Hybrid GNN–LSTM Architecture for Probabilistic IoT Botnet Detection with Calibrated Risk Assessment

Babenko T. Kolesnikova K. Bakhtiyarova Y. Yeskendirova D. Sansyzbay K. Sysoyev A. Kruchinin O.
January 2026 Multidisciplinary Digital Publishing Institute (MDPI)

Computers
2026 #15 Issue 1

Detecting botnets in IoT environments is difficult because most intrusion detection systems treat network events as independent observations. In practice, infections spread through device relationships and evolve through distinct temporal phases. A system that ignores either aspect will miss important patterns. This paper explores a hybrid architecture combining Graph Neural Networks with Long Short-Term Memory networks to capture both structural and temporal dynamics. The GNN component models behavioral similarity between traffic flows in feature space, while the LSTM tracks how patterns change as attacks progress. The two components are trained jointly so that relational context is preserved during temporal learning. We evaluated the approach on two datasets with different characteristics. N-BaIoT contains traffic from nine devices infected with Mirai and BASHLITE, while CICIoT2023 covers 105 devices across 33 attack types. On N-BaIoT, the model achieved 99.88% accuracy with F1 of 0.9988 and Brier score of 0.0015. Cross-validation on CICIoT2023 yielded 99.73% accuracy with Brier score of 0.0030. The low Brier scores suggest that probability outputs are reasonably well calibrated for risk-based decision making. Consistent performance across both datasets provides some evidence that the architecture generalizes beyond a single benchmark setting.

anomaly detection , botnet detection , cybersecurity , graph neural network (GNN) , hybrid deep learning , internet of things (IoT) , IoT traffic analysis , long short-term memory (LSTM) , probabilistic classification , risk calibration

Text of the article Перейти на текст статьи

Department of Cybersecurity, International Information Technologies University, Almaty, 050040, Kazakhstan
Department of Information Systems, International Information Technologies University, Almaty, 050040, Kazakhstan
Department of Radio Engineering, Electronics and Telecommunications, International Information Technologies University, Almaty, 050040, Kazakhstan
Department of Information Security and Telecommunications, Dnipro University of Technology, Dnipro, 49005, Ukraine

Department of Cybersecurity
Department of Information Systems
Department of Radio Engineering
Department of Information Security and Telecommunications

10 лет помогаем публиковать статьи Международный издатель

Книга Публикация научной статьи Волощук 2026 Book Publication of a scientific article 2026