Botnet Detection in the Internet of Things using Deep Learning Approaches

MCDERMOTT, C.D., MAJDANI, F. and PETROVSKI, A.V. 2018. Botnet detection in the Internet of Things using deep
learning approaches. In Proceedings of the 2018 International joint conference on neural networks (IJCNN 2018), 8-13
July 2018, Rio de Janeiro, Brazil. Piscataway, NJ: IEEE [online], article number 8489489. Available from:
https://doi.org/10.1109/IJCNN.2018.8489489
© 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other
uses, in any current or future media, including reprinting/republishing this material for advertising or
promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of
any copyrighted component of this work in other works.
This document was downloaded from
https://openair.rgu.ac.uk
Botnet Detection in the Internet of Things using
Deep Learning Approaches
Christopher D. McDermott, Farzan Majdani, Andrei V. Petrovski
School of Computing Science and Digital Media
Robert Gordon University
Aberdeen, United Kingdom
Emails: {c.d.mcdermott, f.majdani-shabestari, a.petrovski}@rgu.ac.uk
Abstract—The recent growth of the Internet of Things (IoT)
has resulted in a rise in IoT based DDoS attacks. This paper
presents a solution to the detection of botnet activity within
consumer IoT devices and networks. A novel application of
Deep Learning is used to develop a detection model based
on a Bidirectional Long Short Term Memory based Recurrent
Neural Network (BLSTM-RNN). Word Embedding is used for
text recognition and conversion of attack packets into tokenised
integer format. The developed BLSTM-RNN detection model is
compared to a LSTM-RNN for detecting four attack vectors
used by the mirai botnet, and evaluated for accuracy and loss.
The paper demonstrates that although the bidirectional approach
adds overhead to each epoch and increases processing time, it
proves to be a better progressive model over time. A labelled
dataset was generated as part of this research, and is available
upon request.
Index Terms—Deep Learning, LSTM, Word Embedding, IoT,
Botnet, Mirai, DDoS.
I. INTRODUCTION
The Internet of Things (IoT) is expected to usher in an
era of increased connectivity, with an estimated 50 billion
devices expected to be connected to the Internet by 2020
[1]. At its core, the aim of the IoT is to connect previously
unconnected devices to the Internet [2], thus creating smart
devices capable of collecting, storing and sharing data, without
requiring human interaction [3] [4]. Many of these IoT devices
are aimed at consumers, who value low cost and ease of
deployment over security. These market forces have resulted
in IoT manufacturers omitting critical security features, and
producing swathes of insecure Internet connected devices,
such as IP cameras and Digital Video Recorder (DVR) boxes.
Such vulnerabilities and exploits are often derived and epitomised
by inherent computational limitations, use of default
credentials and insecure protocols. The rapid proliferation of
insecure IoT devices and the ease with which attackers can locate
them using online services, such as Shodan, provides an ever
expanding pool of attack resources. By compromising and leveraging
multitudes of these vulnerable IoT devices, attackers can
now perform large scale attacks such as spamming, phishing
and Distributed Denial of Service (DDoS), against resources
on the Internet [5].
The rise in IoT based DDoS attacks, witnessed in recent
years, will likely continue until IoT manufacturers accept
responsibility and incorporate security mechanisms into their
devices. Until such a time, the IoT has the potential to become
the new playground for future cyber attacks and therefore
presents a number of challenges. Since an increasing number
of DDoS attacks seek to leverage consumer level IoT devices,
the issues highlighted previously, coupled with a lack of
technical knowledge or awareness of inherent vulnerabilities
among owners of these devices, present one such problem. This
challenge is further compounded by the lack of a convenient user
interface on many consumer IoT devices, making detection
and awareness of attacks in home networks practically impossible
for consumers.
To substantiate this issue, we undertook preliminary research
and created a secure sandboxed botnet environment.
An IoT IP Camera was successfully infected, and leveraged to
perform a sequence of DDoS attacks against a selected target.
During the infection process and attacks, the camera did not
display any adverse symptoms of infection, and continued to
function as expected. Remote access to the device was still
possible, and performance did not appear to be degraded. Live
video streaming continued to be as responsive as prior to
the attacks. Without any clear signs of an infection, it
was therefore confirmed that detection or awareness of botnet activity
would prove very difficult within consumer networks.
Current methods of botnet detection, such as signature or
flow based anomaly intrusion detection, have proved ineffective
in preventing the spread of IoT botnets, largely due to
simple code mutations rendering attack signatures obsolete or
a lack of protocol support (NetFlow, sFlow) within consumer
networks and equipment.
This paper presents a solution to the detection of botnet
activity within consumer IoT devices and networks. A novel
detection model was developed based on a Deep Bidirectional
Long Short Term Memory based Recurrent Neural Network
(BLSTM-RNN). Detection was performed at the packet level,
and focused on text recognition within features, normally
discarded by other flow based detection methods. Word Embedding
was used for text recognition and conversion, and
proved to be an effective method for predicting attack vectors.
The BLSTM-RNN detection model was compared with a
LSTM-RNN, and evaluated for accuracy and loss.

The main contributions of this paper can be defined as:
1) Producing a labelled and public dataset incorporating
botnet traffic, attack vectors, and normal traffic;
2) Developing a detection algorithm for text recognition of
features within botnet attack vectors;
3) Comparing LSTM and BLSTM Recurrent Neural Network
based detection models to detect and predict infected
IoT device traffic.
The rest of the paper is organized as follows: Section II
introduces botnet activity within the IoT, and the application
of deep learning for attack detection. Section III describes
the botnet architecture used to generate the botnet dataset.
It also details the use of a BLSTM-RNN in conjunction with
Word Embedding methodology to create a botnet detection
model. Section IV describes the process of data collection and
pre-processing. Section V evaluates the experimental results,
comparing the LSTM and BLSTM Recurrent Neural Network
models for accuracy and loss. Section VI draws conclusions
and suggests possible future research directions.
II. SECURITY IN THE INTERNET OF THINGS
Some of the most extensive and destructive cyber-attacks
deployed on the Internet have been Distributed Denial of
Service (DDoS) attacks. According to Akamai, a global leader
in web security, some of the largest DDoS attacks ever
recorded occurred in the second half of 2016. During this
time, attacks of over 100 Gbps, were up by 140% with three
attacks reaching over 300 Gbps [6]. Fuelled in full or part by
the Internet of Things, 88% of DDoS attacks in quarter 4 of
2017 employed a multi-vector attack strategy [7].
A. Botnets in the Internet of Things
Fig. 1. Botnet Infection and Proliferation
One of the most prominent examples of a DDoS attack
emanating from the IoT during this period was the Mirai
botnet. Mirai is a piece of malware that attempts to find and
infect IoT devices to establish and propagate a network of
robots (botnet) consisting of the infected IoT devices (bots).
An attacker (botmaster) then uses a command and control
(C&C) server to remotely control the bots, forcing them to
participate in DDoS attacks against targets on the Internet. On
September 20 2016 the Mirai botnet was used to perform an
unprecedented 620 Gbps DDoS attack on security journalist
Brian Krebs' website krebsonsecurity.com [8]. Shortly after it
was also responsible for a series of additional DDoS attacks
peaking at over 1.2 Tbps against French hosting company
OVH and DNS provider DYN, who estimated that up to 100
000 infected IoT devices (bots) were involved in the attack.
The severity of the DYN attack was sufficient to cause major
disruption on the Internet, and render several high profile
websites such as GitHub, Twitter, Reddit, Netflix, inaccessible
[9].
Fig. 1 shows the process of infection and propagation
method employed by Mirai. The Mirai infrastructure consists
of a command and control (C&C) server, a Scan/Loader server
and infected IoT devices known as bots.
Infection and propagation occur by exploiting weak default
security credentials found on many IoT devices running busybox,
an embedded version of Linux. An attacker (botmaster)
starts the process by connecting to the Scan/Loader server
(step 1) and initiating ./loader to execute the scanner.c module,
and scan the Internet for vulnerable IoT devices with Telnet
services and ports 23 or 2323 open (step 2). Upon detecting
a vulnerable device, the malware attempts to brute force a
successful login using a list of 62 known default usernames
and passwords. If successful, login credentials and device
information are sent back to the C&C server, and will be
used later by the Scan/Loader server to log in and deliver
the malware to the vulnerable device (step 3). An infect
command is sent from the C&C server to the Scan/Loader
server containing all necessary information such as login
details, IP address, hardware architecture. Mirai supports multiple
hardware architectures, including arm, mips, sparc and
powerpc (step 4).
The Scan/Loader server uses this information to log in
and instruct the vulnerable device to tftp or wget to the
Scan/Loader server, download and execute the corresponding
payload binary. Once executed, the first infected IoT device
becomes part of the Mirai botnet and can communicate with
the C&C server. The malware binary is removed and runs
only in memory, to avoid detection (step 5). The botmaster
can now issue attack commands, specifying parameters such
as attack duration and target (step 6). The malware includes
10 DDoS attack types, including UDP flood (udp), Recursive
DNS (dns), SYN packet flood (syn), ACK packet flood (ack),
GRE flood (gre ip), which can be used to attack a target on
the Internet (step 7). The first bot now attempts to repeat
the infection process and propagate the botnet by scanning
the Internet for additional vulnerable IoT devices with Telnet
services and ports 23 or 2323 open (step 8). New vulnerable
IoT device information is returned to the C&C server (step
9). A new infect command is issued to the Scan/Loader server
(step 10). The appropriate hardware binary is loaded onto the
newly discovered vulnerable IoT device (step 11). The relevant
attack command is issued from the C&C server (step 12).
The attack is executed by the newly infected second bot, in
conjunction with the first bot (step 13). Scanning for additional
vulnerable IoT devices is repeated to further expand the botnet
(step 14).

B. Deep Learning for Attack Detection
The increasing presence of IoT systems in a broad range
of applications, as well as their increasing computing and
processing capabilities make them a valuable attack target,
such as network packets and malware designed to compromise
specific IoT devices. Attack detection in IoT systems is
notably different from the existing mechanisms because of
the special service requirements, such as low latency, resource
specificity, distributed nature, mobility, to mention a few
[10]. This means that conventional network attack detection
has limited application in addressing IoT security problems.
According to Kaspersky Lab, in 2016 the majority of IoT
devices examined were insecure, using default passwords or
unpatched vulnerabilities, and easily compromised by Mirai
and Hajime malware [11]. A considerable number of zero-day
attacks are continuously emerging because of the addition of
various IoT protocols. Most of these attacks are small variants
of previously known cyber-attacks that present a difficulty in
their detection even for advanced computational intelligence
mechanisms such as traditional machine learning systems.
Previous literature has suggested the potential of leveraging
machine learning to enhance security threat hunting,
but it is not practical to simply integrate machine learning
in static and dynamic cyber security analysis due to the
wide variety and distribution of IoT devices, particularly
for (inexpensive) IoT devices with limited processing power
[12]. On the other hand, the success of deep learning (DL)
in various big data fields has attracted noticeable interest
in cybersecurity fields. The application of DL has become
practical because of the advances in computer architecture
(e.g. NVIDIA DGX platforms) and in development of new
neural network libraries (such as Theano and Tensorflow for
instance); also, the availability of large and diverse training
datasets made a contribution to the effectiveness of deep
learning algorithms.
Deep learning (DL) enables several breakthroughs of conventional
AI tasks in the fields of image processing, pattern
recognition and computer vision. Deep networks are capable of
achieving significant improvement in accuracy of classification
and predictions in these complex tasks. The main benefits of
deep learning are the absence of manual feature engineering,
unsupervised pre-training and compression capabilities, which
make the application of deep learning feasible even in
resource-constrained networks. It means that the capability of DL
to self-learn results in higher accuracy and faster processing,
which can be effectively utilised for novel distributed
attack detection in IoT systems [13]. This is very important
in the context of IoT security because such systems face a
plethora of security problems, including jamming, spoofing,
replaying and eavesdropping, but are also prone to issues related
to resource constraints, e.g. out-of-memory accesses, unsafe
programming languages, etc. [14].
This research is aimed at adopting a deep learning approach
to cybersecurity to enable the detection of botnet attacks. Other
machine learning and evolutionary computing techniques have
been successfully applied in mitigating against botnet attacks.
One example is the use of swarm intelligence for destroying
any rigid master-slave relationship between bots and for autonomizing
the bot operating roles [15]. The evolving behaviour
of botnets often enables them to circumvent the traditional detection
approaches. The development of behavioural detection
approaches, however, has helped in dealing with the constant
change in the botnet activities by finding the common patterns
that botnets follow across their life cycle. For instance, all the
bots need to connect to the C&C server to receive new orders,
and this kind of behaviour, observed only after a long period
of time, can guide the detection methods.
Fig. 2. Botnet Architecture and Deep Learning Detection Model
[Figure: botnet architecture (IoT Devices (a) and (b), Target, Scan/Loader, DNS, CnC, Packet Sniffer on mirrored port Tap0; legend: Scan, Infection, Control, Attack) and deep learning detection model (Pre-Processing, Modelling, Anomaly Detection; Data Tokenisation, Normalisation, Reduction, Defining, Fitting, Evaluation, Testing and Classification; Alert User).]
One implication of observing the network traffic over a
long period is the necessity to successfully deal with large
data sequences. Recurrent neural networks (RNN) in general,
and one of its variants the Long Short Term Memory (LSTM)
network have been proven effective in recognizing the different
sequences of states that change over time, bridging thereby
long time lags between relevant input and target output [16].
This type of structure is theoretically well suited and has
been proven a powerful model for tagging tasks with applications
in natural language processing, machine translation,
image recognition, and the like [17]. A bidirectional LSTM
(BLSTM), furthermore, introduces two independent layers to
accumulate contextual information both from the past and the
future [12]. The main contribution of this paper is the application
of the variants of LSTM networks for implementing deep
learning in network traffic analysis aimed at detecting botnet
attacks.

III. METHODOLOGY
To promote reproducibility of this paper, a detailed description
of the botnet environment and algorithm implementation is
presented.
A. Experimental Setup
A secure sandboxed environment was created as shown in
Fig. 2. This consisted of a command and control (C&C) server, a
Scan/Loader server and an additional utilities server to handle
DNS queries and reporting. A soft tap (Tap0) SPAN port was
created to mirror all relevant traffic to a packet sniffing device,
to capture for later analysis. Two Sricam AP009 IP Cameras
running busybox utilities were used as bots to attack a target
Raspberry Pi.
The Mirai source code was downloaded from GitHub. To
ensure a true representation of a Mirai infection and attack,
amendments to the source code were kept to a minimum;
however, some configuration changes were required to comply
with ethical and legal regulations.
1) C&C Server Configuration:
Essential packages were installed using apt-get install unzip
gcc golang electric-fence screen -y
Domains were created for report.McDPhD.org and
cnc.McDPhD.org, and added to table.c and main.go.
MySQL was installed using apt-get install mysql-server
mysql-client -y and a user created using INSERT INTO users
VALUES (NULL, 'miraiuser', 'miraipassword', 0, 0, 0, 0, -1,
1, 30, ); Once configured, main.go was edited to include the
MySQL credentials.
Cross compilers for the required binary architectures
(e.g. arm, mips) were installed and appropriate export
paths added to /etc/profile using
export PATH=$PATH:/etc/xcompile/mips/bin. To allow information regarding C&C
connections, compiler issues and flood status to be sent to the
C&C server, ./build.sh debug telnet was run. The required
binary files for each architecture were created and stored in
the release directory using ./build.sh release
2) Scan Loader Server Configuration:
Apache was installed using apt-get install apache2 -y and the
binary architecture files created earlier were moved to the
loader/bins directory. The Scan/Loader IP address was added
to main.c and full permission granted using chmod 777 *. The
loader file was compiled and added to the loader directory
using ./build.sh
To reduce the number of IP ranges available for scanning
and ensure the range used in our environment was allowed,
excluded IP ranges were amended in scanner.c to reflect our
topology.
The Scan/Loader IP address was added to scanListen.go
and port 48101 specified as the default port to listen for brute
force results. Within the tools directory the scanListen file
was compiled using go build scanListen.go and moved to the
loader directory.
The Sricam AP009 IP camera used in the lab setup did not
include wget, therefore tftp was installed using apt-get install
tftpd tftp.
Algorithm 1 Botnet Detection Algorithm
dataProcessing (dataset)
    unitToDrop ← 25%
    Parse data to predefined format
    Define token dictionary
    repeat
        /* Parse data to format */
        for row ← 1, rows do
            Convert text to tokenised integer format
            Index tokenised text
            Create dictionary of tokenised text indices
            Pad data arrays with 0s to max 25
            Inject additional tokenised features into array
        end for
    until return dataset
    Split Training and Test based on unitToDrop
TrainAndValidate (trainingData, testData)
    model ← sequential()
    cell ← 0
    activation ← sigmoid
    loss ← mae
    optimiser ← Adam
    epochs ← 100
    Create new BLSTM/LSTM unit
    Add LSTM unit to model
    Create new Dense Layer
    Add Dense Layer to model
    Set activation for Dense Layer
    Compile model using Optimiser and Loss
    repeat
        /* Fit Model */
        for epoch ← 1, epochs do
            Evaluate Loss, Validation Loss
            Evaluate Accuracy and Validation Accuracy
        end for
    until All epochs completed
    Return Loss, ValLoss, Acc, ValAcc
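An added example, not the authors' code: a Python sketch of the dataProcessing stage of Algorithm 1, turning packet text into integer token arrays padded with 0s to 25 and followed by the Protocol and Length features. The sample rows, field names, the reserved index 1 for unseen values, the every-fourth-row hold-out, the Length scaling, and fitting the dictionary on the training rows only (so traffic unseen at training time still encodes) are assumptions of this example.

```python
import re
from collections import Counter

MAX_LEN = 25           # Algorithm 1: pad data arrays with 0s to max 25
UNIT_TO_DROP = 0.25    # Algorithm 1: unitToDrop, the share held out for testing
PAD, UNKNOWN = 0, 1    # 0 = padding; 1 = value never seen in training (assumption)
LABELS = ["norm", "mirai", "udp", "dns", "ack"]  # ground-truth labels named by the paper

# Constructed rows in the style of a packet-capture export (not the authors' dataset).
SAMPLE_ROWS = [
    {"protocol": "TCP", "length": 74, "info": "40112 > 23 [SYN] Seq=0 Win=14600 Len=0", "label": "mirai"},
    {"protocol": "UDP", "length": 554, "info": "52344 > 80 Len=512", "label": "udp"},
    {"protocol": "DNS", "length": 85, "info": "Standard query 0x1a2b A xkq3.example.org", "label": "dns"},
    {"protocol": "TCP", "length": 54, "info": "39211 > 80 [ACK] Seq=1 Ack=1 Win=14600 Len=0", "label": "ack"},
    {"protocol": "HTTP", "length": 215, "info": "GET /index.html HTTP/1.1", "label": "norm"},
    {"protocol": "TCP", "length": 74, "info": "40113 > 2323 [SYN] Seq=0 Win=14600 Len=0", "label": "mirai"},
    {"protocol": "UDP", "length": 554, "info": "52345 > 80 Len=512", "label": "udp"},
    {"protocol": "DNS", "length": 86, "info": "Standard query 0x1a2c A p9zd.example.org", "label": "dns"},
]


def tokenise(text):
    """Lower-case the packet text and split it into alphanumeric tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def split_rows(rows):
    """Hold out every fourth row (25%) rather than the tail of the capture."""
    step = round(1 / UNIT_TO_DROP)
    train = [r for i, r in enumerate(rows) if (i + 1) % step]
    test = [r for i, r in enumerate(rows) if not (i + 1) % step]
    return train, test


def fit(train_rows):
    """Build the token and protocol dictionaries from the training rows only."""
    counts = Counter(t for r in train_rows for t in tokenise(r["info"]))
    # Most frequent token gets the lowest index; ties are broken alphabetically.
    ordered = sorted(counts, key=lambda t: (-counts[t], t))
    token_index = {t: i for i, t in enumerate(ordered, start=2)}
    protocols = sorted({r["protocol"] for r in train_rows})
    protocol_index = {p: i for i, p in enumerate(protocols, start=2)}
    max_length = max(r["length"] for r in train_rows)
    return token_index, protocol_index, max_length


def encode(row, token_index, protocol_index, max_length):
    """Return (feature vector, label id) for one packet row."""
    ids = [token_index.get(t, UNKNOWN) for t in tokenise(row["info"])][:MAX_LEN]
    ids += [PAD] * (MAX_LEN - len(ids))              # right-pad short rows with 0s
    protocol = protocol_index.get(row["protocol"], UNKNOWN)
    length = min(row["length"] / max_length, 1.0)    # scale to [0, 1], clamp outliers
    return ids + [protocol, length], LABELS.index(row["label"])


def prepare(rows):
    """Split, fit on the training part, then encode both parts."""
    train, test = split_rows(rows)
    fitted = fit(train)
    return ([encode(r, *fitted) for r in train],
            [encode(r, *fitted) for r in test],
            fitted)


if __name__ == "__main__":
    train, test, (tokens, protocols, max_length) = prepare(SAMPLE_ROWS)
    print(len(train), "training rows,", len(test), "test rows,", len(tokens), "tokens")
    for vector, label in test:
        print(LABELS[label], vector)
```

The held-out ACK packet shows the effect of fitting on training rows only: its source port and the token ack were never seen, so both encode as 1 instead of raising a lookup error.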
A tftp configuration was created using touch
/etc/xinetd.d/tftp and /tftpboot specified as the directory
where the architecture binary files will be copied to for
later delivering the payload.
3) DNS Server Configuration:
The Mirai malware requires access to a DNS server
to discover the C&C server's IP address. Bind9 software
was installed and used to create two required domains,
report.McDPhD.org and cnc.McDPhD.org, in named.conf.local.
These will be used by the bots to report IoT device information
and communicate with the C&C server.
B. Pre-Processing using Word Embedding
The developed model uses a novel application of Deep
Bidirectional Long Short Term Memory based Recurrent
Neural Network (BLSTM-RNN), in conjunction with Word

References

The Internet of Things: A survey
TL;DR: This survey is directed to those who want to approach this complex discipline and contribute to its development, and finds that still major issues shall be faced by the research community.

DDoS in the IoT: Mirai and Other Botnets
TL;DR: The Mirai botnet and its variants and imitators are a wake-up call to the industry to better secure Internet of Things devices or risk exposing the Internet infrastructure to increasingly disruptive distributed denial-of-service attacks.

Distributed attack detection scheme using deep learning approach for Internet of Things
TL;DR: The experiments have shown that the distributed attack detection system is superior to centralized detection systems using deep learning model, and it has been demonstrated that the deep model is more effective in attack detection than its shallow counter parts.

A Comprehensive Study of Security of Internet-of-Things
TL;DR: This survey attempts to provide a comprehensive list of vulnerabilities and countermeasures against them on the edge-side layer of IoT, which consists of three levels: (i) edge nodes, (ii) communication, and (iii) edge computing.

A deep Recurrent Neural Network based approach for Internet of Things malware threat hunting
TL;DR: The potential of using Recurrent Neural Network (RNN) deep learning in detecting IoT malware by using RNN to analyze ARM-based IoT applications' execution operation codes (OpCodes) is explored.
Frequently Asked Questions (22)
Q1. What are the contributions in "Botnet detection in the internet of things using deep learning approaches" ?

This paper presents a solution to the detection of botnet activity within consumer IoT devices and networks. The paper demonstrates that although the bidirectional approach adds overhead to each epoch and increases processing time, it proves to be a better progressive model over time. A labelled dataset was generated as part of this research, and is available upon request. 

Furthermore, although the bidirectional approach adds overhead to each epoch, and increases processing time, it appears to be a better progressive model over time. Several avenues for future research have been identified. By helping consumers become aware when their device is infected, the authors hope to raise awareness of the inherent vulnerabilities, and aid them to make better choices in the future, with regard to procurement, and operation of such devices. Firstly a second more comprehensive dataset will be generated, incorporating all ten attack vectors used by the mirai botnet malware. To demonstrate the ability of their developed model to detect new variations of botnets, a mutated version of the mirai source code will be used to generate a third dataset, and will be compared against existing signature and flow based anomaly detection methods. 

Since attacks are often closely coupled to the protocol used and the length of the captured packet, the Protocol and Length features were also required to be included in the array. 

Mobaxterm was used to create a secure shell (ssh) into the C&C server, before executing command screen ./cnc from within the mirai/release directory, to start the MYSQL database. 

In order to train and validate their detection model, ground-truth labels norm, mirai, udp, dns, ack were assigned to the captured data, ready to be ingested into the detection model. 

To evaluate their detection models the authors required a dataset which contained a mixture of IoT botnet communication, multiple attack vectors and normal IoT device traffic. 

The third capture (udp.pcap) consisted of a single (udp) flood attack, whereby the C&C server issued the attack command, and the infected IoT device flooded its target with bursts of (udp) packets for a total period of 60 seconds. 

Results for mirai, udp, and dns were very encouraging with 99%, 98%, 98% validation accuracy and 0.000809, 0.125630, 0.116453 validation loss metrics respectively. 

The mirai botnet malware contains ten available attack vectors, which infected IoT devices can utilise to engage in DDoS attacks against targets. 

The fourth capture (dns.pcap) consisted of a single (dns) flood attack, whereby the C&C server issued the attack command, and the infected IoT device flooded its target with bursts of (dns) packets for a total period of 60 seconds. 

Finally in the Anomaly Detection phase the generated dataset is tested to determine the effectiveness of the model in terms of accuracy and loss. 

Row 7 of Table V shows that an increase in sample size improves the overall validation accuracy to 92%, with BLSTM-RNN returning the better loss metric, meaning this model was able to better predict attack traffic when presented with a larger sample size. 

This paper presents the implementation of deep learning using a Bidirectional Long Short Term Memory Recurrent Neural Network (BLSTM-RNN), in conjunction with Word Embedding for botnet detection.