V-Sandbox for Dynamic Analysis IoT Botnet

Le, Hai-Viet; Ngo, Quoc-Dung

doi:10.1109/access.2020.3014891

Cited by 25 publications

(10 citation statements)

References 51 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Hai-Viet Le 13 proposed IoT-BDA framework to combat the smartness of the IoT botnets. The IoT-BDA architecture comprises a variety of honeypots and newly evolved sandboxes, and it is made up of blocks such as BCB and BAB.…”

Section: Related Workmentioning

confidence: 99%

An Efficient Framework for Detection and Classification of IoT Botnet Traffic

et al. 2022

View full text Add to dashboard Cite

The Internet of Things (IoT) has become an integral requirement to equip common life. According to IDC, the number of IoT devices may increase exponentially up to a trillion in near future. Thus, their cyberspace having inherent vulnerabilities leads to various possible serious cyber-attacks. So, the security of IoT systems becomes the prime concern for its consumers and businesses. Therefore, to enhance the reliability of IoT security systems, a better and real-time approach is required. For this purpose, the creation of a real-time dataset is essential for IoT traffic analysis. In this paper, the experimental testbed has been devised for the generation of a real-time dataset using the IoT botnet traffic in which each of the bots consists of several possible attacks. Besides, an extensive comparative study of the proposed dataset and existing datasets are done using popular Machine Learning (ML) techniques to show its relevance in the real-time scenario.

show abstract

Section: Related Workmentioning

confidence: 99%

An Efficient Framework for Detection and Classification of IoT Botnet Traffic

et al. 2022

View full text Add to dashboard Cite

show abstract

“…The results are summarised in Table 27. Padawan The static analysis is provided by most of the proposed sandboxes except for IoTBOX [9] and V-Sandbox [18]. IoT-BDA BAB provides the most detailed static analysis by identifying IoC and anti-static-analysis techniques such as packing and string encoding.…”

Section: B Botnet Samples Analysismentioning

confidence: 99%

“…d) Library support: The availability of the required libraries may affect the outcome of the sample execution. From the compared sandboxes, only V-Sandbox employs an agent that provides the shared object (SO) libraries to the sample [18]. The SO libraries are obtained from publicly available IoT devices firmware.…”

Section: B Botnet Samples Analysismentioning

confidence: 99%

An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)

Trajanovski¹,

Zhang

2021

IEEE Access

View full text Add to dashboard Cite

The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analyzing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis in sandboxes, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose and evaluate a novel framework, the IoT-BDA framework, for automated capturing, analysis, identification, and reporting of IoT botnets. The framework consists of honeypots integrated with a novel sandbox that supports a wider range of hardware and software configurations, and can identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can make botnet detection and analysis, and infection remedy more effective. The framework reports the findings to a blacklist and abuse service to facilitate botnet suspension. The paper also describes the discovered anti-honeypot techniques and the measures applied to reduce the risk of honeypot detection. Over the period of seven months, the framework captured, analyzed, and reported 4077 unique IoT botnet samples. The analysis results show that some IoT botnets used antianalysis, persistence, and anti-forensics techniques typically seen in traditional botnets.

show abstract

“…However, the large number of IoT botnet samples collected by antivirus vendors makes it impossible for the malware analysts to examine each botnet sample [7]. Although significant efforts have been made for automating the analysis of IoT botnet samples using sandboxes [8][9][10], the analysis results still need to be interpreted by malware analysts. This challenge can be overcome by grouping together samples that exhibit similar behaviours into clusters.…”

Section: Introductionmentioning

confidence: 99%

“…To be able to capture the behaviour of the botnets infecting a single CPU architecture, the sandbox should support the CPU architectures which are the most targeted by IoT botnets. Furthermore, a botnet sample may require software tools and libraries that are expected to be available on the vulnerable devices [10].…”

mentioning

confidence: 99%

An Automated Behaviour-Based Clustering of IoT Botnets

Trajanovski

Zhang

2021

Future Internet

View full text Add to dashboard Cite

The leaked IoT botnet source-codes have facilitated the proliferation of different IoT botnet variants, some of which are equipped with new capabilities and may be difficult to detect. Despite the availability of solutions for automated analysis of IoT botnet samples, the identification of new variants is still very challenging because the analysis results must be manually interpreted by malware analysts. To overcome this challenge, we propose an approach for automated behaviour-based clustering of IoT botnet samples, aimed to enable automatic identification of IoT botnet variants equipped with new capabilities. In the proposed approach, the behaviour of the IoT botnet samples is captured using a sandbox and represented as behaviour profiles describing the actions performed by the samples. The behaviour profiles are vectorised using TF-IDF and clustered using the DBSCAN algorithm. The proposed approach was evaluated using a collection of samples captured from IoT botnets propagating on the Internet. The evaluation shows that the proposed approach enables accurate automatic identification of IoT botnet variants equipped with new capabilities, which will help security researchers to investigate the new capabilities, and to apply the investigation findings for improving the solutions for detecting and preventing IoT botnet infections.

show abstract

V-Sandbox for Dynamic Analysis IoT Botnet

Cited by 25 publications

References 51 publications

An Efficient Framework for Detection and Classification of IoT Botnet Traffic

An Efficient Framework for Detection and Classification of IoT Botnet Traffic

An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)

An Automated Behaviour-Based Clustering of IoT Botnets

Contact Info

Product

Resources

About