Inferring, Characterizing, and Investigating Internet-Scale Malicious IoT Device Activities: A Network Telescope Perspective

Recent attacks have highlighted the insecurity of the Internet of Things (IoT) paradigm by demonstrating the impact of leveraging Internet-scale compromised IoT devices. In this paper, we address the lack of IoT-specific empirical data by drawing upon more than 5 TB of passive measurements. We devise data-driven methodologies to infer compromised IoT devices and those targeted by denial of service attacks. We perform a large-scale characterization of their traffic, and we explore a public threat repository and an in-house malware database to substantiate their malicious activities. The results expose a significant 26 thousand compromised IoT devices "in the wild," 40% of which are active in critical infrastructure. More importantly, we uncover new, previously unreported malware variants that specifically target IoT devices. Our empirical results are a first attempt to highlight the large-scale insecurity of the IoT paradigm, while warning about the rise of a new generation of IoT-centric, malware-orchestrated botnets.
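
The two inferences the abstract describes rest on a property of a network telescope: the monitored address space hosts no services, so every packet that arrives is unsolicited. Bare SYNs (or UDP/ICMP echo) spread over many telescope addresses come from hosts that are scanning, which is how compromised devices are surfaced; SYN-ACKs, RSTs and ICMP errors are backscatter, replies a victim sends to spoofed source addresses during a flood, so their source is a denial of service target, and the telescope's share of the IPv4 space lets one scale the observed count up to the victim-side rate. The block below is an added illustration of that classic telescope logic, written for this page; it is not the paper's own code, and the /8 telescope size, the flag-based rules, the thresholds and the sample packets are all assumptions (the TCP/23 and TCP/2323 sweep mirrors the telnet probing of Mirai-style IoT bots).

```python
"""Network-telescope (darknet) inference: separate one-way traffic into
scanning probes (candidate compromised hosts) and DDoS backscatter
(replies from victims of spoofed-source floods), then estimate the
victim-side attack rate from the telescope's share of the address space.

Added example; not the paper's code. The telescope size, the flag-based
classification rules and the sample packets are all assumptions."""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the telescope is a /8, i.e. 1/256 of the IPv4 address space.
TELESCOPE_PREFIX_LEN = 8
TELESCOPE_SHARE = 2 ** (32 - TELESCOPE_PREFIX_LEN) / 2 ** 32


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str       # address inside the telescope
    proto: str     # "tcp", "udp" or "icmp"
    flags: str     # TCP flags ("S", "SA", "R", "RA") or ICMP type name
    sport: int
    dport: int


def is_probe(p: Packet) -> bool:
    """Unsolicited connection attempts: bare SYN, UDP, or ICMP echo."""
    return ((p.proto == "tcp" and p.flags == "S")
            or p.proto == "udp"
            or (p.proto == "icmp" and p.flags == "echo"))


def is_backscatter(p: Packet) -> bool:
    """Replies nobody in dark space could have asked for: SYN-ACK, RST or
    RST-ACK, and ICMP errors. Their *source* is the flood victim."""
    return ((p.proto == "tcp" and p.flags in {"SA", "R", "RA"})
            or (p.proto == "icmp" and p.flags == "unreach"))


def infer_scanners(packets, min_targets=3):
    """Sources probing at least min_targets distinct telescope addresses.
    Returns {src: {"targets": n, "ports": {dport, ...}}}."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for p in packets:
        if is_probe(p):
            targets[p.src].add(p.dst)
            ports[p.src].add(p.dport)
    return {src: {"targets": len(t), "ports": ports[src]}
            for src, t in targets.items() if len(t) >= min_targets}


def infer_dos_victims(packets, window_seconds, min_packets=3):
    """Backscatter sources seen with at least min_packets replies in the
    window. If flood sources are spoofed uniformly at random, the telescope
    sees about TELESCOPE_SHARE of all replies, so the victim's total reply
    rate is observed / window / TELESCOPE_SHARE."""
    seen = defaultdict(int)
    for p in packets:
        if is_backscatter(p):
            seen[p.src] += 1
    return {victim: {"observed": n,
                     "estimated_pps": n / window_seconds / TELESCOPE_SHARE}
            for victim, n in seen.items() if n >= min_packets}


# Constructed sample capture over a 10 s window (not real data).
SAMPLE = [
    # one source sweeping TCP/23 and TCP/2323 across the telescope: a scanner
    Packet(0.0, "198.51.100.7", "10.0.0.1", "tcp", "S", 40211, 23),
    Packet(0.4, "198.51.100.7", "10.0.0.2", "tcp", "S", 40211, 23),
    Packet(0.9, "198.51.100.7", "10.0.0.3", "tcp", "S", 40211, 2323),
    Packet(1.3, "198.51.100.7", "10.0.1.9", "tcp", "S", 40211, 23),
    # a single stray SYN: below the scanner threshold
    Packet(2.0, "198.51.100.8", "10.0.4.4", "tcp", "S", 51000, 80),
    # SYN-ACKs and a RST-ACK from port 80 of one host to scattered telescope
    # addresses: backscatter from a victim of a spoofed SYN flood
    Packet(3.0, "203.0.113.5", "10.3.2.1", "tcp", "SA", 80, 1025),
    Packet(3.1, "203.0.113.5", "10.9.8.7", "tcp", "SA", 80, 2050),
    Packet(3.2, "203.0.113.5", "10.1.1.1", "tcp", "SA", 80, 3077),
    Packet(3.3, "203.0.113.5", "10.7.7.7", "tcp", "SA", 80, 4099),
    Packet(3.4, "203.0.113.5", "10.0.9.9", "tcp", "SA", 80, 5120),
    Packet(3.5, "203.0.113.5", "10.2.2.2", "tcp", "RA", 80, 6144),
]

if __name__ == "__main__":
    print("scanners:", infer_scanners(SAMPLE))
    print("DoS victims:", infer_dos_victims(SAMPLE, window_seconds=10.0))
```

On the sample, the telnet sweeper is reported with four targets and ports {23, 2323}, the single stray SYN is not, and the web server is reported as a flood victim with 6 observed replies, scaled by 256 over the 10 s window to an estimated 153.6 replies per second. The scaling is only as good as the spoofing assumption: floods whose source addresses are not uniform over IPv4 (or that avoid the telescope's prefix) are under- or over-estimated, which is one reason such inferences are cross-checked against other sources, as the paper does with a threat repository and a malware database.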
