An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)

Abstract: The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analyzing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis in sandboxes, introducing a delay during which a botnet may ch… Show more

“…As a result, the proposed approaches may not be effective for clustering obfuscated samples. In our recent study [8], we observed that 38% of the samples captured by our honeypots were packed, while 59% had encoded strings. Therefore, we argue that to identify botnet variants equipped with new capabilities, both obfuscated and non-obfuscated samples should be effectively clustered.…”

“…Many of the related studies propose the use of features extracted via static analysis for clustering IoT botnets, based on the observation that the IoT malware obfuscation is not as common as the Windows malware obfuscation. However, in our recent study [8], concerned with the analysis of IoT botnet samples captured by honeypots, we observed that a significant proportion of the analysed samples were obfuscated. Approximately 38% of the analysed samples were packed, 25% of which were packed with custom packers.…”

“…The IoT botnet samples are executed using the ELF DIGEST sandbox, presented in our previous work [8]. The ELF DIGEST sandbox supports ARMv5, ARMv7, MIPS, x86 and x64 CPU architectures, as well as older (v.3) and more recent (v.4+) Linux kernel versions.…”

“…However, the large number of IoT botnet samples collected by antivirus vendors makes it impossible for the malware analysts to examine each botnet sample [7]. Although significant efforts have been made for automating the analysis of IoT botnet samples using sandboxes [8][9][10], the analysis results still need to be interpreted by malware analysts. This challenge can be overcome by grouping together samples that exhibit similar behaviours into clusters.…”

“…A botnet may infect IoT devices with different CPU architectures or with the same CPU architecture. In our recent study of IoT botnets [8],…”

An Automated Behaviour-Based Clustering of IoT Botnets

“…As a result, the proposed approaches may not be effective for clustering obfuscated samples. In our recent study [8], we observed that 38% of the samples captured by our honeypots were packed, while 59% had encoded strings. Therefore, we argue that to identify botnet variants equipped with new capabilities, both obfuscated and non-obfuscated samples should be effectively clustered.…”

“…Many of the related studies propose the use of features extracted via static analysis for clustering IoT botnets, based on the observation that the IoT malware obfuscation is not as common as the Windows malware obfuscation. However, in our recent study [8], concerned with the analysis of IoT botnet samples captured by honeypots, we observed that a significant proportion of the analysed samples were obfuscated. Approximately 38% of the analysed samples were packed, 25% of which were packed with custom packers.…”

“…The IoT botnet samples are executed using the ELF DIGEST sandbox, presented in our previous work [8]. The ELF DIGEST sandbox supports ARMv5, ARMv7, MIPS, x86 and x64 CPU architectures, as well as older (v.3) and more recent (v.4+) Linux kernel versions.…”

“…However, the large number of IoT botnet samples collected by antivirus vendors makes it impossible for the malware analysts to examine each botnet sample [7]. Although significant efforts have been made for automating the analysis of IoT botnet samples using sandboxes [8][9][10], the analysis results still need to be interpreted by malware analysts. This challenge can be overcome by grouping together samples that exhibit similar behaviours into clusters.…”

“…A botnet may infect IoT devices with different CPU architectures or with the same CPU architecture. In our recent study of IoT botnets [8],…”

An Automated Behaviour-Based Clustering of IoT Botnets

A Reinforcement Learning-Based Approach for Detection Zero-Day Malware Attacks on IoT System

Association rule learning for threat analysis using traffic analysis and packet filtering approach