Bruno Miller,Xihui Zhang

DOI: https://doi.org/10.48009/3_iis_2020_168-178

2020-01-01

Issues in Information Systems

Abstract:As the Internet of Things (IoT) becomes ubiquitous and cybersecurity attacks rapidly evolve, IoT devices must be secured.Their infection can lead to compromised networks, stolen information, service disruptions, and botnet attacks.Botnet attacks, such as Distributed Denial of Service (DDoS), strengthen with larger numbers of devices and IoT devices make great targets for this reason.As IoT devices grow in number, the strength and risk of these massive attacks grow.Infamous botnet attacks, such as Mirai, have proven this to be a serious threat.IoT security faces unique challenges including detection difficulties, device limitations, and user attitudes and education.This paper reviews and analyzes 21 articles providing information on tools and techniques for securing IoT devices against these threats.A multi-layer approach to IoT-botnet detection and prevention is suggested consisting of: the outer layer consisting of ISP architecture; the middle layer consisting of advanced detection methods and DDoS detection and mitigation; and the inner layer consisting of user attitudes, education, and security best practices.By addressing security challenges at multiple points along the botnet lifecycle and within each layer, our proposed approach provides a holistic strategy for detecting and preventing botnet attacks.

Morteza Safaei Pour,Antonio Mangino,Kurt Friday,Matthias Rathbun,Elias Bou-Harb,Farkhund Iqbal,Sagar Samtani,Jorge Crichigno,Nasir Ghani

DOI: https://doi.org/10.1016/j.cose.2019.101707

2020-04-01

Abstract:The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructures. The highly heterogeneous nature of IoT devices and their widespread deployments has led to the rise of several key security and measurement-based challenges, significantly crippling the process of collecting, analyzing and correlating IoT-centric data. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomena. The proposed work aims to classify and infer Internet-scale compromised IoT devices by solely observing one-way network traffic, while also uncovering, reporting and thoroughly analyzing "in the wild" IoT botnets. To prepare a relevant dataset, a novel probabilistic model is developed to cleanse unrelated traffic by removing noise samples (i.e., misconfigured network traffic). Subsequently, several shallow and deep learning models are evaluated in an effort to train an effective multi-window convolutional neural network. By leveraging active and passing measurements when generating the training dataset, the neural network aims to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is employed by scrutinizing a set of innovative and efficient network feature sets. Analyzing 3.6 TB of recently captured darknet traffic revealed a momentous 440,000 compromised IoT devices and generated evidence-based artifacts related to 350 IoT botnets. Moreover, by conducting thorough analysis of such inferred campaigns, we reveal their scanning behaviors, packet inter-arrival times, employed rates and geo-distributions. Although several campaigns exhibit significant differences in these aspects, some are more distinguishable; by being limited to specific geo-locations or by executing scans on random ports besides their core targets. While many of the inferred botnets belong to previously documented campaigns such as Hide and Seek, Hajime and Fbot, newly discovered events portray the evolving nature of such IoT threat phenomena by demonstrating growing cryptojacking capabilities or by targeting industrial control services. To motivate empirical (and operational) IoT cyber security initiatives as well as aid in reproducibility of the obtained results, we make the source codes of all the developed methods and techniques available to the research community at large.

computer science, information systems

Abdelaziz Amara korba,Aleddine Diaf,Yacine Ghamri-Doudane

2024-07-22

Abstract:In the rapidly evolving landscape of cyber threats targeting the Internet of Things (IoT) ecosystem, and in light of the surge in botnet-driven Distributed Denial of Service (DDoS) and brute force attacks, this study focuses on the early detection of IoT bots. It specifically addresses the detection of stealth bot communication that precedes and orchestrates attacks. This study proposes a comprehensive methodology for analyzing IoT network traffic, including considerations for both unidirectional and bidirectional flow, as well as packet formats. It explores a wide spectrum of network features critical for representing network traffic and characterizing benign IoT traffic patterns effectively. Moreover, it delves into the modeling of traffic using various semi-supervised learning techniques. Through extensive experimentation with the IoT-23 dataset - a comprehensive collection featuring diverse botnet types and traffic scenarios - we have demonstrated the feasibility of detecting botnet traffic corresponding to different operations and types of bots, specifically focusing on stealth command and control (C2) communications. The results obtained have demonstrated the feasibility of identifying C2 communication with a 100% success rate through packet-based methods and 94% via flow based approaches, with a false positive rate of 1.53%.

Cryptography and Security,Artificial Intelligence

Huy-Trung Nguyen,Quoc-Dung Ngo,Van-Hoang Le

DOI: https://doi.org/10.1007/s10207-019-00475-6

2019-10-23

International Journal of Information Security

Abstract:The Internet of things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. These IoT devices can communicate with others over the Internet and fully integrate into people's daily life. In recent years, IoT devices still suffer from basic security vulnerabilities making them vulnerable to a variety of threats and malware, especially IoT botnets. Unlike common malware on desktop personal computer and Android, heterogeneous processor architecture issue on IoT devices brings various challenges for researchers. Many studies take advantages of well-known dynamic or static analysis for detecting and classifying botnet on IoT devices. However, almost studies yet cannot address the multi-architecture issue and consume vast computing resources for analyzing. In this paper, we propose a lightweight method for detecting IoT botnet, which based on extracting high-level features from function–call graphs, called PSI-Graph, for each executable file. This feature shows the effectiveness when dealing with the multi-architecture problem while avoiding the complexity of control flow graph analysis that is used by most of the existing methods. The experimental results show that the proposed method achieves an accuracy of 98.7%, with the dataset of 11,200 ELF files consisting of 7199 IoT botnet samples and 4001 benign samples. Additionally, a comparative study with other existing methods demonstrates that our approach delivers better outcome. Lastly, we make the source code of this work available to Github.

Zhou Shao,Sha Yuan,Yongli Wang

DOI: https://doi.org/10.1016/j.ins.2021.05.076

IF: 8.1

2021-01-01

Information Sciences

Abstract:With the number of Internet of Things (IoT) devices proliferating, the traffic volume of IoT-based attacks has shown a gradually increasing trend. The IoT botnet attack, which aims to commit real, efficient, and profitable cybercrimes, has become one of the most severe IoT threats. Applying traditional techniques to IoT is difficult due to its particular characteristics, such as resource-constrained devices, massive volumes of data, and real-time requirements. In this paper, we explore an adaptive online learning strategy for real-time IoT botnet attack detection. Furthermore, we operate the proposed adaptive strategy in conjunction with online ensemble learning. To evaluate the proposed strategy, we use real IoT traffic data, including benign traffic data and botnet traffic data infected by Mirai. In real-time IoT botnet attack detection, our experimental results demonstrate that the proposed adaptive online learning strategy achieves remarkable performance.

Rongrong Jiang,Zhengqiu Weng,Lili Shi,Erxuan Weng,Hongmei Li,Weiqiang Wang,Tiantian Zhu,Wuzhao Li

DOI: https://doi.org/10.1002/cpe.8258

2024-08-17

Concurrency and Computation Practice and Experience

Abstract:Summary With the development of the Internet of Things (IoT), the number of terminal devices is rapidly growing and at the same time, their security is facing serious challenges. For the industrial control system, there are challenges in detecting and preventing botnet. Traditional detection methods focus on capturing and reverse analyzing the botnet programs first and then parsing the extracted features from the malicious code or attacks. However, their accuracy is very low and their latency is relatively high. Moreover, they sometimes even cannot recognize the unknown botnets. The machine learning based detection methods rely on manual feature engineering and have a weak generalization. The deep learning‐based methods mostly rely on the system log, which does not take into account the multisource information such as traffic. To address the above issues, from the perspective of the botnet features, this paper proposes an intelligent detection method over parallel CNN‐LSTM, integrating the spatial and temporal features to identify botnets. Experimental demonstrate that the accuracy, recall, and F1‐score of our proposed method achieve up to over 98%, and the precision, 97.8%, is not the highest but reasonable. It reveals compared with the existing start‐of‐the‐art methods, our proposed method outperforms in the botnet detection. Our methodology's strength lies in its ability to harness the multifaceted information present in IoT traffic, offering a more nuanced and comprehensive analysis. The parallel CNN‐LSTM architecture ensures that spatial and temporal data are processed concurrently, preserving the integrity of the information and enabling a more robust detection mechanism. The result is a detection system that not only performs exceptionally well in a controlled environment but also holds promise for real‐world application, where the rapid and accurate identification of botnets is paramount.

computer science, theory & methods, software engineering

Majda Wazzan,Daniyal Algazzawi,Aiiad Albeshri,Syed Hasan,Osama Rabie,Muhammad Zubair Asghar

DOI: https://doi.org/10.3390/s22103895

2022-05-20

Abstract:In recent times, organisations in a variety of businesses, such as healthcare, education, and others, have been using the Internet of Things (IoT) to produce more competent and improved services. The widespread use of IoT devices makes our lives easier. On the other hand, the IoT devices that we use suffer vulnerabilities that may impact our lives. These unsafe devices accelerate and ease cybersecurity attacks, specifically when using a botnet. Moreover, restrictions on IoT device resources, such as limitations in power consumption and the central processing unit and memory, intensify this issue because they limit the security techniques that can be used to protect IoT devices. Fortunately, botnets go through different stages before they can start attacks, and they can be detected in the early stage. This research paper proposes a framework focusing on detecting an IoT botnet in the early stage. An empirical experiment was conducted to investigate the behaviour of the early stage of the botnet, and then a baseline machine learning model was implemented for early detection. Furthermore, the authors developed an effective detection method, namely, Cross CNN_LSTM, to detect the IoT botnet based on using fusion deep learning models of a convolutional neural network (CNN) and long short-term memory (LSTM). According to the conducted experiments, the results show that the suggested model is accurate and outperforms some of the state-of-the-art methods, and it achieves 99.7 accuracy. Finally, the authors developed a kill chain model to prevent IoT botnet attacks in the early stage.

Ahsan Nazir,Jingsha He,Nafei Zhu,Ahsan Wajahat,Xiangjun Ma,Faheem Ullah,Sirajuddin Qureshi,Muhammad Salman Pathan

DOI: https://doi.org/10.1016/j.jksuci.2023.101820

2023-01-01

Abstract:The Internet of Things (IoT) has transformed many aspects of modern life, from healthcare and transportation to home automation and industrial control systems. However, the increasing number of connected devices has also led to an increase in security threats, particularly from botnets. To mitigate these threats, various machine learning (ML) and deep learning (DL) techniques have been proposed for IoT botnet attack detection. This systematic review aims to identify the most effective ML and DL techniques for detecting IoT botnets by delving into benchmark datasets, evaluation metrics, and data pre-processing techniques in detail. A comprehensive search was conducted in multiple databases for primary studies published between 2018 and 2023. Studies were included if they reported the use of ML or DL techniques for IoT botnet detection. After screening 1,567 records, 25 studies were included in the final review. The findings suggest that ML and DL techniques show promising results in detecting IoT botnet attacks, outperforming traditional signature-based methods. However, the effectiveness of the techniques varied depending on the dataset, features, and evaluation metrics used. Based on the synthesis of the findings, this review proposes a taxonomy for ML and DL techniques in IoT botnet attack detection and provides recommendations for future research in this area. This review illuminates the considerable potential of ML and DL approaches in bolstering the detection of IoT botnet attacks, thereby offering valuable insights to researchers involved in the domain of IoT security.

Hongyu Yang,Zelin Wang,Liang Zhang,Xiang Cheng

DOI: https://doi.org/10.1002/int.23074

IF: 8.993

2022-01-01

International Journal of Intelligent Systems

Abstract:The existing botnet detection methods have the problems of uneven sampling, poor feature selection, and weak generalization ability, resulting in low detection and classification results and poor adaptability to the internet of things (IoT) environment with limited computing and storage resources. This paper proposes an IoT botnet detection method using feature reconstruction and interval optimization to solve the above problems. Through the designed address triple and time window-based IP aggregation and feature reconstruction method (ATTW-IP-FR), the network traffic samples obtained from the IoT gateway are integrated, and the flow features are reconstructed to attain the reconstructed sample set. The proposed self-corrected hybrid weighted sampling algorithm balances the normal and botnet flow samples in the reconstructed sample set to get the resampling sample set. The introduced multiattribute decision-making and adjacency relation chain-based sequential forward selection algorithm is applied to eliminate the redundant features in the resampling sample set, and the optimal feature subset is obtained. The resampling sample set filtered by the optimal feature subset is detected and classified through the designed two-stage hybrid heterogeneous model optimized by the intermittent chaos and bald eagle search algorithm-based interval optimization algorithm. The experimental results show that the proposed method effectively detects the botnet in two real IoT scenarios. The detection accuracy is 99.17% $ \% $, the Matthews correlation coefficient is 98.35% $ \% $, the false positive rate is 0.25% $ \% $, and the false negative rate is 1.27% $ \% $, which are better than the existing methods. This method can effectively reduce sampling and feature selection time and space overhead and better adapt to the resource-constrained IoT environment.

Jie Yin,Xianda Wu,Junnan Wang,Kun Jia,Chaoge Liu,Yue Shi,Xiang Cui

DOI: https://doi.org/10.1007/978-3-030-78621-2_59

2021-01-01

Abstract:The vulnerabilities found in Internet of Things (IoT) devices have caused a large number of IoT devices being compromised and used as botnet platforms, which imposes a serious threat to the cyber security. In order to mitigate this threat, several network-based intrusion detection methods are proposed. While models and algorithms are important, so are the representative datasets and comprehensive feature vectors. In this paper, we firstly construct a botnet network traffic dataset by automatically monitoring some latest IoT botnet samples in our self-built experimental system. The dataset contains 17.5 GB network traffic which generated by 257 samples from 10 families. We can see the samples’ entire lifecycle, including installation, propagation, scanning, DDoS attacks, C&C and other typical botnet behaviors. Then, through an in-depth analysis of the collected dataset, we propose a set of feature vectors for detecting. Since we are from the perspective of samples’ entire lifecycle, our feature vectors provide more dimensions and is more expressive than existing works. To evaluate the effect of these feature vectors, we design a classification model based on machine learning, and run it on the constructed dataset and another public dataset. The experiment results demonstrate that the proposed feature vectors perform better on our dataset than on others, showing that the future IoT botnet detection model needs to face a longer botnet lifecycle and adopt more comprehensive feature vectors.

Ahsan Nazir,Jingsha He,Nafei Zhu,Xiangjun Ma,Faheem Ullah,Siraj Uddin Qureshi,Ahsan Wajahat

DOI: https://doi.org/10.1145/3672919.3672934

2024-01-01

Abstract:The rapid expansion of Internet of Things (IoT) devices has led to an escalation in security vulnerabilities, particularly concerning botnet attacks. Securing IoT networks against botnet threats is paramount to preserving network integrity and safeguarding sensitive data. Despite advancements in security measures, traditional methods often fall short in effectively detecting and mitigating botnet activity in IoT environments. There is a pressing need for robust and adaptive detection mechanisms capable of accurately identifying botnet behavior amidst the complexity of IoT network traffic. This research addresses the challenge of botnet detection in IoT networks, aiming to develop an effective and scalable solution that can accurately discern between benign and IoT botnets. To address this problem, we propose the use of ensemble learning techniques for the IoT botnet detection. Leveraging the N-BaIoT dataset, which offers real-world IoT traffic data, we apply the Voting Classifier to nine distinct IoT devices and evaluate its performance against key metrics such as accuracy, precision, recall, and F1 score. Our experiments demonstrate the effectiveness of the proposed ensemble approach, achieving high accuracy with an average accuracy rate of 99.3%. Furthermore, the ensemble method exhibits strong precision, recall, and F1 scores across various IoT device types, underscoring its efficacy in accurately discerning botnet activity. This research contributes to the advancement of botnet detection in IoT networks by introducing an ensemble-based approach that offers robust and adaptive detection capabilities. Our findings highlight the potential of ensemble learning techniques in enhancing security measures in IoT environments.

Hao Tang,Hui He,Yuming Feng,Junxiong Meng,Weizhe Zhang

DOI: https://doi.org/10.1109/tai.2024.3509812

2024-01-01

IEEE Transactions on Artificial Intelligence

Abstract:With the widespread use of edge computing, the security issues on the edge side of IoT within the cloud-edge-device architecture are becoming increasingly severe, particularly with the growing threat posed by botnets. Existing research on IoT botnet detection primarily focuses on identifying infected devices, with significantly less emphasis on detecting the botnet scanning and propagation phases. Recognizing the importance of early detection to protect devices and networks, this paper introduces RGPot-a novel honeypot based on a generative response model designed to detect the lifecycle of IoT botnets. RGPot consists of two core components: an interaction response module and a lifecycle detection module. In the Interaction Response Module, Generative Adversarial Networks (GANs) are employed to train models capable of generating responses to various types of request data. This enables RGPot to effectively simulate real IoT devices and provide tailored responses to deceive potential attackers. In the Lifecycle Detection Module, a multi-layer Long Short-Term Memory (LSTM) network is utilized to comprehensively detect the stages of an IoT botnet’s lifecycle, facilitating the precise identification of the stage at which the detected traffic data is located. To evaluate the efficacy of RGPot, we created a controlled experimental environment to assess its ability to capture IoT botnets and detect traffic data. The experimental results validate RGPot’s capability in botnet capture and anti-detection, with an accuracy of 98.81% in detecting botnet lifecycles and a reduction in false positives of approximately 5%.

Metehan Gelgi,Yueting Guan,Sanjay Arunachala,Maddi Samba Siva Samba Siva Rao,Nicola Dragoni

DOI: https://doi.org/10.3390/s24113571

IF: 3.9

2024-06-02

Sensors

Abstract:Internet of Things (IoT) technology has become an inevitable part of our daily lives. With the increase in usage of IoT Devices, manufacturers continuously develop IoT technology. However, the security of IoT devices is left behind in those developments due to cost, size, and computational power limitations. Since these IoT devices are connected to the Internet and have low security levels, one of the main risks of these devices is being compromised by malicious malware and becoming part of IoT botnets. IoT botnets are used for launching different types of large-scale attacks including Distributed Denial-of-Service (DDoS) attacks. These attacks are continuously evolving, and researchers have conducted numerous analyses and studies in this area to narrow security vulnerabilities. This paper systematically reviews the prominent literature on IoT botnet DDoS attacks and detection techniques. Architecture IoT botnet DDoS attacks, evaluations of those attacks, and systematically categorized detection techniques are discussed in detail. The paper presents current threats and detection techniques, and some open research questions are recommended for future studies in this field.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Abdulaziz Aldaej,Tariq Ahamed Ahanger,Mohammed Atiquzzaman,Imdad Ullah

DOI: https://doi.org/10.1007/s10586-024-04379-6

2024-04-20

Cluster Computing

Abstract:The number of cyber-attacks targeting the Internet of Things (IoT) has elevated in the last decade. This is due to the inherent security vulnerabilities inside IoT endpoints, as well as the broad acceptance and usage of Industrial IoT. In this context, botnets have arisen as a significant risk to IoT-based infrastructures by exploiting security flaws in firmware, including weak or default passwords, to hack devices. In this article, research is performed on an Intrusion Detection System (IDS) that can be installed within an IoT device to increase visibility and help devices become more secure. The presented research framework termed a Blockchain-inspired Botnet Detection System (BDS) includes the node-level IDS. Moreover, the comprehensive architecture of the node-level BDS framework is discussed. Using the ISOT, IoT23, and BoTIoT datasets, the performance of the presented model is assessed for alerts, detection rates, detection delay, and peak CPU and memory usage. Based on the computational results effective outcomes were registered for the proposed technique.

computer science, information systems, theory & methods

Ayush Kumar,Mrinalini Shridhar,Sahithya Swaminathan,Teng Joon Lim

DOI: https://doi.org/10.1016/j.cose.2022.102693

2022-06-01

Abstract:In this work, we present an IoT botnet detection solution, EDIMA, consisting of a set of lightweight modules designed to be deployed at the edge gateway installed in home networks with the remaining modules expected to be implemented on cloud servers. EDIMA targets early detection of IoT botnets prior to the launch of an attack and includes a novel two-stage Machine Learning (ML)-based detector developed specifically for IoT bot detection at the edge gateway. The ML-based bot detector first employs supervised ML algorithms for aggregate traffic classification and subsequently Autocorrelation Function (ACF)-based tests to detect individual bots. The EDIMA architecture also comprises a malware traffic database, a policy engine, a feature extractor and a traffic parser. Performance evaluation results using our testbed setup with real-world IoT malware traffic as well as other public IoT datasets show that EDIMA achieves high bot scanning and bot-CnC traffic detection accuracies with very low false positive rates. The detection performance is also shown to be robust to an increase in the number of IoT devices connected to the edge gateway where EDIMA is deployed. Further, the runtime performance analysis of a Python implementation of EDIMA deployed on a Raspberry Pi reveals low bot detection delays and low RAM consumption. EDIMA is also shown to outperform existing detection techniques for bot scanning traffic and bot-CnC server communication.

computer science, information systems

Ruoyu Li,Qing Li,Yucheng Huang,Wenbin Zhang,Peican Zhu,Yong Jiang

DOI: https://doi.org/10.1007/978-3-031-17146-8_28

2022-01-01

Abstract:As the Internet of Things (IoT) plays an increasingly important role in real life, the concern about IoT malware and botnet attacks is considerably growing. Meanwhile, with new techniques such as edge computing and artificial intelligence applied to IoT networks, these devices nowadays become more functional than ever before, which challenges many existing network anomaly detection systems due to the lack of generalization ability to profile diverse activities. To address it, this paper proposes IoTEnsemble, an ensemble network anomaly detection framework. We propose a tree-based activity clustering method that aggregates network flows dedicated to the same activity so that their traffic patterns remain identical. Based on the clustering result, we implement an ensemble model in which each submodel only needs to profile a specific activity, which highly reduces the burden of a single model's generalization ability. For evaluation, we build a 57.1GB IoT dataset collected in 9 months composed of comprehensive normal and malicious traffic. Our evaluation proves that IoTEnsemble possesses a state-of-the-art detection performance on various IoT botnet malware and attack traffic, exhibiting a significantly better result than other baselines in a more intelligent and functional IoT network.

Wei Wang,Yaoyao Shang,Yongzhong He,Yidong Li,Jiqiang Liu

DOI: https://doi.org/10.1016/j.ins.2019.09.024

IF: 8.1

2020-02-01

Information Sciences

Abstract:The Botnets have become one of the most serious threats to cyber infrastructure. Most existing work on detecting botnets is based on flow-based traffic analysis by mining their communication patterns. There also exists related work based on anomaly detection in communication graphs. As bots have continuously evolved and become increasingly sophisticated, only using flow-based traffic analysis or graph-based analysis for the detection would result in false negatives or false positives, or can even be evaded. In this work, we propose BotMark, an automated model that detects botnets with hybrid analysis of flow-based and graph-based network traffic behaviors. We extract 15 statistical flow-based traffic features as well as 3 graph-based features in building the detection model. For flow-based detection, we consider the similarity and stability of C-flow as measurements in the detection. In particular, we employ k-means to measure the similarity of C-flows and assign similarity scores, and calculate stability score of C-flows through the distribution of packet length within a C-flow. The graph-based detection is based on the observation that the neighborhoods of anomalous nodes significantly differ from those of normal nodes in communication graphs. In particular, we use least-square technique and Local Outlier Factor (LOF) to calculate anomaly scores that measure the differences of their neighborhoods. Our models use the scores to mark bots. BotMark performs automated botnet detection with hybrid analysis of flow-based and graph-based traffic behaviors by ensemble of the detection results based on similarity scores, stability scores and anomaly scores. We collect a very large size of network traffic by simulating 5 newly propagated botnets, including Mirai, Black energy, Zeus, Athena and Ares in a real computing environment. Extensive experimental results demonstrate the effectiveness of BotMark. It achieves 99.94% in terms of detection accuracy, outperforming any individual detector with flow-based detection or graph-based detection.

computer science, information systems

Worku Gachena Negera,Friedhelm Schwenker,Taye Girma Debelee,Henock Mulugeta Melaku,Yehualashet Megeresa Ayano

DOI: https://doi.org/10.3390/s22249837

2022-12-14

Abstract:The orchestration of software-defined networks (SDN) and the internet of things (IoT) has revolutionized the computing fields. These include the broad spectrum of connectivity to sensors and electronic appliances beyond standard computing devices. However, these networks are still vulnerable to botnet attacks such as distributed denial of service, network probing, backdoors, information stealing, and phishing attacks. These attacks can disrupt and sometimes cause irreversible damage to several sectors of the economy. As a result, several machine learning-based solutions have been proposed to improve the real-time detection of botnet attacks in SDN-enabled IoT networks. The aim of this review is to investigate research studies that applied machine learning techniques for deterring botnet attacks in SDN-enabled IoT networks. Initially the first major botnet attacks in SDN-IoT networks have been thoroughly discussed. Secondly a commonly used machine learning techniques for detecting and mitigating botnet attacks in SDN-IoT networks are discussed. Finally, the performance of these machine learning techniques in detecting and mitigating botnet attacks is presented in terms of commonly used machine learning models' performance metrics. Both classical machine learning (ML) and deep learning (DL) techniques have comparable performance in botnet attack detection. However, the classical ML techniques require extensive feature engineering to achieve optimal features for efficient botnet attack detection. Besides, they fall short of detecting unforeseen botnet attacks. Furthermore, timely detection, real-time monitoring, and adaptability to new types of attacks are still challenging tasks in classical ML techniques. These are mainly because classical machine learning techniques use signatures of the already known malware both in training and after deployment.

Angela Grace Famera,Raj Mani Shukla,Suman Bhunia

DOI: https://doi.org/10.48550/arXiv.2311.08621

2023-11-15

Networking and Internet Architecture

Abstract:A botnet is an army of zombified computers infected with malware and controlled by malicious actors to carry out tasks such as Distributed Denial of Service (DDoS) attacks. Billions of Internet of Things (IoT) devices are primarily targeted to be infected as bots since they are configured with weak credentials or contain common vulnerabilities. Detecting botnet propagation by monitoring the network traffic is difficult as they easily blend in with regular network traffic. The traditional machine learning (ML) based Intrusion Detection System (IDS) requires the raw data to be captured and sent to the ML processor to detect intrusion. In this research, we examine the viability of a cross-device federated intrusion detection mechanism where each device runs the ML model on its data and updates the model weights to the central coordinator. This mechanism ensures the client's data is not shared with any third party, terminating privacy leakage. The model examines each data packet separately and predicts anomalies. We evaluate our proposed mechanism on a real botnet propagation dataset called MedBIoT. Overall, the proposed method produces an average accuracy of 71%, precision 78%, recall 71%, and f1-score 68%. In addition, we also examined whether any device taking part in federated learning can employ a poisoning attack on the overall system.

Nickolaos Koroniotis,Nour Moustafa,Elena Sitnikova,Jill Slay

DOI: https://doi.org/10.48550/arXiv.1711.02825

2017-11-08

Abstract:The IoT is a network of interconnected everyday objects called things that have been augmented with a small measure of computing capabilities. Lately, the IoT has been affected by a variety of different botnet activities. As botnets have been the cause of serious security risks and financial damage over the years, existing Network forensic techniques cannot identify and track current sophisticated methods of botnets. This is because commercial tools mainly depend on signature-based approaches that cannot discover new forms of botnet. In literature, several studies have conducted the use of Machine Learning ML techniques in order to train and validate a model for defining such attacks, but they still produce high false alarm rates with the challenge of investigating the tracks of botnets. This paper investigates the role of ML techniques for developing a Network forensic mechanism based on network flow identifiers that can track suspicious activities of botnets. The experimental results using the UNSW-NB15 dataset revealed that ML techniques with flow identifiers can effectively and efficiently detect botnets attacks and their tracks.

Cryptography and Security