A study of IoT malware activities using association rule learning for darknet sensor data

Along with the proliferation of Internet of Things (IoT) devices, cyberattacks against these devices are on the rise. In this paper, we present a study on applying Association Rule Learning to discover the regularities of these attacks in the big stream data collected on a large-scale darknet. By exploring the regularities in IoT-related indicators such as destination ports, type of service, and TCP window sizes, we succeeded in discovering the activities of attacking hosts associated with well-known classes of malware programs. As a case study, we report an interesting observation of the attack campaigns before and after the first source code release of the well-known IoT malware Mirai. The experiments show that the proposed scheme is effective and efficient in the early detection and tracking of the activities of new malware on the Internet, and hence offers a promising approach to automating and accelerating the identification and mitigation of new cyber threats.
