BOND: Efficient and Frugal DL Model Co-design for Botnet detection on IoT Gateways

A botnet is a network of devices infected by the same malware that acts as a single entity under the control of a botmaster. Botnets are the biggest cybersecurity threat for carrying out large-scale attacks, from spamming and ransomware to data exfiltration and denial-of-service attacks. Lightweight IoT devices lacking traditional security mechanisms have become favorite victims of, and agents for, botnet attacks. In our work, we seek to detect botnet-infected IoT nodes. This paper presents BOND, a frugal Deep Learning analysis of network traffic for detecting IoT devices infected with one or more botnets, which correctly classifies zero-day attacks and newer benign traffic. BOND is designed around the constraints of IoT gateways and improves on the F1 score of standard benchmark ML algorithms and the state-of-the-art method Kitsune by at least 10%, with under 1 millisecond inference time and less than 150 KB of model memory. This paper also presents 27-Botnet, a labeled data set spanning 27 IoT botnet families and ten different IoT devices. We believe it is the first data set with a separate zero-day component.
