N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders

Meidan, Yair; Bohadana, Michael; Mathov, Yael; Mirsky, Yisroel; Shabtai, Asaf; Breitenbacher, Dominik; Elovici, Yuval

doi:10.1109/mprv.2018.03367731

Cited by 1,019 publications

(685 citation statements)

References 18 publications

Supporting

Mentioning

518

Contrasting

Unclassified

Order By: Relevance

“…Third, unlike [14], [17], we aim to detect IoT malware activity much before the actual attack, during the scanning/infection phase. Finally, instead of fingerprinting the normal traffic of IoT devices [15], [17] and using those fingerprints towards anomaly detection, we detect the malware-induced scanning packet traffic generated by infected IoT devices.…”

Section: Related Workmentioning

confidence: 99%

EDIMA: Early Detection of IoT Malware Network Activity Using Machine Learning Techniques

Kumar

Lim

2019

2019 IEEE 5th World Forum on Internet of Things (WF-IoT)

115

View full text Add to dashboard Cite

The widespread adoption of Internet of Things has led to many security issues. Post the Mirai-based DDoS attack in 2016 which compromised IoT devices, a host of new malware using Mirai's leaked source code and targeting IoT devices have cropped up, e.g. Satori, Reaper, Amnesia, Masuta etc. These malware exploit software vulnerabilities to infect IoT devices instead of open TELNET ports (like Mirai) making them more difficult to block using existing solutions such as firewalls. In this research, we present EDIMA, a distributed modular solution which can be used towards the detection of IoT malware network activity in large-scale networks (e.g. ISP, enterprise networks) during the scanning/infecting phase rather than during an attack. EDIMA employs machine learning algorithms for edge devices' traffic classification, a packet traffic feature vector database, a policy module and an optional packet sub-sampling module. We evaluate the classification performance of EDIMA through testbed experiments and present the results obtained.

show abstract

Section: Related Workmentioning

confidence: 99%

EDIMA: Early Detection of IoT Malware Network Activity Using Machine Learning Techniques

Kumar

Lim

2019

2019 IEEE 5th World Forum on Internet of Things (WF-IoT)

115

View full text Add to dashboard Cite

show abstract

“…The authors in [21] propose an intrusion detection model for IoT backbone networks leveraging twolayer dimension reduction and two-tier classification techniques to detect U2R (Userto-Root) and R2L (Remote-to-Local) attacks. In a recently published paper [22], deepautoencoders based anomaly detection has been used to detect attacks launched from IoT botnets. The method consists of extraction of statistical features from behavioral snapshots of normal IoT device traffic captures, training of a deep learning-based autoencoder (for each IoT device) on the extracted features and comparison of the reconstruction error for traffic observations with a threshold for normal-anomalous classification.…”

Section: Related Workmentioning

confidence: 99%

“…This is because we aim to detect bots infected by Mirai-like IoT malware, towards which much simpler features can be used as discussed in Section 3.3. Fifth, unlike [22], we aim to detect IoT bots much before the actual attack, during the scanning phase itself as explained in Section 4. Finally, most of the above cited works use quantifiers such as detection rate and false positive rates to evaluate the performance of their proposed botnet detection solutions.…”

Section: Related Workmentioning

confidence: 99%

Early Detection of Mirai-Like IoT Bots in Large-Scale Networks through Sub-sampled Packet Traffic Analysis

Kumar

Lim

2019

Lecture Notes in Networks and Systems

View full text Add to dashboard Cite

The widespread adoption of Internet of Things has led to many security issues. Recently, there have been malware attacks on IoT devices, the most prominent one being that of Mirai. IoT devices such as IP cameras, DVRs and routers were compromised by the Mirai malware and later large-scale DDoS attacks were propagated using those infected devices (bots) in October 2016. In this research, we develop a network-based algorithm which can be used to detect IoT bots infected by Mirai or similar malware in large-scale networks (e.g. ISP network). The algorithm particularly targets bots scanning the network for vulnerable devices since the typical scanning phase for botnets lasts for months and the bots can be detected much before they are involved in an actual attack. We analyze the unique signatures of the Mirai malware to identify its presence in an IoT device. The prospective deployment of our bot detection solution is discussed next along with the countermeasures which can be taken post detection. Further, to optimize the usage of computational resources, we use a two-dimensional (2D) packet sampling approach, wherein we sample the packets transmitted by IoT devices both across time and across the devices. Leveraging the Mirai signatures identified and the 2D packet sampling approach, a bot detection algorithm is proposed. Subsequently, we use testbed measurements and simulations to study the relationship between bot detection delays and the sampling frequencies for device packets. Finally, we derive insights from the obtained results and use them to design our proposed bot detection algorithm.

show abstract

“…• Detecting IoT device attacks from inspecting network traffic data collected from commercial IoT devices [23]. This dataset contains nine types of IoT devices which are subject to 10 types of attacks.…”

Section: Motivating Case Studiesmentioning

confidence: 99%

“…The dataset provides traces collected at different IoT devices. More details are provided in [23]. We aim to apply RAD to build a noiseresistant model to categorize the attacks for post fact analysis, e.g., for threat assessment.…”

Section: A Use Cases and Datasetsmentioning

confidence: 99%

Robust Anomaly Detection on Unreliable Data

Zhao

Cerf

Birke

et al. 2019

2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

View full text Add to dashboard Cite

Classification algorithms have been widely adopted to detect anomalies for various systems, e.g., IoT, cloud and face recognition, under the common assumption that the data source is clean, i.e., features and labels are correctly set. However, data collected from the wild can be unreliable due to careless annotations or malicious data transformation for incorrect anomaly detection. In this paper, we present a two-layer on-line learning framework for robust anomaly detection (RAD) in the presence of unreliable anomaly labels, where the first layer is to filter out the suspicious data, and the second layer detects the anomaly patterns from the remaining data. To adapt to the on-line nature of anomaly detection, we extend RAD with additional features of repetitively cleaning, conflicting opinions of classifiers, and oracle knowledge. We on-line learn from the incoming data streams and continuously cleanse the data, so as to adapt to the increasing learning capacity from the larger accumulated data set. Moreover, we explore the concept of oracle learning that provides additional information of true labels for difficult data points. We specifically focus on three use cases, (i) detecting 10 classes of IoT attacks, (ii) predicting 4 classes of task failures of big data jobs, (iii) recognising 20 celebrities faces. Our evaluation results show that RAD can robustly improve the accuracy of anomaly detection, to reach up to 98% for IoT device attacks (i.e., +11%), up to 84% for cloud task failures (i.e., +20%) under 40% noise, and up to 74% for face recognition (i.e., +28%) under 30% noisy labels. The proposed RAD is general and can be applied to different anomaly detection algorithms.

show abstract

N-BaIoT—Network-Based Detection of IoT Botnet Attacks Using Deep Autoencoders

Cited by 1,019 publications

References 18 publications

EDIMA: Early Detection of IoT Malware Network Activity Using Machine Learning Techniques

EDIMA: Early Detection of IoT Malware Network Activity Using Machine Learning Techniques

Early Detection of Mirai-Like IoT Bots in Large-Scale Networks through Sub-sampled Packet Traffic Analysis

Robust Anomaly Detection on Unreliable Data

Contact Info

Product

Resources

About