🤖 AI Summary
Traditional IoT botnet detection models neglect inter-sample dependencies, while graph neural networks (GNNs) incur high computational overhead in graph construction. Method: This paper proposes a “dimensionality reduction first, then graph construction” framework: NetFlow features are compressed via VAE, Autoencoder, or PCA, followed by instance-level graph construction where each node represents a network flow instance; the resulting graph is processed by a Graph Attention Network (GAT) to jointly model long-range feature dependencies and cross-instance relationships. Contribution/Results: We present the first systematic evaluation of how different dimensionality reduction strategies affect GAT performance for botnet detection—explicitly breaking the independent-sample assumption. On an IoT botnet dataset, VAE+GAT achieves 99.2% accuracy, outperforming the independent-sample baseline by 4.7% and reducing graph size by 62%, thereby significantly lowering computational cost.
📝 Abstract
With the rise of IoT-based botnet attacks, researchers have explored various learning models for detection, including traditional machine learning, deep learning, and hybrid approaches. A key advancement involves deploying attention mechanisms to capture long-term dependencies among features, significantly improving detection accuracy. However, most models treat attack instances independently, overlooking inter-instance relationships. Graph Neural Networks (GNNs) address this limitation by learning an embedding space via iterative message passing, where similar instances are placed closer together based on node features and relationships, enhancing classification performance. To further improve detection, attention mechanisms have been embedded within GNNs, leveraging both long-range dependencies and inter-instance connections. However, transforming high-dimensional IoT attack datasets into graph-structured datasets poses challenges, such as large graph structures leading to computational overhead. To mitigate this, this paper proposes a framework that first reduces the dimensionality of the NetFlow-based IoT attack dataset before transforming it into a graph dataset. We evaluate three dimension reduction techniques--Variational Autoencoder (VAE-encoder), classical autoencoder (AE-encoder), and Principal Component Analysis (PCA)--and compare their effects on a Graph Attention neural network (GAT) model for botnet attack detection.
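The "reduce first, then build the graph" pipeline described above, sketched as an added example that is not the paper's code. Assumptions: PCA stands in for the three reducers, edges come from k-nearest neighbours (the abstract does not say how edges are formed), the GAT weights are random and untrained, and the flow records are synthetic.

```python
import numpy as np

def pca_reduce(X, d):
    """Project rows of X onto the top-d principal components (via SVD)."""
    Xc = X - X.mean(axis=0)
    _, _, Vt = np.linalg.svd(Xc, full_matrices=False)
    return Xc @ Vt[:d].T

def knn_adjacency(Z, k):
    """Instance-level graph: each flow is a node linked to its k nearest flows.
    kNN edges are an assumption made for this example."""
    d2 = ((Z[:, None, :] - Z[None, :, :]) ** 2).sum(-1)
    np.fill_diagonal(d2, np.inf)                 # a node is not its own neighbour
    nbrs = np.argsort(d2, axis=1)[:, :k]
    A = np.zeros(d2.shape, dtype=bool)
    A[np.arange(len(Z))[:, None], nbrs] = True
    return A | np.eye(len(Z), dtype=bool)        # add self-loops, as GAT does

def gat_layer(Z, A, W, a, slope=0.2):
    """Single-head GAT layer: e_ij = LeakyReLU(a^T [W z_i || W z_j]),
    softmax over each node's neighbours, then weighted aggregation."""
    H = Z @ W
    f = W.shape[1]
    e = (H @ a[:f])[:, None] + (H @ a[f:])[None, :]
    e = np.where(e > 0, e, slope * e)            # LeakyReLU
    e = np.where(A, e, -np.inf)                  # mask non-edges
    e = e - e.max(axis=1, keepdims=True)         # numerically stable softmax
    alpha = np.exp(e)
    alpha /= alpha.sum(axis=1, keepdims=True)
    return alpha @ H, alpha

def demo(n=60, n_features=40, d=8, k=5, seed=0):
    rng = np.random.default_rng(seed)
    # Constructed stand-in for NetFlow records: two clusters (benign / bot).
    labels = np.repeat([0, 1], n // 2)
    X = rng.normal(size=(n, n_features)) + 3.0 * labels[:, None]
    Z = pca_reduce(X, d)                         # 40 features -> 8
    A = knn_adjacency(Z, k)
    W = rng.normal(size=(d, 4))                  # untrained weights (assumption)
    a = rng.normal(size=8)
    H, alpha = gat_layer(Z, A, W, a)
    same = labels[:, None] == labels[None, :]
    homophily = (A & same).sum() / A.sum()       # share of same-class edges
    return Z, A, H, alpha, homophily
```

The pairwise-distance step in `knn_adjacency` scales with the feature dimension, which is where reducing dimensionality before graph construction saves work.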