Abstract
The widespread adoption of Internet of Things has led to many security issues. Recently, there have been malware attacks on IoT devices, the most prominent one being that of Mirai. IoT devices such as IP cameras, DVRs and routers were compromised by the Mirai malware and later large-scale DDoS attacks were propagated using those infected devices (bots) in October 2016. In this research, we develop a network-based algorithm which can be used to detect IoT bots infected by Mirai or similar malware in large-scale networks (e.g. ISP network). The algorithm particularly targets bots scanning the network for vulnerable devices since the typical scanning phase for botnets lasts for months and the bots can be detected much before they are involved in an actual attack. We analyze the unique signatures of the Mirai malware to identify its presence in an IoT device. Further, to optimize the usage of computational resources, we use a two-dimensional (2D) packet sampling approach, wherein we sample the packets transmitted by IoT devices both across time and across the devices. Leveraging the Mirai signatures identified and the 2D packet sampling approach, a bot detection algorithm is proposed. We use testbed measurements and simulations to study the relationship between bot detection delays and the sampling frequencies for device packets. Subsequently, we derive insights from the obtained results and use them to design our proposed bot detection algorithm. Finally, we discuss the deployment of our bot detection algorithm and the countermeasures which can be taken post detection.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Al-Fuqaha, A., Guizani, M., Mohammadi, M., Aledhari, M., Ayyash, M.: Internet of things: a survey on enabling technologies, protocols, and applications. IEEE Commun. Surv. Tutorials 17(4), 2347–2376 (2015)
Nordrum, A.: Popular internet of things forecast of 50 billion devices by 2020 is outdated. https://spectrum.ieee.org/tech-talk/telecom/internet/popular-internet-of-things-forecast-of-50-billion-devices-by-2020-is-outdated
Frustaci, M., Pace, P., Aloi, G., Fortino, G.: Evaluating critical security issues of the IoT world: present and future challenges. IEEE Internet of Things J. PP(99), 1–1 (2017)
Lin, J., Yu, W., Zhang, N., Yang, X., Zhang, H., Zhao, W.: A survey on internet of things: architecture, enabling technologies, security and privacy, and applications. IEEE Internet Things J. 4(5), 1125–1142 (2017)
Yang, Y., Wu, L., Yin, G., Li, L., Zhao, H.: A survey on security and privacy issues in internet-of-things. IEEE Internet of Things J. 4(5), 1250–1258 (2017)
Krebs, B.: Hacked cameras, DVRs powered today’s massive internet outage. https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/ (2016)
Cimpanu, C.: There’s a 120,000-strong IoT DDoS Botnet lurking around. http://news.softpedia.com/news/there-s-a-120-000-strong-iot-ddos-botnet-lurking-around-507773.shtml
Constantin, L.: Your Linux-based home router could succumb to a new Telnet worm, Remaiten. https://www.computerworld.com/article/3049982/security/your-linux-based-home-router-could-succumb-to-a-new-telnet-worm-remaiten.html
Grange, W.: Hajime worm battles Mirai for control of the Internet of Things. https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things
Arghire, I.: IoT Botnet used in website hacking attacks. https://www.securityweek.com/iot-botnet-used-website-hacking-attacks
Beek, C.: Mirai Botnet creates army of IoT Orcs. https://securingtomorrow.mcafee.com/mcafee-labs/mirai-botnet-creates-army-iot-orcs/
Ilascu, I.: Mirai code still runs on many IoT devices. https://www.bitdefender.com/box/blog/iot-news/mirai-code-still-runs-many-iot-devices/
Yu, T., Sekar, V., Seshan, S., Agarwal, Y., Xu, C.: Handling a trillion (unfixable) flaws on a billion devices: rethinking network security for the internet-of-things. In: Proceedings of the 14th ACM Workshop on Hot Topics in Networks, HotNets-XIV, pp. 5:1–5:7, New York, NY, USA. ACM (2015)
Antonakakis, M., April, T., Bailey, M., Bernhard, M., Bursztein, E., Cochran, J., Durumeric, Z., Halderman, J.A., Invernizzi, L., Kallitsis, M., Kumar, Lever, C., Ma, Z., Mason, J., Menscher, D., Seaman, C., Sullivan, N., Thomas, K., Zhou, Y.: Understanding the mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), Vancouver, BC, pp. 1093–1110. USENIX Association (2017)
Livadas, C., Walsh, R., Lapsley, D., Strayer, W.T.: Using machine learning techniques to identify Botnet traffic. In: Proceedings. 2006 31st IEEE Conference on Local Computer Networks, pp. 967–974, Nov 2006
Gu, G., Porras, P., Yegneswaran, V., Fong, M.: Bothunter: detecting malware infection through ids-driven dialog correlation. In: 16th USENIX Security Symposium (USENIX Security 07), Boston, MA. USENIX Association (2007)
Gu, G., Zhang, J., Lee, W.: BotSniffer: detecting Botnet command and control channels in network traffic. In: Network and Distributed System Security Symposium (NDSS) (2008)
Gu, G., Perdisci, R., Zhang, J., Lee, W.: BotMiner: clustering analysis of network traffic for protocol- and structure-independent Botnet detection. In: Proceedings of the 17th Conference on Security Symposium, SS’08, Berkeley, CA, USA, pp. 139–154. USENIX Association (2008)
Zhang, J., Perdisci, R., Lee, W., Luo, X., Sarfraz, U.: Building a scalable system for stealthy P2P-Botnet detection. IEEE Trans. Inf. Forensics Secur. 9(1), 27–38 (2014)
Habibi, J., Midi, D., Mudgerikar, A., Bertino, E.: Heimdall: mitigating the internet of insecure things. IEEE Internet Things J. 4(4), 968–978 (2017)
Pajouh, H.H., Javidan, R., Khayami, R., Ali, D., Choo, K.K.R.: A two-layer dimension reduction and two-tier classification model for anomaly-based intrusion detection in IoT backbone networks. IEEE Trans. Emerg. Topics Comput. PP(99), 1–1 (2016)
Meidan, Y., Bohadana, M., Mathov, Y., Mirsky, Y., Breitenbacher, D., Shabtai, A., Elovici, Y.: N-baiot: network-based detection of IoT botnet attacks using deep autoencoders. CoRR, abs/1805.03409 (2018)
Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy, pp. 305–316 (2010)
Gates, C., Taylor, C.: Challenging the anomaly detection paradigm: a provocative discussion. In: Proceedings of the 2006 Workshop on New Security Paradigms, NSPW ’06, New York, NY, USA, pp. 21–29. ACM (2007)
Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other Botnets. Computer 50(7), 80–84 (2017)
MySQL: The world’s most popular open source database. https://www.mysql.com/
Ron Winward: Mirai: Inside of an IoT Botnet. https://www.nanog.org/sites/default/files/1_Winward_Mirai_The_Rise.pdf (2017)
Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC ’05, Berkeley, CA, USA, pp. 41–41. USENIX Association. https://www.qemu.org/ (2005)
IANA: Service Name and Transport Protocol Port Number Registry. https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=1
Wanner, R.: What is happening on 2323/TCP? https://isc.sans.edu/forums/diary/What+is+happening+on+2323TCP/21563/
Postel, J., Reynolds, J.: Telnet protocol specification. https://tools.ietf.org/html/rfc854 (1983)
Google Cloud: Overview of Internet of Things. https://cloud.google.com/solutions/iot-overview
Wireshark: Network protocol analyzer. https://www.wireshark.org/
Statista: Installed base of IoT consumer devices by category in the United States in 2017 (in million units). https://www.statista.com/statistics/757717/iot-consumer-product-installed-base-in-the-us-by-category/ (2018)
Wikipedia: Broadband Providers in the United States. https://en.wikipedia.org/wiki/Internet_in_the_United_States#Broadband_providers
Ieee standard for low-rate wireless networks. IEEE Std 802.15.4-2015 (Revision of IEEE Std 802.15.4-2011), pp. 1–709, Apr 2016
Foong, A.P., Huff, T.R., Hum, H.H., Patwardhan, J.R., Regnier, G.J.: TCP performance re-visited. In: 2003 IEEE International Symposium on Performance Analysis of Systems and Software. ISPASS 2003, pp. 70–79 (2003)
Karp, R.M.: Reducibility among Combinatorial Problems, pp. 85–103. Springer US, Boston, MA (1972)
Meidan, Y., Bohadana, M., Shabtai, A., Guarnizo, J.D., Ochoa, M., Tippenhauer, N.O., Elovici, Y.: Profiliot: a machine learning approach for IoT device identification based on network traffic analysis. In: Proceedings of the Symposium on Applied Computing, SAC ’17, pp. 506–509, New York, NY, USA. ACM (2017)
Livingood, J., Mody, N., O’Reirdan, M.: Recommendations for the remediation of bots in ISP networks. https://tools.ietf.org/html/rfc6561
Kumar, A.: Software Repository for Mirai-Like IoT Malware Detection Algorithm. https://github.com/ayush47-github/IoT-bot-detection
Zheng, C., Xiao, C., Jia, Y.: New IoT/Linux malware targets DVRs, Forms Botnet. https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
Hayashi, K.: Linux worm targeting hidden devices. https://www.symantec.com/connect/blogs/linux-worm-targeting-hidden-devices
Radware. Reaper Botnet. https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/reaper-botnet/
Acknowledgements
The authors would like to thank Dr. Liang Zhenkai (SoC, NUS) for helping us with some of the initial ideas used in this paper and Dr. Min Suk Kang (SoC, NUS) for providing comments on our manuscript. We would also like to appreciate the National Cybersecurity R&D Lab, Singapore for allowing us to use their testbed to collect important data which has been used in our work. This research is supported by the National Research Foundation, Prime Minister’s Office, Singapore under its Corporate Laboratory@University Scheme, National University of Singapore, and Singapore Telecommunications Ltd.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Kumar, A., Lim, T.J. (2020). Early Detection of Mirai-Like IoT Bots in Large-Scale Networks through Sub-sampled Packet Traffic Analysis. In: Arai, K., Bhatia, R. (eds) Advances in Information and Communication. FICC 2019. Lecture Notes in Networks and Systems, vol 70. Springer, Cham. https://doi.org/10.1007/978-3-030-12385-7_58
Download citation
DOI: https://doi.org/10.1007/978-3-030-12385-7_58
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-12384-0
Online ISBN: 978-3-030-12385-7
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)