DOI: 10.1145/3339252.3339272 (research article, ARES conference proceedings)

Data-driven Curation, Learning and Analysis for Inferring Evolving IoT Botnets in the Wild

Published: 26 August 2019

Abstract

The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructure realms. Several challenges impede addressing IoT security at large, including the lack of IoT-centric data that can be collected, analyzed and correlated, due to the highly heterogeneous nature of such devices and their widespread deployments in Internet-wide environments. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomenon. This not only aims at classifying and inferring Internet-scale compromised IoT devices by solely observing such one-way network traffic, but also endeavors to uncover, track and report on orchestrated "in the wild" IoT botnets. Initially, to prepare the effective utilization of such data, a novel probabilistic model is designed and developed to cleanse such traffic of noise samples (i.e., misconfiguration traffic). Subsequently, several shallow and deep learning models are evaluated to ultimately design and develop a multi-window convolutional neural network trained on active and passive measurements to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is deployed by scrutinizing a set of innovative and efficient network feature sets. By analyzing 3.6 TB of recent darknet traffic, the proposed approach uncovers a momentous 440,000 compromised IoT devices and generates evidence-based artifacts related to 350 IoT botnets. While some of these detected botnets refer to previously documented campaigns such as Hide and Seek, Hajime and Fbot, other events illustrate evolving threats such as those with cryptojacking capabilities and those that are targeting industrial control system communication and control services.


Published In

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security
August 2019
979 pages
ISBN:9781450371643
DOI:10.1145/3339252
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Internet measurements
  2. Internet-of-Things
  3. IoT botnets
  4. deep learning
  5. network security
  6. network telescopes

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES '19

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2024) Characterizing and Analyzing LEO Satellite Cyber Landscape: A Starlink Case Study. ICC 2024 - IEEE International Conference on Communications, pp. 1352-1357. DOI: 10.1109/ICC51166.2024.10623029. Online publication date: 9-Jun-2024.
  • (2024) Employing Watchdog Timer to Prohibit DDoS Attack. 2024 IEEE International Conference on Computing, Power and Communication Technologies (IC2PCT), pp. 705-710. DOI: 10.1109/IC2PCT60090.2024.10486314. Online publication date: 9-Feb-2024.
  • (2022) The Impact of Health Information Privacy Concerns on Engagement and Payment Behaviors in Online Health Communities. Frontiers in Psychology 13. DOI: 10.3389/fpsyg.2022.861903. Online publication date: 8-Apr-2022.
  • (2022) COVID-19 Paradox: The Role of Privacy Concerns and Ad Intrusiveness on Consumer's Attitude Toward App Usage Behavior. Frontiers in Psychology 13. DOI: 10.3389/fpsyg.2022.836060. Online publication date: 30-May-2022.
  • (2022) Disposable Botnets: Long-term Analysis of IoT Botnet Infrastructure. Journal of Information Processing 30, pp. 577-590. DOI: 10.2197/ipsjjip.30.577. Online publication date: 2022.
  • (2022) An attentive interpretable approach for identifying and quantifying malware-infected internet-scale IoT bots behind a NAT. Proceedings of the 19th ACM International Conference on Computing Frontiers, pp. 279-286. DOI: 10.1145/3528416.3530995. Online publication date: 17-May-2022.
  • (2022) A Learning Methodology for Line-Rate Ransomware Mitigation with P4 Switches. Network and System Security, pp. 120-139. DOI: 10.1007/978-3-031-23020-2_7. Online publication date: 7-Dec-2022.
  • (2021) A Multidimensional Network Forensics Investigation of a State-Sanctioned Internet Outage. 2021 International Wireless Communications and Mobile Computing (IWCMC), pp. 813-818. DOI: 10.1109/IWCMC51323.2021.9498743. Online publication date: 28-Jun-2021.
  • (2021) Revisiting IoT Fingerprinting behind a NAT. 2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom), pp. 1745-1752. DOI: 10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00235. Online publication date: Sep-2021.
  • (2021) Sanitizing the IoT Cyber Security Posture: An Operational CTI Feed Backed up by Internet Measurements. 2021 51st Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 497-506. DOI: 10.1109/DSN48987.2021.00059. Online publication date: Jun-2021.
