Botnet Detection in the Internet of Things using Deep Learning Approaches
Citations
A Survey of Deep Learning Methods for Cyber Security
A Supervised Intrusion Detection System for Smart Home IoT Devices
Comprehensive Review of Artificial Neural Network Applications to Pattern Recognition
Deep Learning Models for Cyber Security in IoT Networks
Deep learning and big data technologies for IoT security
References
The Internet of Things: A survey
DDoS in the IoT: Mirai and Other Botnets
Distributed attack detection scheme using deep learning approach for Internet of Things
A Comprehensive Study of Security of Internet-of-Things
A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting
Frequently Asked Questions (22)
Q2. What are the future works mentioned in the paper "Botnet detection in the internet of things using deep learning approaches" ?
Furthermore, although the bidirectional approach adds overhead to each epoch and increases processing time, it appears to be a better progressive model over time. Several avenues for future research have been identified. Firstly, a second, more comprehensive dataset will be generated, incorporating all ten attack vectors used by the Mirai botnet malware. To demonstrate the ability of their developed model to detect new variations of botnets, a mutated version of the Mirai source code will be used to generate a third dataset, which will be compared against existing signature-based and flow-based anomaly detection methods. By helping consumers become aware when their device is infected, the authors hope to raise awareness of the inherent vulnerabilities and help them make better choices in the future with regard to the procurement and operation of such devices.
Q3. What features were required to be included in the array?
Since attacks are often closely coupled to the protocol used and the length of the captured packet, the Protocol and Length features also needed to be included in the array.
Q4. What was the source code for the Mirai?
Two Sricam AP009 IP cameras running BusyBox utilities were used as bots to attack a target Raspberry Pi. The Mirai source code was downloaded from GitHub.
Q5. What was used to create a secure shell (ssh) into the C&C?
MobaXterm was used to create a secure shell (SSH) session into the C&C server, before executing the command screen ./cnc from within the mirai/release directory to start the MySQL database.
Q6. What was used to train and validate the detection model?
In order to train and validate their detection model, the ground-truth labels norm, mirai, udp, dns and ack were assigned to the captured data, ready to be ingested into the detection model.
Q7. What is the main contribution of this paper?
The main contribution of this paper is the application of the variants of LSTM networks for implementing deep learning in network traffic analysis aimed at detecting botnet attacks.
Q8. What is the implication of observing the network traffic over a long period of time?
One implication of observing the network traffic over a long period is the necessity to successfully deal with large data sequences.
Q9. How many Tbps did the Mirai botnet attack?
Tbps against French hosting company OVH and DNS provider DYN, who estimated that up to 100 000 infected IoT devices (bots) were involved in the attack.
Q10. What was the purpose of the telnet command?
To allow information regarding C&C connections, compiler issues and flood status to be sent to the C&C server, ./build.sh debug telnet was run.
Q11. What is the way to evaluate the mirai botnet detection model?
To evaluate their detection models the authors required a dataset which contained a mixture of IoT botnet communication, multiple attack vectors and normal IoT device traffic.
Q12. What was the required binary files for each architecture?
The required binary files for each architecture were created and stored in the release directory using ./build.sh release. 2) Scan/Loader Server Configuration: Apache was installed using apt-get install apache2 -y, and the binary architecture files created earlier were moved to the loader/bins directory.
Q13. What was the first capture of the dns attack?
The third capture (udp.pcap) consisted of a single UDP flood attack, whereby the C&C server issued the attack command and the infected IoT device flooded its target with bursts of UDP packets for a total period of 60 seconds.
Q14. What are the results for mirai, udp, and dns?
Results for mirai, udp and dns were very encouraging, with 99%, 98% and 98% validation accuracy and 0.000809, 0.125630 and 0.116453 validation loss respectively.
Q15. How many attacks can mirai use to attack?
The mirai botnet malware contains ten available attack vectors, which infected IoT devices can utilise to engage in DDoS attacks against targets.
Q16. What is the way to test the accuracy of the mirai botnet detection model?
To demonstrate the ability of their developed model to detect new variations of botnets, a mutated version of the Mirai source code will be used to generate a third dataset, which will be compared against existing signature-based and flow-based anomaly detection methods.
Q17. What was the first capture of the dns flood?
The fourth capture (dns.pcap) consisted of a single DNS flood attack, whereby the C&C server issued the attack command and the infected IoT device flooded its target with bursts of DNS packets for a total period of 60 seconds.
Q18. What port was used to listen for brute force results?
The Scan/Loader IP address was added to scanListen.go, and port 48101 was specified as the default port on which to listen for brute-force results.
Q19. What is the way to test the model?
Finally, in the Anomaly Detection phase, the generated dataset is tested to determine the effectiveness of the model in terms of accuracy and loss.
Q20. What is the definition of a botnet?
Mirai is a piece of malware that attempts to find and infect IoT devices to establish and propagate a network of robots (botnet) consisting of the infected IoT devices (bots).
Q21. What is the way to measure the accuracy of the BLSTM-RNN?
Row 7 of Table V shows that an increase in sample size improves the overall validation accuracy to 92%, with BLSTM-RNN returning the better loss metric, meaning this model was able to better predict attack traffic when presented with a larger sample size.
Q22. What is the description of the paper?
This paper presents the implementation of deep learning using a Bidirectional Long Short-Term Memory Recurrent Neural Network (BLSTM-RNN), in conjunction with word embedding, for botnet detection.