
IoTEnsemble: Detection of Botnet Attacks on Internet of Things

Conference paper, Computer Security – ESORICS 2022 (ESORICS 2022)

Abstract

As the Internet of Things (IoT) plays an increasingly important role in real life, the concern about IoT malware and botnet attacks is considerably growing. Meanwhile, with new techniques such as edge computing and artificial intelligence applied to IoT networks, these devices nowadays become more functional than ever before, which challenges many existing network anomaly detection systems due to the lack of generalization ability to profile diverse activities.

To address it, this paper proposes IoTEnsemble, an ensemble network anomaly detection framework. We propose a tree-based activity clustering method that aggregates network flows dedicated to the same activity so that their traffic patterns remain identical. Based on the clustering result, we implement an ensemble model in which each submodel only needs to profile a specific activity, which highly reduces the burden of a single model’s generalization ability. For evaluation, we build a 57.1 GB IoT dataset collected in 9 months composed of comprehensive normal and malicious traffic. Our evaluation proves that IoTEnsemble possesses a state-of-the-art detection performance on various IoT botnet malware and attack traffic, exhibiting a significantly better result than other baselines in a more intelligent and functional IoT network.

This work is supported by the National Key Research and Development Project of China under grant No. 2020AAA0107704, National Natural Science Foundation of China under grant No. 61972189 and 62073263, Shenzhen Key Lab of Software Defined Networking under grant No. ZDSYS20140509172959989, and Research Center for Computer Network (Shenzhen) Ministry of Education.


Notes

  1. Our datasets are made public: https://github.com/HeliosHuang/ESORICS.



Corresponding author

Correspondence to Qing Li.


Appendices

A Maximum Likelihood Estimation

Suppose N observations of packet inter-arrival time \(t_1, t_2, \ldots, t_N\) are sampled from an exponential distribution \(f(t)=\lambda e^{-\lambda t}\). T denotes the sum of the observations, i.e., \(T=\sum _{i=1}^{N}t_i\). The maximum likelihood estimate of the parameter \(\lambda \) is derived as follows:

$$\begin{aligned} \lambda &=\mathop {\arg \max }\limits _{\lambda }\prod _{i=1}^{N}\lambda e^{-\lambda t_i} =\mathop {\arg \max }\limits _{\lambda }\sum _{i=1}^{N}\ln \left(\lambda e^{-\lambda t_i}\right) \\ &=\mathop {\arg \max }\limits _{\lambda }\left( N\ln {\lambda } -\lambda \sum _{i=1}^{N} t_i \right) \end{aligned}$$

Setting the derivative of the log-likelihood with respect to \(\lambda \) to zero, \(\frac{N}{\lambda }-\sum _{i=1}^{N}t_i=0\), yields

$$\lambda =\frac{N}{\sum _{i=1}^{N}t_i}=\frac{N}{T}.$$
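The closed form above is easy to check numerically and to put to work. The following Python script is an added example, not code from the paper or its authors: it fits \(\lambda = N/T\) to a constructed baseline of inter-arrival times for one device activity, confirms by brute-force grid search that this value maximises the log-likelihood \(N\ln\lambda - \lambda T\), and then uses a standard likelihood-ratio test (a textbook technique, not a method the paper describes) to decide whether a new traffic window is consistent with the baseline rate. All sample values, the function names, and the assumption that one exponential model is kept per activity are constructed for this illustration.

```python
import math

# Constructed inter-arrival samples in seconds (not from the paper's dataset).
BASELINE = [2.0, 1.5, 2.5, 2.0, 1.0, 3.0]   # N = 6, T = 12  -> lambda = 0.5
NORMAL_WINDOW = [2.2, 1.8, 2.0, 2.4, 1.6]   # same rate as the baseline
FLOOD_WINDOW = [0.01] * 20                  # roughly 200x the baseline packet rate

# Critical value of chi-square with 1 degree of freedom at p = 0.001
# (standard table value; the LRT statistic is asymptotically chi-square(1)).
CHI2_1DF_P001 = 10.828


def mle_lambda(times):
    """Closed-form MLE from Appendix A: lambda = N / T."""
    if not times or any(t <= 0 for t in times):
        raise ValueError("inter-arrival times must be a non-empty list of positive values")
    return len(times) / sum(times)


def log_likelihood(lam, times):
    """Log-likelihood N*ln(lambda) - lambda*T of an i.i.d. exponential sample."""
    n, total = len(times), sum(times)
    return n * math.log(lam) - lam * total


def grid_search_lambda(times, lo=0.0, hi=5.0, steps=5000):
    """Brute-force argmax of the log-likelihood over an evenly spaced grid.

    Used only to confirm the closed form numerically; k starts at 1 so that
    lambda stays strictly positive and ln(lambda) is defined.
    """
    best_lam, best_ll = None, -math.inf
    for k in range(1, steps + 1):
        lam = lo + (hi - lo) * k / steps
        ll = log_likelihood(lam, times)
        if ll > best_ll:
            best_lam, best_ll = lam, ll
    return best_lam


def lrt_statistic(window, lam0):
    """Likelihood-ratio statistic 2*[ll(lambda_hat) - ll(lambda0)] for the
    hypothesis that the window was generated at the baseline rate lam0.

    lambda_hat is the window's own MLE, so the statistic is zero when the
    window's rate equals lam0 and grows as the rates diverge in either direction.
    """
    lam_hat = mle_lambda(window)
    return 2.0 * (log_likelihood(lam_hat, window) - log_likelihood(lam0, window))


def rate_changed(window, lam0, threshold=CHI2_1DF_P001):
    """True when the window's packet rate differs significantly from lam0."""
    return lrt_statistic(window, lam0) > threshold


def profile_activities(samples_by_activity):
    """Fit one exponential rate per activity cluster (assumed per-activity
    submodel layout, constructed for this example)."""
    return {name: mle_lambda(times) for name, times in samples_by_activity.items()}


if __name__ == "__main__":
    profiles = profile_activities({"heartbeat": BASELINE})
    lam0 = profiles["heartbeat"]
    print(f"closed-form lambda = {lam0:.4f}, grid-search lambda = "
          f"{grid_search_lambda(BASELINE):.4f}")
    for label, window in (("normal", NORMAL_WINDOW), ("flood", FLOOD_WINDOW)):
        stat = lrt_statistic(window, lam0)
        print(f"{label:6s}: lambda_hat = {mle_lambda(window):8.2f}  "
              f"LRT = {stat:8.2f}  flagged = {rate_changed(window, lam0)}")
```

One design point worth noticing: scoring a window by its raw likelihood under the baseline model would not flag the flood, because the exponential density is largest at small inter-arrival times, so a burst of tiny gaps is individually more probable under the baseline than the baseline's own samples. The likelihood-ratio form compares the window's fitted rate with the baseline rate instead, which is what a rate-change detector actually needs.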

B Complete Dataset Information and Evaluation Result

See Table 4.

Table 4. Complete experimental result for each device in the testbed; \(N_{c}\) is the number of activity clusters; \(t_0\) and \(t_1\) are the times required to observe all activities of a device by manual use and by automated script, respectively; the last 8 devices are not IP-enabled and are connected to their corresponding gateways.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Li, R., Li, Q., Huang, Y., Zhang, W., Zhu, P., Jiang, Y. (2022). IoTEnsemble: Detection of Botnet Attacks on Internet of Things. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_28

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-17146-8_28


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8
