An Automated and Comprehensive Framework for IoT Botnet Detection and Analysis (IoT-BDA)
by Tolijan Trajanovski, Ning Zhang, 2021
Abstract
The proliferation of insecure Internet-connected devices gave rise to IoT botnets, which can grow very large rapidly and may perform high-impact cyber-attacks. Related studies on tackling IoT botnets are concerned with either capturing or analysing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that samples captured by the honeypots must be manually submitted for analysis, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and by the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose the IoT-BDA framework for automated capturing, analysis, identification, and reporting of IoT botnets. The captured samples are analysed in real time to identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can help botnet detection and analysis, as well as infection remediation. The framework reports its findings to a blacklist and abuse service to facilitate botnet suspension. We also describe the discovered anti-honeypot techniques and the measures applied to reduce the risk of honeypot detection. Over a period of seven months, the framework captured, analysed, and reported 4077 unique IoT botnet samples. The analysis results show that IoT botnets may employ persistence, anti-analysis and anti-forensics techniques typical of traditional botnets. The in-depth analysis also discovered IoT botnets using techniques for evading network detection.
arXiv: 2105.11061v1