Sudheera, Kalupahana Liyanage KushanPriyashan, Lokuge Lehele Gedara MadhuwanthaPavithra, Oruthota Arachchige SanduniAththanayake, Malwaththe Widanalage TharinduSudasinghe, Piyumi BhagyaSankalpa, Wijethunga Gamage Chatum AlojSandamali, Gammana Guruge NadeeshaChong, Peter Han Joo2026-03-102026-03-102026-03-02Sensors, ISSN: 1424-8220 (Online), MDPI AG, 26(5), 1573-1573. doi: 10.3390/s260515731424-8220http://hdl.handle.net/10292/20744<jats:p>Botnet attacks in Internet of Things (IoT) environments often occur as multi-stage campaigns, making early and reliable detection difficult across distributed and privacy-sensitive networks. Centralized detection approaches are often limited by heterogeneous traffic characteristics, severe data imbalance, and the need to aggregate large volumes of raw network data, raising scalability and privacy concerns. To address these challenges, this paper proposes FDA, a federated learning-based and data mining-driven framework for stage-aware botnet attack detection in IoT networks. FDA operates at network gateways, where anomalous traffic is first detected and then abstracted into compact and interpretable patterns using Frequent Itemset Mining (FIM). This pattern-based representation reduces noise and local traffic bias, enabling more robust learning across different IoT networks. Lightweight neural network models are trained locally at gateways, and a global model is learned through federated aggregation of model parameters, avoiding direct sharing of raw network data while enabling gateways to collaboratively learn evolving attack patterns across different IoT networks. Experimental results show that FDA achieves anomaly detection F1-scores above 99% across all gateways and multi-stage botnet attack classification F1-scores in the range of 48–49%, which are comparable to centralized machine-learning baselines while operating under decentralized and privacy-preserving constraints. Overall, FDA provides a practical, privacy-preserving, and effective solution for distributed botnet attack stage detection in real-world IoT deployments.</jats:p>© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.0301 Analytical Chemistry0502 Environmental Science and Management0602 Ecology0805 Distributed Computing0906 Electrical and Electronic EngineeringAnalytical Chemistry3103 Ecology4008 Electrical engineering4009 Electronics, sensors and digital hardware4104 Environmental management4606 Distributed computing and systems softwarebotnet attackcyber-securitydata miningfederated learninginternet of thingsmachine learningJournal ArticleOpenAccess10.3390/s26051573