
International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA 2018), 11-12 June 2018, Glasgow, UK.

Towards Situational Awareness of Botnet Activity in the Internet of Things

Christopher D. McDermott, Andrei V. Petrovski, Farzan Majdani

DDoS Trends
[Slide figure: two pie charts from the Verisign DDoS Trends Report Q4 2017]
Chart 1, Multi-Vector DDoS Attacks, by number of attack types used per attack: 1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types (slice values 46%, 18%, 18%, 9%, 9%; which slice belongs to which legend entry is not recoverable from the transcript)
Chart 2, Types of DDoS Attacks: IP Fragment Attacks, TCP Based, UDP Based, Layer 7, Other (slice values 42%, 30%, 14%, 12%, 2%; mapping likewise not recoverable)
Source: Verisign DDoS Trends Report Q4 2017

Motivation
Work towards improving situational awareness of infected IoT devices

Outcome
Detect IoT botnet activity within the LAN
Identify whether consumers are situationally aware when their devices are infected and part of a botnet

Challenge
Collect, parse and analyse local network traffic
Classify and predict potential traffic emanating from an infected IoT device

Method

Literature Gap

M. Stevanovic and J. M. Pedersen, "An efficient flow-based botnet detection using supervised machine learning," in 2014 International Conference on Computing, Networking and Communications (ICNC)

M. Stevanovic and J. M. Pedersen, "An analysis of network traffic classification for botnet detection," in 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)

L. Bilge, D. Balzarotti, W. Robertson, E. Kirda and C. Kruegel, "Disclosure: Detecting botnet command and control servers through large-scale NetFlow analysis," in Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), 2012

D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, A. Ghorbani and D. Garant, "Botnet detection based on traffic behaviour analysis and flow intervals," Computers and Security, 2013

G. Kirubavathi and R. Anitha, "Botnet detection via mining of traffic flow characteristics," Computers and Electrical Engineering, 2016

Flow-based Application to IoT

"We assume the network includes an on-path device, such as a home gateway router or other middlebox, that can observe traffic between consumer IoT devices on the local network and the rest of the internet"

Machine Learning DDoS Detection for Consumer Internet of Things Devices, Princeton University

Situational Awareness Problem

Participants shown video feeds from infected/uninfected IP cameras

Difficult to identify infected IoT device and actions

Lack of Situational Awareness

Full results of online survey to be published

Pilot Study

Botnet Detection Framework
[Slide diagram: the framework is tested against a known, labelled dataset; each classified sample ends in one of two outcomes, "Anomaly not detected" or "Anomaly detected"]

“We propose a novel application of deep learning to botnet detection in the Internet of Things”

Our contributions

A labelled dataset encompassing botnet activity and DDoS attacks;

A BLSTM-RNN detection algorithm which utilises a word embedding methodology for text recognition of features within botnet attack vectors;

A modular detection model to detect and predict infected IoT device traffic.

Dataset Generation

Dataset

Five captures: Normal, UDP flood, ACK flood, DNS flood, SYN flood.

Features captured: No, Time, Source, Destination, Protocol, Length, Info (later reduced by the ML model)

Traffic converted into appropriate format

Captures labelled and stored for ingestion into ML model

Components

Scan / Loader Server - used to scan for vulnerable devices and load malware

Command & Control Server - used to issue infect and attack commands to bots

Utilities Server - used for DNS services / reporting

Botnet Detection Framework


Packet Capture and Conversion Module
Traffic on mirrored port captured
Most recent capture fetched
Pcap conversion to .csv format
Formatted capture stored for detection module

Intrusion Detection Module
1. Tokenise data within the Info feature to integer encoded format
2. Create dictionary of tokenised words and their index
3. Create array of the corresponding indices
4. Inject additional relevant features into array
5. Map label identifiers to integer and inject into array
6. Pad array to equal length
7. Split dataset into training and test
8. Build BLSTM-RNN model
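As an added example (not the paper's own code), the preprocessing steps 1 to 7 of the Intrusion Detection Module in Python, run over constructed rows in the column layout listed under Dataset (the layout the capture module's pcap-to-csv conversion produces). The protocol encoding table, the choice of 0 for padding/unknown tokens and the sample addresses are my assumptions; step 8, the BLSTM-RNN itself, is only noted in a comment.

```python
import re
from collections import Counter

# Constructed sample rows (No, Time, Source, Destination, Protocol, Length, Info, label);
# addresses and Info strings are made up, in Wireshark's Info column style.
SAMPLE_ROWS = [
    (1, 0.000, "192.168.1.10", "192.168.1.1", "DNS", 74, "Standard query 0x1a2b A example.com", "normal"),
    (2, 0.010, "192.168.1.1", "192.168.1.10", "DNS", 90, "Standard query response 0x1a2b A example.com", "normal"),
    (3, 0.020, "192.168.1.20", "10.0.0.5", "TCP", 54, "49152 > 80 [SYN] Seq=0 Win=8192 Len=0", "mirai"),
    (4, 0.021, "192.168.1.20", "10.0.0.5", "TCP", 54, "49153 > 80 [SYN] Seq=0 Win=8192 Len=0", "mirai"),
    (5, 0.030, "192.168.1.20", "10.0.0.5", "UDP", 1024, "49154 > 53 Len=982", "udp"),
]
PROTO_INDEX = {"TCP": 1, "UDP": 2, "DNS": 3}  # hypothetical protocol encoding, 0 = other

def tokenise(info):
    # Step 1: lower-case the Info field and split it into word tokens
    return re.findall(r"[a-z0-9_.]+", info.lower())

def build_vocab(rows):
    # Step 2: dictionary token -> integer index, most frequent first; 0 is reserved for padding/unknown
    counts = Counter(tok for r in rows for tok in tokenise(r[6]))
    return {tok: i + 1 for i, (tok, _) in enumerate(counts.most_common())}

def encode_row(row, vocab, label_index):
    seq = [vocab.get(t, 0) for t in tokenise(row[6])]   # Step 3: indices of the Info tokens
    # Step 4: inject protocol id and frame length at the front (a real model would route such
    # numeric features through a separate input rather than the word embedding)
    seq = [PROTO_INDEX.get(row[4], 0), row[5]] + seq
    return seq, label_index[row[7]]                      # Step 5: label string -> integer class

def pad(seqs, max_len):
    # Step 6: right-pad with 0 (or truncate) so every sample has equal length
    return [s[:max_len] + [0] * (max_len - len(s)) for s in seqs]

def prepare(rows, test_fraction=0.4):
    vocab = build_vocab(rows)
    label_index = {lab: i for i, lab in enumerate(sorted({r[7] for r in rows}))}
    encoded = [encode_row(r, vocab, label_index) for r in rows]
    max_len = max(len(s) for s, _ in encoded)
    X = pad([s for s, _ in encoded], max_len)
    y = [lab for _, lab in encoded]
    split = int(len(X) * (1 - test_fraction))            # Step 7: train/test split (shuffle real data first)
    # Step 8 would feed X/y to an Embedding + Bidirectional LSTM classifier (e.g. in Keras); not built here.
    return {"vocab": vocab, "labels": label_index, "X_train": X[:split], "y_train": y[:split],
            "X_test": X[split:], "y_test": y[split:]}
```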

Model Accuracy

Attack vector   Train    Validate   Mean Accuracy (%)   Mean Loss
Mirai (SYN)     196171   105631     99.154744           0.1362400
UDP             194831   104909     98.005605           0.2439042
DNS             195451   105243     97.819378           0.2333340
ACK             215213   115884     88.852511           1.6414504

The BLSTM-RNN model returns high accuracy and low loss metrics for three of the attack vectors used by Mirai. ACK attacks proved more difficult to detect: their Info data is complex and often out of sequence. The pattern is clearly evident, but the BLSTM-RNN did not appear to detect it.

Attack vector                 Mean Accuracy (%)   Mean Loss
Multi-vector (without ACK)    95.209029           0.2228190
Multi-vector (with two ACK)   93.899201           0.0384694

The model proved effective in detecting multi-vector attacks; however, the impact of the ACK attack was still evident. Increasing the sample size greatly improved detection accuracy.

Conclusions

Identified a lack of situational awareness of botnet activity within consumer networks.

Demonstrated the effectiveness of Deep Learning for IoT botnet detection, using a novel detection model based on a BLSTM-RNN, in conjunction with Word Embedding.

Demonstrated the effectiveness of deep packet inspection for IoT botnet detection.

Future work

Improve model to:
- better detect all attack vectors
- use JSON instead of .csv (easier integration with other systems, e.g. the ELK Stack)

Test detection model against mutated version of Mirai source code and other datasets

Create third module and explore methods of improving situational awareness of botnet activity within consumer IoT devices.