The use of Internet of Things (IoT) devices has experienced an increase since its inception and is expected to continue to do so. However, this growth has also attracted individuals with malicious intentions. Botnet attacks on IoT devices have become more potent each year, exploiting new vulnerabilities and attacking more devices. Therefore, it is imperative to improve countermeasures. N-BaIoT is a frequently used dataset that covers botnet attacks in various stages of the botnet life cycle. Nevertheless, when examining the state-of-the-art utilizing the dataset, there are certain limitations that need to be addressed.

One limitation is the lack of detailed feature analysis in most studies. This results in less comprehension of the behavior of the malicious and benign data in the dataset, leading to a lack of feature optimization. Feature optimization is crucial as it improves the computational time of the model and makes it efficient to deploy in real-life applications. Another limitation is the uneven distribution of the malicious and benign data, resulting in unreliable evaluation scores. This issue has not been addressed in many studies.

The main contribution of this thesis is the development of a hybrid ensemble model to detect IoT botnet attacks faster and accurately. Additionally, the aim of this study is to provide a clear analysis of the behavior of the malicious and benign data and optimize the number of selected features. In the hybrid ensemble model, a minimal number of features will be utilized to evaluate performance. The comparison will be achieved by taking into account both the unbalanced and balanced datasets used for training and testing. By considering both datasets, the limitation of the distribution can be highlighted by examining the distinct performance of each dataset, making the comparison extensive and reliable.

The results indicate that the selected features and detection models proposed in this research outperform those of other studies. In both cases using the balanced and unbalanced sets, the performance score and computational time are improved. In addition, this is achieved by using fewer features compared to several studies.

Intermax Cloudsourcing B.V. designs, implements and manages critical IT-infrastructures for Dutch clients from the medical, public and financial sectors. The information that passes over these IT-infrastructures is highly confidential and privacy-sensitive, therefore it is essential that these infrastructures are secure. To improve the security of their infrastructure, Intermax is developing a Security Operations Center (SOC) which is fed by information from an optical tap which is placed on one of Intermax's core routers. The goal of this project was to extend the SOC with a REST API that analyses and classifies SSL certificates to filter malicious network data. This REST API makes use of models, so in addition to the REST API itself, a Neural Network Framework has been built to create these models. The framework can be used for different sorts of network data, but for this project, a proof of concept using SSL certificates was worked out to provide Intermax with a working product. The SOC is being built upon the security analytics framework Apache Metron and the REST API will be incorporated using Metron's Model as a Service functionality. Apache Metron sends individual data packets to the REST API, which analyses the data packet and returns whether the packet is malicious or not with a certain accuracy. This analysis takes roughly 1 millisecond and is independent from other data packets. This allows Apache Metron to spawn multiple instances of the REST API, making the solution fast and scalable. The Neural Network Framework runs completely separate from Apache Metron and the REST API. A user can configure, train and test a neural network using the framework and their own dataset. The neural network can be stored on a storage medium. Consequently, the REST API can import and apply the neural network on incoming data.