research-article

Data-driven Curation, Learning and Analysis for Inferring Evolving IoT Botnets in the Wild

Authors:

Morteza Safaei Pour,

Antonio Mangino,

Matthias Rathbun,

Elias Bou-Harb,

Farkhund Iqbal,

Abdelkarim ErradiAuthors Info & Claims

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security

Article No.: 6, Pages 1 - 10

https://doi.org/10.1145/3339252.3339272

Published: 26 August 2019 Publication History

Abstract

The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructure realms. Several challenges impede addressing IoT security at large, including, the lack of IoT-centric data that can be collected, analyzed and correlated, due to the highly heterogeneous nature of such devices and their widespread deployments in Internet-wide environments. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomena. This not only aims at classifying and inferring Internet-scale compromised IoT devices by solely observing such one-way network traffic, but also endeavors to uncover, track and report on orchestrated "in the wild" IoT botnets. Initially, to prepare the effective utilization of such data, a novel probabilistic model is designed and developed to cleanse such traffic from noise samples (i.e., misconfiguration traffic). Subsequently, several shallow and deep learning models are evaluated to ultimately design and develop a multi-window convolution neural network trained on active and passive measurements to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is deployed by scrutinizing a set of innovative and efficient network feature sets. By analyzing 3.6 TB of recent darknet traffic, the proposed approach uncovers a momentous 440,000 compromised IoT devices and generates evidence-based artifacts related to 350 IoT botnets. While some of these detected botnets refer to previously documented campaigns such as the Hide and Seek, Hajime and Fbot, other events illustrate evolving threats such as those with cryptojacking capabilities and those that are targeting industrial control system communication and control services.

References

[1]

2018. Coinhive. https://coinhive.com/. (2018). {Online; accessed 01-March-2019}.

[2]

2019. All Things Considered: An Analysis of IoT Devices on Home Networks. In 28th USENIX Security Symposium (USENIX Security 19). USENIX Association, Santa Clara, CA. https://www.usenix.org/conference/usenixsecurity19/presentation/kumar-deepak

[3]

360Netlab. 2019. ADB.Miner: More Information. https://blog.netlab.360.com/adb-miner-more-information-en/. (2019). {Online; accessed 01-March-2019}.

[4]

360Netlab. 2019. Fbot, A Satori Related Botnet Using Block-chain DNS System. https://tinyurl.com/yavvhf4v. (2019). {Online; accessed 01-March-2019}.

[5]

Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J Alex Halderman, Luca Invernizzi, Michalis Kallitsis, et al. 2017. Understanding the Mirai Botnet. (2017).

[6]

Karyn Benson. 2016. Leveraging internet background radiation for opportunistic network analysis. Ph.D. Dissertation. UC San Diego.

[7]

Elisa Bertino and Nayeem Islam. 2017. Botnets and internet of things security. Computer 2 (2017), 76--79.

Digital Library

[8]

Elias Bou-Harb. 2016. A brief survey of security approaches for cyber-physical systems. In 2016 8th IFIP International Conference on New Technologies, Mobility and Security (NTMS). IEEE, 1--5.

[9]

Elias Bou-Harb, Mourad Debbabi, and Chadi Assi. 2016. Big data behavioral analytics meet graph theory: on effective botnet takedowns. IEEE Network 31, 1 (2016), 18--26.

Digital Library

[10]

Elias Bou-Harb, Mourad Debbabi, and Chadi Assi. 2016. A novel cyber security capability: Inferring Internet-scale infections by correlating malware and probing activities. Computer Networks 94 (2016), 327--343.

Digital Library

[11]

Elias Bou-Harb, Evangelos I Kaisar, and Mark Austin. 2017. On the impact of empirical attack models targeting marine transportation. In 2017 5th IEEE International Conference on Models and Technologies for Intelligent Transportation Systems (MT-ITS). IEEE, 200--205.

[12]

Orçun Cetin, Carlos Ganán, Lisette Altena, Takahiro Kasama, Daisuke Inoue, Kazuki Tamiya, Ying Tie, Katsunari Yoshioka, and Michel van Eeten. 2019. Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai. (2019).

[13]

Yu Cheng, Fei Wang, Ping Zhang, and Jianying Hu. 2016. Risk prediction with electronic health records: A deep learning approach. In Proceedings of the 2016 SIAM International Conference on Data Mining. SIAM, 432--440.

[14]

François Chollet et al. 2015. Keras. https://keras.io. (2015).

[15]

Ronan Collobert, Jason Weston, Léon Bottou, Michael Karlen, Koray Kavukcuoglu, and Pavel Kuksa. 2011. Natural language processing (almost) from scratch. Journal of Machine Learning Research 12, Aug (2011), 2493--2537.

Digital Library

[16]

Li Da Xu, Wu He, and Shancang Li. 2014. Internet of things in industries: A survey. IEEE Transactions on industrial informatics 10, 4 (2014), 2233--2243.

[17]

Alberto Dainotti, Alistair King, Kimberly Claffy, Ferdinando Papale, and Antonio Pescapé. 2015. Analysis of a /0 stealth scan from a botnet. IEEE/ACM Transactions on Networking (TON) 23, 2 (2015), 341--354.

Digital Library

[18]

Zakir Durumeric, David Adrian, Ariana Mirian, Michael Bailey, and J Alex Halderman. 2015. A search engine backed by Internet-wide scanning. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM, 542--553.

Digital Library

[19]

Zakir Durumeric, Michael Bailey, and J Alex Halderman. 2014. An Internet-Wide View of Internet-Wide Scanning. In USENIX Security Symposium. 65--78.

Digital Library

[20]

Zakir Durumeric, Eric Wustrow, and J Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In USENIX Security Symposium, Vol. 8. 47--53.

Digital Library

[21]

IBM X-Force Exchange. 2018. JenX Botnet. https://exchange.xforce.ibmcloud.com/collection/JenX-Botnet-c47476c5e6fafd7df487cecd1110a761. (2018). {accessed 01-March-2019}.

[22]

Claude Fachkha, Elias Bou-Harb, and Mourad Debbabi. 2015. On the inference and prediction of DDoS campaigns. Wireless Communications and Mobile Computing 15, 6 (2015), 1066--1078.

Digital Library

[23]

Claude Fachkha and Mourad Debbabi. 2016. Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization. IEEE Communications Surveys and Tutorials 18, 2 (2016), 1197--1227.

Digital Library

[24]

Xuan Feng, Qiang Li, Haining Wang, and Limin Sun. 2018. Acquisitional rule-based engine for discovering Internet-of-Things devices. In 27th {USENIX} Security Symposium ({USENIX} Security 18). 327--341.

Digital Library

[25]

Aidin Ferdowsi and Walid Saad. 2018. Deep learning for signal authentication and security in massive internet-of-things systems. IEEE Transactions on Communications 67, 2 (2018), 1371--1387.

[26]

Matthew Ford, Jonathan Stevens, and John Ronan. 2006. Initial Results from an IPv6 Darknet13. In International Conference on Internet Surveillance and Protection. IEEE, 13--13.

Digital Library

[27]

Andrew Gelman, John B Carlin, Hal S Stern, and Donald B Rubin. 2014. Bayesian data analysis. Vol. 2. Taylor & Francis.

[28]

Juan Guarnizo, Amit Tambe, Suman Sankar Bunia, Martín Ochoa, Nils Tippenhauer, Asaf Shabtai, and Yuval Elovici. 2017. SIPHON: Towards Scalable High-Interaction Physical Honeypots. arXiv preprint arXiv:1701.02446 (2017).

[29]

Stephen Herwig, Katura Harvey, George Hughey, Richard Roberts, and Dave Levin. 2019. Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet. (2019).

[30]

Martin Husák, Nataliia Neshenko, Morteza Safaei Pour, Elias Bou-Harb, and Pavel Čeleda. 2018. Assessing Internet-wide Cyber Situational Awareness of Critical Sectors. In Proceedings of the 13th International Conference on Availability, Reliability and Security. ACM, 29.

Digital Library

[31]

Yair Meidan, Michael Bohadana, Asaf Shabtai, Juan David Guarnizo, Martın Ochoa, Nils Ole Tippenhauer, and Yuval Elovici. 2017. ProfilIoT: A Machine Learning Approach for IoT Device Identification Based on Network Traffic Analysis. (2017).

[32]

Lionel Metongnon and Ramin Sadre. 2018. Beyond Telnet: Prevalence of IoT Protocols in Telescope and Honeypot Measurements. In Proceedings of the 2018 Workshop on Traffic Measurements for Cybersecurity. ACM, 21--26.

Digital Library

[33]

Markus Miettinen, Samuel Marchal, Ibbad Hafeez, N Asokan, Ahmad-Reza Sadeghi, and Sasu Tarkoma. 2017. IoT Sentinel: Automated device-type identification for security enforcement in IoT. In Distributed Computing Systems (ICDCS), 2017 IEEE 37th International Conference on. IEEE, 2177--2184.

[34]

David Moore, Colleen Shannon, Douglas J Brown, Geoffrey M Voelker, and Stefan Savage. 2006. Inferring internet denial-of-service activity. ACM Transactions on Computer Systems (TOCS) 24, 2 (2006), 115--139.

Digital Library

[35]

Marcin Nawrocki, Matthias Wählisch, Thomas C Schmidt, Christian Keil, and Jochen Schönfelder. 2016. A survey on honeypot software and data analysis. arXiv preprint arXiv:1608.06249 (2016).

[36]

Nataliia Neshenko, Elias Bou-Harb, Jorge Crichigno, Georges Kaddoum, and Nasir Ghani. 2019. Demystifying IoT Security: An Exhaustive Survey on IoT Vulnerabilities and a First Empirical Look on Internet-scale IoT Exploitations. IEEE Communications Surveys & Tutorials (2019).

[37]

Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, and Christian Rossow. 2016. IoTPOT: A Novel Honeypot for Revealing Current IoT Threats. Journal of Information Processing 24, 3 (2016), 522--533.

[38]

INFORMATION MARKETPLACE FOR POLICY and ANALYSIS OF CYBER-RISK & TRUST. 2019. https://impactcybertrust.org/. (2019).

[39]

Morteza Safaei Pour and Elias Bou-Harb. 2018. Implications of Theoretic Derivations on Empirical Passive Measurements for Effective Cyber Threat Intelligence Generation. In 2018 IEEE International Conference on Communications (ICC). IEEE, 1--7.

[40]

Morteza Safaei Pour, Elias Bou-Harb, Kavita Varma, Nataliia Neshenko, Dimitris A Pados, and Kim-Kwang Raymond Choo. 2019. Comprehending the IoT cyber threat landscape: A data dimensionality reduction technique to infer and characterize Internet-scale IoT probing campaigns. Digital Investigation 28 (2019), S40--S49.

Digital Library

[41]

Morteza Safaei Pour and Mahmoud Salmasizadeh. 2017. A New CPA Resistant Software Implementation for Symmetric Ciphers with Smoothed Power Consumption: SIMON Case Study. ISeCure 9, 2 (2017).

[42]

Max Pumperla. 2019. https://github.com/maxpumperla/hyperas. (2019).

[43]

radware. 2018. Hajime Botnet Friend or Foe? https://security.radware.com/ddos-threats-attacks/hajime-iot-botnet/. (2018). {Online; accessed 01-March-2019}.

[44]

Yegenshen Rootkiter. 2018. Botnet Muhstik is Actively Exploiting Drupal CVE-2018-7600 in a Worm Style. https://blog.netlab.360.com/botnet-muhstik-is-actively-exploiting-drupal-cve-2018-7600-in-a-worm-style-en/. (2018). {Online; accessed 01-March-2019}.

[45]

Yegenshen Rootkiter. 2018. HNS Botnet Recent Activities. https://blog.netlab.360.com/hns-botnet-recent-activities-en/. (2018). {Online; accessed 01-March-2019}.

[46]

Christian Rossow. 2014. Amplification Hell: Revisiting Network Protocols for DDoS Abuse. In NDSS.

[47]

Ramin Sahba, Nima Ebadi, Mo Jamshidi, and Paul Rad. 2018. Automatic text summarization using customizable fuzzy features and attention on the context and vocabulary. In 2018 World Automation Congress (WAC). IEEE, 1--5.

[48]

Shodan. 2019. The search engine for Internet of things. http://shodan.io. (2019).

[49]

Censys Team. 2017. Internet-Wide Scan Data Repository. Retrieved (2017), 2017.

[50]

Nguyen Thai-Nghe, Zeno Gantner, and Lars Schmidt-Thieme. 2010. Cost-sensitive learning methods for imbalanced data. In Neural Networks (IJCNN), The 2010 International Joint Conference on. IEEE, 1--8.

[51]

Vijayanand Thangavelu, Dinil Mon Divakaran, Rishi Sairam, Suman Sankar Bhunia, and Mohan Gurusamy. 2018. DEFT: A Distributed IoT Fingerprinting Technique. IEEE Internet of Things Journal (2018).

[52]

Sam Lloyd Thomas. 2018. Backdoor detection systems for embedded devices. Ph.D. Dissertation. University of Birmingham.

[53]

Sadegh Torabi, Elias Bou-Harb, Chadi Assi, Mario Galluscio, Amine Boukhtouta, and Mourad Debbabi. 2018. Inferring, characterizing, and investigating Internetscale malicious IoT device activities: A network telescope perspective. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 562--573.

[54]

Ivo Van der Elzen and Jeroen van Heugten. 2017. Techniques for detecting compromised IoT devices. University of Amsterdam (2017).

[55]

xmrminer. 2019. Monero Web Miner. https://xmrminer.cc/. (2019).

[56]

Dongkuan Xu and Yingjie Tian. 2015. A comprehensive survey of clustering algorithms. Annals of Data Science 2, 2 (2015), 165--193.

[57]

ZoomEye. 2019. http://www.zoomeye.org/. (2019).

Cited By

Hong Van LThuan LVan Huong PMinh N(2024)A New Method to Improve the CNN Configuration for IoT Attack Detection Problem Based on the Genetic Algorithm and Multi-Objective Approach2024 1st International Conference On Cryptography And Information Security (VCRIS)10.1109/VCRIS63677.2024.10813441(1-9)Online publication date: 3-Dec-2024
https://doi.org/10.1109/VCRIS63677.2024.10813441
Tieby NKhoury JBou-Harb E(2024)Characterizing and Analyzing LEO Satellite Cyber Landscape: A Starlink Case StudyICC 2024 - IEEE International Conference on Communications10.1109/ICC51166.2024.10623029(1352-1357)Online publication date: 9-Jun-2024
https://doi.org/10.1109/ICC51166.2024.10623029
Michael Rajan AMadhan Raaj AJean Justus J(2024)Employing Watchdog Timer to Prohibit DDoS Attack2024 IEEE International Conference on Computing, Power and Communication Technologies (IC2PCT)10.1109/IC2PCT60090.2024.10486314(705-710)Online publication date: 9-Feb-2024
https://doi.org/10.1109/IC2PCT60090.2024.10486314
Show More Cited By

Recommendations

Disposable botnets: examining the anatomy of IoT botnet infrastructure
ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Large botnets made up of Internet-of-Things (IoT) devices have been a steady presence in the threat landscape since 2016. Earlier research has found preliminary evidence that the IoT binaries and C&C infrastructure were only seen for very brief periods. ...
On data-driven curation, learning, and analysis for inferring evolving internet-of-Things (IoT) botnets in the wild
Abstract
The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructures. The highly heterogeneous nature of IoT devices and their widespread deployments has led to the rise of several ...
Identifying infected energy systems in the wild
e-Energy '19: Proceedings of the Tenth ACM International Conference on Future Energy Systems

The 2016 Mirai outbreak established an entirely new mindset in the history of large-scale Internet attacks. A plethora of Mirai-like variants have emerged in the last two years that are capable to infiltrate any type of device. In this paper we provide ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '19: Proceedings of the 14th International Conference on Availability, Reliability and Security

August 2019

979 pages

ISBN:9781450371643

DOI:10.1145/3339252

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 August 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ARES '19

ARES '19: 14th International Conference on Availability, Reliability and Security

August 26 - 29, 2019

CA, Canterbury, United Kingdom

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

17
Total Citations
View Citations
355
Total Downloads

Downloads (Last 12 months)22
Downloads (Last 6 weeks)3

Reflects downloads up to 05 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Hong Van LThuan LVan Huong PMinh N(2024)A New Method to Improve the CNN Configuration for IoT Attack Detection Problem Based on the Genetic Algorithm and Multi-Objective Approach2024 1st International Conference On Cryptography And Information Security (VCRIS)10.1109/VCRIS63677.2024.10813441(1-9)Online publication date: 3-Dec-2024
https://doi.org/10.1109/VCRIS63677.2024.10813441
Tieby NKhoury JBou-Harb E(2024)Characterizing and Analyzing LEO Satellite Cyber Landscape: A Starlink Case StudyICC 2024 - IEEE International Conference on Communications10.1109/ICC51166.2024.10623029(1352-1357)Online publication date: 9-Jun-2024
https://doi.org/10.1109/ICC51166.2024.10623029
Michael Rajan AMadhan Raaj AJean Justus J(2024)Employing Watchdog Timer to Prohibit DDoS Attack2024 IEEE International Conference on Computing, Power and Communication Technologies (IC2PCT)10.1109/IC2PCT60090.2024.10486314(705-710)Online publication date: 9-Feb-2024
https://doi.org/10.1109/IC2PCT60090.2024.10486314
Wu BLuo PLi MHu X(2022)The Impact of Health Information Privacy Concerns on Engagement and Payment Behaviors in Online Health CommunitiesFrontiers in Psychology10.3389/fpsyg.2022.86190313Online publication date: 8-Apr-2022
https://doi.org/10.3389/fpsyg.2022.861903
Bano SSarfraz USalameh AJan A(2022)COVID-19 Paradox: The Role of Privacy Concerns and Ad Intrusiveness on Consumer’s Attitude Toward App Usage BehaviorFrontiers in Psychology10.3389/fpsyg.2022.83606013Online publication date: 30-May-2022
https://doi.org/10.3389/fpsyg.2022.836060
Tanabe RWatanabe TFujita AIsawa RGañán CEeten MYoshioka KMatsumoto T(2022)Disposable Botnets: Long-term Analysis of IoT Botnet InfrastructureJournal of Information Processing10.2197/ipsjjip.30.57730(577-590)Online publication date: 2022
https://doi.org/10.2197/ipsjjip.30.577
Nader CBou-Harb ESterpone LBartolini AButko A(2022)An attentive interpretable approach for identifying and quantifying malware-infected internet-scale IoT bots behind a NATProceedings of the 19th ACM International Conference on Computing Frontiers10.1145/3528416.3530995(279-286)Online publication date: 17-May-2022
https://dl.acm.org/doi/10.1145/3528416.3530995
Friday KBou-Harb ECrichigno J(2022)A Learning Methodology for Line-Rate Ransomware Mitigation with P4 SwitchesNetwork and System Security10.1007/978-3-031-23020-2_7(120-139)Online publication date: 7-Dec-2022
https://doi.org/10.1007/978-3-031-23020-2_7
Mangino ABou-Harb E(2021)A Multidimensional Network Forensics Investigation of a State-Sanctioned Internet Outage2021 International Wireless Communications and Mobile Computing (IWCMC)10.1109/IWCMC51323.2021.9498743(813-818)Online publication date: 28-Jun-2021
https://doi.org/10.1109/IWCMC51323.2021.9498743
Nader CBou-Harb E(2021)Revisiting IoT Fingerprinting behind a NAT2021 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom)10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00235(1745-1752)Online publication date: Sep-2021
https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom52081.2021.00235
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten