The swift expansion of Internet of Things (IoT) technology has markedly heightened cybersecurity threats, especially Distributed Denial-of-Service (DDoS) assaults executed via IoT botnets. Conventional Intrusion Detection Systems (IDS) predominantly concentrate on the examination of inbound traffic, limiting their capability to proactively identify compromised internal devices through abnormal outbound communication patterns. To address this gap, this paper presents an explainable machine learning architecture that uniquely combines outbound traffic analysis with SHapley Additive exPlanations (SHAP) based interpretability for IoT botnet DDoS detection, a combination not simultaneously addressed in prior work. The framework was evaluated using the IoT-23 dataset, comprising four IoT botnet scenarios and 50,000 network flow records. Random Forest, XGBoost, and ensemble models were assessed using Accuracy, Precision, Recall, F1-Score, AUC-ROC, and Stratified K-Fold Cross-Validation. Experimental results demonstrated that Random Forest achieved the best performance with approximately 97.5% accuracy, while XGBoost and ensemble models also produced consistently high classification results. SHAP analysis further identified orig_ip_bytes, proto_state_interaction, and orig_pkts_per_sec as the most influential indicators of IoT botnet outbound traffic behavior. Unlike previous studies that target inbound traffic or omit explainability, the proposed framework provides both early detection of compromised IoT devices and transparent decision support for cybersecurity analysts, making it more operationally relevant for real-world deployment. Nevertheless, this study remains limited to offline evaluation using a single benchmark dataset, suggesting the need for future real-time implementation and broader network environment evaluation.
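As an added illustration that is not code from the paper, the following derives the three outbound-traffic features the abstract names from a constructed subset of Zeek conn.log columns (the IoT-23 flow format), keeping only flows that leave a monitored internal network. The exact definition of proto_state_interaction and the handling of zero-duration flows are assumptions, since the abstract does not specify them.

```python
import ipaddress
from typing import Dict, List

# Column subset of a Zeek conn.log, in the order used by the constructed sample below.
COLUMNS = ["ts", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
           "proto", "conn_state", "duration", "orig_pkts", "orig_ip_bytes"]

# Constructed sample: two unanswered outbound telnet probes from one internal host
# (conn_state S0, no measured duration) and one ordinary inbound HTTPS flow.
SAMPLE_CONN_LOG = (
    "1.0\t192.168.1.20\t45678\t203.0.113.9\t23\ttcp\tS0\t-\t1\t60\n"
    "1.2\t192.168.1.20\t45679\t203.0.113.10\t23\ttcp\tS0\t-\t1\t60\n"
    "2.0\t198.51.100.7\t51000\t192.168.1.5\t443\ttcp\tSF\t0.8\t12\t2400\n"
)

def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated records into dicts; '#' lines are Zeek headers and are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(COLUMNS, line.split("\t"))))
    return rows

def is_outbound(rec: Dict[str, str], internal_nets) -> bool:
    """Outbound = originator inside a monitored network and responder outside all of them."""
    orig = ipaddress.ip_address(rec["id.orig_h"])
    resp = ipaddress.ip_address(rec["id.resp_h"])
    return any(orig in n for n in internal_nets) and not any(resp in n for n in internal_nets)

def derive_features(rec: Dict[str, str]) -> Dict[str, object]:
    """Compute the three features the abstract reports as most influential."""
    duration = 0.0 if rec["duration"] == "-" else float(rec["duration"])
    pkts = int(rec["orig_pkts"])
    # Assumption: a flow with no measured duration (e.g. a single unanswered SYN)
    # is rated over a one-second window instead of dividing by zero.
    rate = pkts / duration if duration > 0 else float(pkts)
    return {
        "orig_ip_bytes": int(rec["orig_ip_bytes"]),
        "orig_pkts_per_sec": rate,
        # Assumption: the interaction feature is the protocol/connection-state pair.
        "proto_state_interaction": f'{rec["proto"]}_{rec["conn_state"]}',
    }

def outbound_features(text: str, internal_cidrs: List[str]) -> List[Dict[str, object]]:
    """Feature rows for outbound flows only, tagged with the internal originating host."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    return [{"host": r["id.orig_h"], **derive_features(r)}
            for r in parse_conn_log(text) if is_outbound(r, nets)]
```

The resulting rows are the per-flow inputs a classifier such as the paper's Random Forest would consume; grouping them by `host` is what lets an analyst point at a specific internal device rather than an inbound stream.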
Copyrights © 2026