Profiling IoT-based Botnet Traffic using DNS

Dwyer, Owen and Marnerides, Angelos and Giotsas, Vasileios and Mursch, Troy (2020) Profiling IoT-based Botnet Traffic using DNS. In: 2019 IEEE Global Communications Conference (GLOBECOM). IEEE, pp. 1-6. ISBN 9781728109626

Text (dwyer_globecomm19)
dwyer_globecomm19.pdf - Accepted Version

Abstract

Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016, myriads of Mirai-alike IoT-based botnets have emerged. Such botnets rely on Mirai's base malware code, and they infiltrate vulnerable IoT devices on an Internet-wide scale so as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-alike IoT-based botnets go far beyond traditional pre-2016 DDoS attacks since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We first discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our results indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.

Item Type: Contribution in Book/Report/Proceedings
Additional Information: ©2020 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
ID Code: 135834
Deposited By:
Deposited On: 29 Jul 2019 08:10
Refereed?: Yes
Published?: Published
Last Modified: 24 Nov 2020 11:53