论文信息 - Profiling IoT-Based Botnet Traffic Using DNS

Profiling IoT-Based Botnet Traffic Using DNS

Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016 myriads of Mirai-alike IoT-based botnets have emerged. Such botnets rely on Mirai's base malware code and they infiltrate vulnerable IoT devices on an Internet-wide scale such as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-alike IoT-based botnets go far beyond traditional pre-2016 DDoS attacks since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We firstly discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our resulted outputs indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.

Vasileios Giotsas | Angelos K. Marnerides | Owen Dwyer | Troy Mursch

[1] Xuan Dau Hoang,et al. Botnet Detection Based On Machine Learning Techniques Using DNS Query Data , 2018, Future Internet.

[2] Mikko Hypponen,et al. The Internet of (Vulnerable) Things: On Hypponen's Law, Security Engineering, and IoT Legislation , 2017 .

[3] Yi Zhou,et al. Understanding the Mirai Botnet , 2017, USENIX Security Symposium.

[4] Hahn-Ming Lee,et al. Fast-flux service network detection based on spatial snapshot mechanism for delay-free detection , 2010, ASIACCS '10.

[5] Wenke Lee,et al. Detecting Malicious Flux Service Networks through Passive Analysis of Recursive DNS Traces , 2009, 2009 Annual Computer Security Applications Conference.

[6] Felix C. Freiling,et al. Measuring and Detecting Fast-Flux Service Networks , 2008, NDSS.

[7] Leyla Bilge,et al. Exposure: A Passive DNS Analysis Service to Detect and Report Malicious Domains , 2014, TSEC.

[8] Etienne Stalmans,et al. A framework for DNS based detection and mitigation of malware infections on a network , 2011, 2011 Information Security for South Africa.

[9] Kishore Angrishi,et al. Turning Internet of Things(IoT) into Internet of Vulnerabilities (IoV) : IoT Botnets , 2017, ArXiv.

[10] Khaled Salah,et al. IoT security: Review, blockchain solutions, and open challenges , 2017, Future Gener. Comput. Syst..

[11] Darragh O'Brien,et al. DNS Traffic Analysis for Botnet Detection , 2017, AICS.