively and efficiently. In the future, we will try to find ways to improve the detection of Scan and TCP flood attacks.

Conflicts of Interest
e authors declare no conflicts of interest.