Indonesian Journal of Electrical Engineering and Informatics (IJEEI) Vol. No. September 2025, pp. ISSN: 2089-3272. DOI: 10.52549/ijeei.

A Systematic Literature Review (SLR) of Mirai Botnet Compromise Detection in Internet of Things (IoT) Network

Ibukun Eweoya1, Funminiyi Olajide2, Jonathan Obed3, Christian Asante4
1,3 Department of Software Engineering, Babcock University, Nigeria
2 Centre for Cyber Security, Information Privacy, and Privacy, Penn State University, USA
4 Data, Technology & Information, NHS England, United Kingdom

ABSTRACT
Since its invention, the Mirai botnet has remained a significant concern in IoT network security. The botnet and its evolving variants are a major threat to professionals responsible for securing IoT infrastructures. The danger of the botnet is attributed to the fact that it has been used to execute numerous Distributed Denial of Service (DDoS) attacks on different network infrastructures in the past. Several researchers have proposed techniques for mitigating the effect of this botnet. This research systematically reviews existing detection techniques and evaluates how effective they are in mitigating Mirai botnet attacks between 2017 and 2024. Using the PRISMA methodology, 177 articles were initially identified from Scopus, Springer Link, IEEE Xplore, and Web of Science in order to broaden the scope of the review; 27 studies passed the inclusion criteria and were analyzed thereafter. Findings reveal a predominant reliance on AI-driven detection methods, such as LSTM and ensemble models, which demonstrate higher accuracy and scalability when compared to traditional techniques. This review also compares threat intelligence platforms like AlienVault, CrowdStrike, and Recorded Future to assess their contributions to dynamic detection. Finally, the study explores research gaps and proposes future directions for developing scalable real-time detection systems that integrate multi-source threat feeds.
Article history: Received Dec 12, 2024; Revised Jan 29, 2025; Accepted Aug 7, 2025
Keywords: Mirai botnet; IoT security; Threat intelligence; Detection techniques; Artificial Intelligence
Copyright © 2025 Institute of Advanced Engineering and Science. All rights reserved.
Corresponding Author: Ibukun Eweoya, Department of Software Engineering, Babcock University, Ilishan Remo, Ogun State, Nigeria. Email: eweoyai@babcock.
Journal homepage: http://section. com/index. php/IJEEI/index

INTRODUCTION
The Internet of Things (IoT) has revolutionized modern technology by interconnecting billions of devices worldwide, enabling seamless data sharing and automation across diverse industries. IoT is now widely recognized as a technology that will transform the future. However, this advancement has also introduced significant security vulnerabilities and a corresponding increase in cyber-attacks. For example, the increased adoption of cloud computing offers organizations many benefits, but at the same time exposes them to new cybersecurity concerns and to attacks such as Distributed Denial of Service (DDoS) and SQL injection. IoT devices with weak security configurations often become prime targets for cyber threats, particularly botnets like Mirai. The Mirai botnet first gained notoriety in 2016 and has since become notorious in the IoT industry for orchestrating large-scale DDoS attacks that can disrupt IoT infrastructures globally. Since then, its variants have evolved to exploit new vulnerabilities in IoT ecosystems.
These attacks highlight the urgent need for robust techniques to protect IoT networks. Despite progress, existing detection methods face challenges in scalability, computational demands, and adaptability to new variants. This study systematically reviews detection techniques for the Mirai botnet from 2018 to 2024. It explores the integration of threat intelligence feeds into IoT monitoring tools, identifies research gaps, and proposes future directions for modern and dynamic detection systems.

Rationale
The Mirai botnet exploits IoT devices with weak security configurations to carry out devastating attacks that continue to threaten the stability and security of IoT networks. Given its evolving architecture, detecting Mirai and its variants remains complex. Professionals face the challenge of identifying early infection indicators and implementing scalable detection systems. Notable public threat intelligence platforms report and offer real-time IoCs associated with Mirai, such as URLs, file hashes, IP addresses, domains and host names from different Mirai botnet pulses, which become highly relevant when developing detection systems. Notable progress is seen in the emerging adoption of AI to develop Mirai botnet detection systems, and as such this work systematically reviews previous studies on Mirai botnet detection and evaluates the feasibility of utilizing threat intelligence feeds for improved network monitoring. The review also aims to highlight strengths and limitations in current approaches and to give a direction for future research toward adaptive, AI-driven detection systems.

Objectives
The objectives of this research are to:
1. Explore existing detection techniques for the Mirai botnet in IoT networks.
2. Assess the integration of threat intelligence feeds into IoT monitoring tools.
3. Investigate available Mirai IoCs on AlienVault OTX to evaluate their utility in real-time detection.
4. Identify research gaps and recommend future research directions.
RESEARCH METHOD
A detailed search to retrieve accessible related literature to support this SLR was conducted in full compliance with the PRISMA 2020 guidelines. The literature search was conducted across multiple databases, including Scopus, Springer Link, IEEE Xplore, and Web of Science. The search covered articles published between January 2017 and July 2024 in peer-reviewed journals and written in English. Search keywords included: Mirai, IoT network, threat intelligence, and malware.

Eligibility Criteria
The first search to retrieve supporting literature returned a large result set that included articles, conference papers, book chapters, etc. After the first search, the results were screened thoroughly by the researchers, and only relevant articles that provided specific insights about Mirai detection were marked as eligible. To ensure that the screening was done properly, the "Population, Intervention, Comparison, Outcomes and Study design" (PICOS) framework was adopted. The blueprint for retaining and selecting relevant articles outlined by the PICOS framework established the inclusion and exclusion criteria.

Inclusion Criteria
1. Articles focusing on detection techniques for the Mirai botnet.
2. English-language publications from 2018 to 2024.
3. Studies discussing the integration of threat intelligence into IoT security systems.

Exclusion Criteria
1. Non-English publications.
2. Conference papers, book chapters, and reviews not centered on Mirai detection.
3. Studies that discussed botnets or malware in general and were not primarily about the Mirai botnet.

Information Sources
The procedure for retrieving related literature started with developing an advanced Scopus search query to find articles that contain or project the relevant keywords, and also searching the other databases. A total of 177 results were retrieved by the Scopus search query below and from the other databases:

TITLE-ABS-KEY ( ( mirai OR ( mirai AND ( based OR variant ) ) ) AND ( botnet* OR malware* ) AND ( compromise OR attack* OR threat* OR vulnerability ) AND ( detect* OR discovery ) AND ( network* ) ) AND PUBYEAR > 2017 AND PUBYEAR < 2025 AND ( LIMIT-TO ( SRCTYPE,"j" ) ) AND ( LIMIT-TO ( PUBSTAGE,"final" ) ) AND ( LIMIT-TO ( DOCTYPE,"ar" ) ) AND ( LIMIT-TO ( LANGUAGE,"English" ) )

The careful review of scholarly articles was done by the researchers, who used automated tools to speed up the selection process. The results of the initial search were exported and downloaded in RIS, CSV or PDF format. The exported search results were then uploaded to "HubMeta", and a check for duplicates was carried out. Once this step was completed, the titles were reviewed. After marking and excluding studies that were not relevant, the remaining articles were exported and uploaded to the "Mendeley reference manager" for easy retrieval of the full texts of the selected articles.

Figure 1. PRISMA flowchart
Figure 1 describes the procedure by which the 177 search results were carefully screened by the researchers.
IJEEI. Vol. No. September 2025: 750 - 757

Mirai Identification Techniques in IoT Networks
To ensure that this review is in-depth, it was important to study related works and identify the Mirai botnet detection techniques developed or proposed in these studies. There is significant advancement in adopting artificial intelligence models for Mirai compromise detection in IoT networks. The investigation also showed that some techniques proposed in related works, despite being novel, performed
The wide adoption of AI in this regard is a shift away from traditional approaches, where cybersecurity professionals had to perform rule-based network scans and investigations before Mirai IoCs were identified, as shown in Table 1.

Table 1. Summary of studies that passed inclusion criteria
Botnet | Detection technique
Mirai | Statistical hypothesis
Mirai | Federated Learning (FL)
Mirai | Adaptive online learning strategy
Mirai | Trusted Monitor (TM)
Mirai | ETM hardware tracer
Mirai | Malware distribution simulator
Mirai | RF algorithm
Mirai | Split-and-Merge
Mirai | Gotham testbed
Mirai | Hybrid detection model
Mirai | Machine learning based multi-class classifier
Mirai | Artificial Intelligence
Mirai | MicroVNF
Mirai | Artificial Neural Network model
Mirai | Network intrusion detection system applying an ensemble Machine Learning algorithm
Mirai | Collaborative threat intelligence sharing mechanism using Ethereum Virtual Machine and Hyperledger
Mirai | Supervised learning models
Mirai | BotMiner, BotProbe, and BotHunter
Mirai | IoTSecSim
Mirai | Imrc
Mirai | Long Short Term Memory (LSTM) and XGBoost
Mirai | MCELIECE
Mirai | Open-source analysis tools and QEMU
Mirai | IoT-Praetor
Mirai | Recurrent Neural Networks and Bidirectional Long Short Term Memory (BLRNN)
Mirai | Botnet Impact Estimation using Traffic Flow Features

Findings
Out of the 177 studies initially screened, 27 met the inclusion criteria and were selected for full-text review. Among these, approximately 65% adopted AI-driven detection approaches, including LSTM, Federated Learning (FL), and ensemble models. These approaches generally reported higher accuracy and scalability compared to traditional rule-based or anomaly detection models. The studies also demonstrated increasing interest in integrating threat intelligence feeds from platforms like AlienVault's OTX, Recorded Future, and CrowdStrike; these integrations were used to enhance detection pipelines with real-time Indicators of Compromise (IoCs). Table 1 summarizes the studies, including the techniques employed and the year of publication.
RESULTS AND DISCUSSION
A deeper analysis showed that several reviewed studies reported accuracy levels exceeding 90%, with LSTM-XGBoost hybrids achieving up to 98.4% accuracy. In terms of data sources, Bot-IoT and CICIDS2017 were the most commonly used datasets, although limitations in traffic realism and scope were observed. Notably, only a few studies validated their detection models in real-time or production-grade IoT environments, highlighting a gap between theoretical models and applied security solutions.

The integration of threat intelligence feeds, particularly from platforms like AlienVault OTX, Recorded Future, and CrowdStrike, emerged as a promising avenue. The open-source AlienVault OTX DirectConnect API, hosted on GitHub, for instance, allows researchers to programmatically access real-time IoCs through SDKs available in Python, Go, Java, and JavaScript. These tools facilitate automatic ingestion of threat data into detection pipelines, enabling faster response to Mirai-related threats. However, integration challenges remain. The OTX subscribed-pulses endpoint, for example, returns only the pulses an account has subscribed to, so researchers must subscribe to each relevant feed (individual public pulses can still be fetched by pulse ID), while neither Recorded Future nor CrowdStrike is open source. Furthermore, while an AlienVault OTX API subscription is free, it introduces operational limitations in scalability and coverage.

It is also important to contextualize these findings within the evolution of ML techniques from 2018 onward. Early studies often relied on simpler models with limited generalization capabilities. In contrast, recent works demonstrate a shift toward resource-optimized, distributed, and interpretable AI systems.

Taxonomy of Detection Techniques
The reviewed studies showed diverse detection methods. A taxonomy was developed to classify these methods into five main categories: signature-based, anomaly-based,
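The ingestion step described above, as an added example written for this review rather than code from any of the reviewed studies or from the OTX SDK itself. It uses the real OTX base URL, the real "X-OTX-API-KEY" header and the paginated subscribed-pulses endpoint, but every pulse, indicator and log event below is constructed (documentation IP ranges and example.org/.net names) so that it runs offline; the page loader is injectable so the same code can be pointed at the live API.

```python
"""Pull IoCs from AlienVault OTX pulses and match them against local connection logs.

Added example (not from the reviewed paper). It uses the real OTX endpoint and
auth header, but the pulses and log events below are constructed for offline use.
"""
import json
import urllib.request
from collections import defaultdict

OTX_BASE = "https://otx.alienvault.com/api/v1"


def fetch_subscribed_pulses(api_key, loader=None, limit=50):
    """Yield pulses from the paginated /pulses/subscribed endpoint.

    `loader(url)` must return the parsed JSON for one page; the default performs
    a real HTTPS request with the X-OTX-API-KEY header. Only pulses the account
    subscribes to are returned, so coverage depends on what was subscribed.
    """
    if loader is None:
        def loader(url):
            req = urllib.request.Request(url, headers={"X-OTX-API-KEY": api_key})
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
    url = f"{OTX_BASE}/pulses/subscribed?limit={limit}"
    while url:
        page = loader(url)
        yield from page.get("results", [])
        url = page.get("next")  # null on the last page


def build_ioc_index(pulses):
    """Index indicator values by OTX type, remembering which pulse supplied each."""
    index = defaultdict(dict)  # e.g. index["IPv4"]["203.0.113.7"] -> pulse name
    for pulse in pulses:
        for ioc in pulse.get("indicators", []):
            index[ioc["type"]][ioc["indicator"].strip().lower()] = pulse["name"]
    return index


def match_events(index, events):
    """Return events whose destination IP, domain or hostname is a known indicator."""
    hits = []
    for ev in events:
        name = ev.get("dst_name", "").lower()
        for ioc_type, value in (("IPv4", ev["dst_ip"]), ("domain", name), ("hostname", name)):
            pulse = index.get(ioc_type, {}).get(value)
            if pulse:
                hits.append({"src": ev["src"], "indicator": value, "type": ioc_type, "pulse": pulse})
    return hits


def sample_pages():
    """Two constructed API pages in the shape OTX returns; the IoCs are not real."""
    first_url = f"{OTX_BASE}/pulses/subscribed?limit=50"
    second_url = first_url + "&page=2"
    page1 = {"results": [{"name": "Constructed pulse A", "indicators": [
                 {"indicator": "203.0.113.7", "type": "IPv4"},
                 {"indicator": "loader.example.org", "type": "domain"}]}],
             "next": second_url}
    page2 = {"results": [{"name": "Constructed pulse B", "indicators": [
                 {"indicator": "c2.example.net", "type": "hostname"},
                 {"indicator": "0" * 64, "type": "FileHash-SHA256"}]}],
             "next": None}
    return {first_url: page1, second_url: page2}


SAMPLE_EVENTS = [  # constructed connection summaries (Zeek conn.log style fields)
    {"src": "10.0.0.5", "dst_ip": "203.0.113.7", "dport": 8080, "dst_name": ""},
    {"src": "10.0.0.9", "dst_ip": "198.51.100.2", "dport": 443, "dst_name": "cdn.example.com"},
    {"src": "10.0.0.5", "dst_ip": "198.51.100.9", "dport": 80, "dst_name": "Loader.Example.org"},
]


def run_offline():
    """End-to-end run against the constructed pages and events; returns the hits."""
    pages = sample_pages()
    pulses = list(fetch_subscribed_pulses("not-a-real-key", loader=pages.__getitem__))
    index = build_ioc_index(pulses)
    return match_events(index, SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_offline():
        print(f"{hit['src']} -> {hit['indicator']} ({hit['type']}) from pulse '{hit['pulse']}'")
```

Because `build_ioc_index` only needs a list of pulses with typed indicators, output from a second feed can be normalized into the same shape and merged into the same index, which is the multi-source arrangement the review argues for; the hit record keeps the pulse name so an analyst can trace each alert back to its feed.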
AI (ML)-based, hybrid systems, and threat intelligence-based detection, as shown in Table 2.

Table 2. Taxonomy of Mirai Botnet Detection Techniques
Category | Description | Examples | Strengths | Limitation
Signature-based | Works by detecting known patterns in network traffic | Snort, Suricata | Fast, simple, accurate for known attacks | Ineffective against unknown variants
Anomaly-based | Works by detecting deviations from normal behaviour | BotHunter, Bro IDS | Detects zero-day attacks | Quite prone to false positives
AI (ML)-based | Learns patterns using labeled datasets | LSTM, RF, FL, XGBoost | High accuracy, adaptable | Needs large data, low transparency
Hybrid | Combines ML, signatures, and heuristics | AI + threat intelligence, anomaly + signature | Balanced detection | Complex to build and train
Multi-Threat Intelligence Integration | Uses threat intelligence feeds (IoCs) | AlienVault OTX, Recorded Future | Real-time detection | Dependent on feed

Performance of Detection Models from Reviewed Studies
Selected studies from the review were evaluated, and the performance metrics of the proposed AI-based detection models are discussed in Table 3 and Figure 2:

Table 3. Performance Summary of AI-Based Detection Models
Model Type | Accuracy (%) | Dataset Used | Summary
LSTM + XGBoost | 98.4 | Bot-IoT | High precision, long training time
 | | N-BaIoT | Lightweight and distributed
Ensemble Model | | CICIDS2017 | Balanced recall and
ANN | | Bot-IoT | Good baseline but less
 | | Bot-IoT | Quick training, but prone to

Figure 2. Comparative Accuracy of Selected Detection Models

Threat Intelligence Platform Comparison
Threat intelligence feeds play a crucial role in enhancing the responsiveness of detection techniques. Table 4 compares three widely referenced platforms in the reviewed literature.

Table 4. Comparison of Threat Intelligence Platforms
Platform | Open Source | Real-Time IoCs | API Access
AlienVault OTX | Yes | Yes | Public
Recorded Future | No (Commercial, no open SDK) | Yes | Paid
CrowdStrike | No (Enterprise-only access) | Yes | Paid
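To make the signature-based, anomaly-based and hybrid rows of Table 2 concrete, the following is an added example written for this review, not code from any reviewed study or tool. The signature is a subset of the username/password dictionary hard-coded in the publicly released Mirai scanner source; the behavioural rule is Mirai's characteristic SYN fan-out to TCP 23 and 2323. The 60-second window, the fan-out threshold of 20, the record layouts and all traffic are constructed assumptions, and the verdict logic (both signals together are "mirai-like", one alone is "suspicious") is a design choice for illustration.

```python
"""Hybrid Mirai-style detector over constructed flow and telnet-auth records.

Added example (not from the reviewed paper): a signature rule (known Mirai
scanner credentials) combined with a behavioural rule (telnet SYN fan-out).
"""
from collections import defaultdict

# Subset of the credential dictionary in the public Mirai scanner source.
MIRAI_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("admin", "password"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("ubnt", "ubnt"), ("root", "Zte521"),
}
TELNET_PORTS = {23, 2323}   # Mirai's scanner targets both
WINDOW = 60                 # seconds; assumed tuning value
FANOUT_THRESHOLD = 20       # distinct telnet targets per window; assumed tuning value


def telnet_fanout(flows, window=WINDOW):
    """For each source, the largest number of distinct hosts it sent telnet SYNs
    to within any sliding window of `window` seconds (the scanning signal)."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] in TELNET_PORTS and f["flags"] == "S":
            by_src[f["src"]].append((f["ts"], f["dst"]))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        result[src] = best
    return result


def credential_hits(auth_attempts):
    """Count, per source, telnet logins that used a pair from the Mirai dictionary."""
    hits = defaultdict(int)
    for a in auth_attempts:
        if (a["user"], a["password"]) in MIRAI_CREDS:
            hits[a["src"]] += 1
    return dict(hits)


def classify(flows, auth_attempts, fanout_threshold=FANOUT_THRESHOLD):
    """Hybrid verdict per source. A lone dictionary hit is only 'suspicious'
    because pairs like admin/admin are also legitimate vendor defaults."""
    fanout = telnet_fanout(flows)
    creds = credential_hits(auth_attempts)
    verdicts = {}
    for src in set(fanout) | set(creds):
        scanning = fanout.get(src, 0) >= fanout_threshold
        brute = creds.get(src, 0) > 0
        if scanning and brute:
            verdicts[src] = "mirai-like"
        elif scanning or brute:
            verdicts[src] = "suspicious"
        else:
            verdicts[src] = "benign"
    return verdicts


def sample_data():
    """Constructed traffic (not from Bot-IoT or any dataset): one infected device
    sweeping 30 hosts on 23/2323, one admin logging in normally, one default-cred login."""
    flows = [{"ts": 1000 + i, "src": "10.0.0.5", "dst": f"203.0.113.{i}",
              "dport": 23 if i % 10 else 2323, "flags": "S"} for i in range(1, 31)]
    flows.append({"ts": 1005, "src": "10.0.0.9", "dst": "10.0.0.20", "dport": 23, "flags": "S"})
    auths = [
        {"src": "10.0.0.5", "user": "root", "password": "xc3511"},
        {"src": "10.0.0.5", "user": "root", "password": "vizxv"},
        {"src": "10.0.0.9", "user": "admin", "password": "S3cure!pass"},  # not in dictionary
        {"src": "10.0.0.7", "user": "admin", "password": "admin"},        # default creds, no scan
    ]
    return flows, auths


if __name__ == "__main__":
    for src, verdict in sorted(classify(*sample_data()).items()):
        print(f"{src}: {verdict}")
```

The fan-out rule is what a signature cannot give (it fires on a new variant with a changed credential list), and the credential rule is what anomaly detection cannot give (a confident attribution when it fires); combining them is the "anomaly + signature" hybrid of Table 2, and the threshold and window are the parameters that would need tuning against real baseline traffic before deployment.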
Overall, the results support the viability of a multi-source, threat-intelligence-driven detection method, and call for future efforts to bridge the gap between academic proposals and deployable cybersecurity solutions for IoT environments.

CONCLUSION AND FUTURE DIRECTIONS
Numerous threat detection techniques exist, as reflected in this review. This review has also showcased the advancements in adopting AI techniques for Mirai detection. However, the challenges of real-time adaptability and multi-platform integration remain unresolved, which makes the development of a Mirai detection technique that integrates multiple threat intelligence sources a timely direction. Future research should focus on developing scalable frameworks that dynamically incorporate IoCs from multiple threat intelligence platforms.

REFERENCES