On data-driven curation, learning, and analysis for inferring evolving internet-of-Things (IoT) botnets in the wild

Author First name, Last name, Institution

Morteza Safaei Pour, The University of Texas at San Antonio
Antonio Mangino, The University of Texas at San Antonio
Kurt Friday, The University of Texas at San Antonio
Matthias Rathbun, Florida Atlantic University
Elias Bou-Harb, The University of Texas at San Antonio
Farkhund Iqbal, Zayed UniversityFollow
Sagar Samtani, University of South Florida, Tampa
Jorge Crichigno, University of South Carolina
Nasir Ghani, University of South Florida, Tampa

ORCID Identifiers

0000-0003-1176-6274

0000-0002-4123-7579

0000-0001-8040-4635

Document Type

Article

Source of Publication

Computers and Security

Publication Date

4-1-2020

Abstract

© 2020 Elsevier Ltd The insecurity of the Internet-of-Things (IoT) paradigm continues to wreak havoc in consumer and critical infrastructures. The highly heterogeneous nature of IoT devices and their widespread deployments has led to the rise of several key security and measurement-based challenges, significantly crippling the process of collecting, analyzing and correlating IoT-centric data. To this end, this paper explores macroscopic, passive empirical data to shed light on this evolving threat phenomena. The proposed work aims to classify and infer Internet-scale compromised IoT devices by solely observing one-way network traffic, while also uncovering, reporting and thoroughly analyzing “in the wild” IoT botnets. To prepare a relevant dataset, a novel probabilistic model is developed to cleanse unrelated traffic by removing noise samples (i.e., misconfigured network traffic). Subsequently, several shallow and deep learning models are evaluated in an effort to train an effective multi-window convolutional neural network. By leveraging active and passing measurements when generating the training dataset, the neural network aims to accurately identify compromised IoT devices. Consequently, to infer orchestrated and unsolicited activities that have been generated by well-coordinated IoT botnets, hierarchical agglomerative clustering is employed by scrutinizing a set of innovative and efficient network feature sets. Analyzing 3.6 TB of recently captured darknet traffic revealed a momentous 440,000 compromised IoT devices and generated evidence-based artifacts related to 350 IoT botnets. Moreover, by conducting thorough analysis of such inferred campaigns, we reveal their scanning behaviors, packet inter-arrival times, employed rates and geo-distributions. Although several campaigns exhibit significant differences in these aspects, some are more distinguishable; by being limited to specific geo-locations or by executing scans on random ports besides their core targets. While many of the inferred botnets belong to previously documented campaigns such as Hide and Seek, Hajime and Fbot, newly discovered events portray the evolving nature of such IoT threat phenomena by demonstrating growing cryptojacking capabilities or by targeting industrial control services. To motivate empirical (and operational) IoT cyber security initiatives as well as aid in reproducibility of the obtained results, we make the source codes of all the developed methods and techniques available to the research community at large.

DOI Link

10.1016/j.cose.2019.101707

ISSN

0167-4048

Publisher

Elsevier Ltd

Volume

91

First Page

101707

Disciplines

Computer Sciences

Keywords

Cyber forensics, Data science, Internet measurements, Internet-of-things, IoT Security

Scopus ID

85079171097

Recommended Citation

Safaei Pour, Morteza; Mangino, Antonio; Friday, Kurt; Rathbun, Matthias; Bou-Harb, Elias; Iqbal, Farkhund; Samtani, Sagar; Crichigno, Jorge; and Ghani, Nasir, "On data-driven curation, learning, and analysis for inferring evolving internet-of-Things (IoT) botnets in the wild" (2020). All Works. 2547.
https://zuscholars.zu.ac.ae/works/2547

Indexed in Scopus

yes

Open Access

no