Abstract
As the Internet of Things (IoT) plays an increasingly important role in everyday life, concern about IoT malware and botnet attacks is growing considerably. Meanwhile, with new techniques such as edge computing and artificial intelligence applied to IoT networks, these devices are now more functional than ever before, which challenges many existing network anomaly detection systems: a single model lacks the generalization ability to profile such diverse activities.
To address this, this paper proposes IoTEnsemble, an ensemble network anomaly detection framework. We propose a tree-based activity clustering method that aggregates the network flows dedicated to the same activity so that each cluster's traffic patterns remain consistent. Based on the clustering result, we implement an ensemble model in which each submodel only needs to profile one specific activity, which greatly reduces the generalization burden placed on any single model. For evaluation, we build a 57.1 GB IoT dataset collected over 9 months, composed of comprehensive normal and malicious traffic. Our evaluation shows that IoTEnsemble achieves state-of-the-art detection performance on various IoT botnet malware and attack traffic, with significantly better results than other baselines in a more intelligent and functional IoT network.
This work is supported by the National Key Research and Development Project of China under grant No. 2020AAA0107704, National Natural Science Foundation of China under grant No. 61972189 and 62073263, Shenzhen Key Lab of Software Defined Networking under grant No. ZDSYS20140509172959989, and Research Center for Computer Network (Shenzhen) Ministry of Education.
Notes
1. Our datasets are made public: https://github.com/HeliosHuang/ESORICS.
Appendices
A Maximum Likelihood Estimation
Suppose N observations of packet inter-arrival time \(t_1, t_2, ..., t_N\) that conform to an exponential distribution \(f(t)=\lambda e^{-\lambda t}\) are sampled. T represents the sum of the observations, i.e., \(T=\sum _{i=1}^{N}t_i\). The maximum likelihood estimate of the parameter \(\lambda \) is derived as follows:
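The derivation itself is not reproduced on this page; the following is an added worked derivation using the appendix's own symbols (\(t_i\), N, T, \(\lambda\)), not text taken from the paper.

Since the observations are independent, the likelihood of the sample is the product of the densities:
\[
L(\lambda) = \prod_{i=1}^{N} \lambda e^{-\lambda t_i} = \lambda^{N} e^{-\lambda \sum_{i=1}^{N} t_i} = \lambda^{N} e^{-\lambda T}.
\]
Taking the logarithm turns the product into a sum that is easier to maximize:
\[
\ell(\lambda) = \ln L(\lambda) = N \ln \lambda - \lambda T.
\]
Setting the derivative with respect to \(\lambda\) to zero gives the stationary point:
\[
\frac{d\ell}{d\lambda} = \frac{N}{\lambda} - T = 0 \quad \Longrightarrow \quad \hat{\lambda} = \frac{N}{T}.
\]
The second derivative \(\frac{d^2\ell}{d\lambda^2} = -\frac{N}{\lambda^2} < 0\) for all \(\lambda > 0\), so this stationary point is a maximum. Hence the estimate is the reciprocal of the mean inter-arrival time, \(\hat{\lambda} = 1 / \bar{t}\) with \(\bar{t} = T/N\): an activity whose packets arrive, on average, every \(\bar{t}\) seconds is profiled by the rate \(\hat{\lambda}\) packets per second, and the estimate only requires N and the running sum T, so it can be maintained incrementally per flow cluster.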
B Complete Dataset Information and Evaluation Result
See Table 4.
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Li, R., Li, Q., Huang, Y., Zhang, W., Zhu, P., Jiang, Y. (2022). IoTEnsemble: Detection of Botnet Attacks on Internet of Things. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_28
DOI: https://doi.org/10.1007/978-3-031-17146-8_28
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8
eBook Packages: Computer Science; Computer Science (R0)