DIMI: Detecção Inteligente de Botnets Mirai em Redes IoT

The emerging usage of Internet of Things (IoT) paradigm brings,together with new services, new threats to Information Security.Among these threats, we have the Mirai Botnet that performed severalDistributed Denial of Service (DDoS) cyberattacks, exploringthe vulnerabilites of IoT devices. Within this context, this paperpresents a mechanism for detecting Mirai botnet attacks on IoTnetworks using ML techniques and comparing different approaches.The mechanism was evaluated using a set of traffic data from realIoT devices, achieving results with 99 % precision in detecting MiraiBotnet attacks

Online Self-Supervised Learning in Machine Learning Intrusion Detection for the Internet of Things

This paper proposes a novel Self-Supervised Intrusion Detection (SSID) framework, which enables a fully online Machine Learning (ML) based Intrusion Detection System (IDS) that requires no human intervention or prior off-line learning. The proposed framework analyzes and labels incoming traffic packets based only on the decisions of the IDS itself using an Auto-Associative Deep Random Neural Network, and on an online estimate of its statistically measured trustworthiness. The SSID framework enables IDS to adapt rapidly to time-varying characteristics of the network traffic, and eliminates the need for offline data collection. This approach avoids human errors in data labeling, and human labor and computational costs of model training and data collection. The approach is experimentally evaluated on public datasets and compared with well-known ML models, showing that this SSID framework is very useful and advantageous as an accurate and online learning ML-based IDS for IoT systems

Profiling IoT botnet activity

Undoubtedly, Internet of Things (IoT) devices have evolved into a necessity within our modern lifestyles. Nonetheless, IoT devices have proved to pose significant security risks due to their vulnerabilities and susceptibility to malware. Evidently, vulnerable IoT devices are enlisted by attackers to participate into Internet-wide botnets in order to instrument large-scale cyber-attacks and disrupt critical Internet services. Tracking these botnets is challenging due to their varying structural characteristics, and also due to the fact that malicious actors continuously adopt new evasion and propagation strategies. This thesis develops BotPro framework, a novel data-driven approach for profiling IoT botnet behaviour. BotPro provides a comprehensive approach for capturing and highlighting the behavioural properties of IoT botnets with respect to their structural and propagation properties across the global Internet. We implement the proposed framework using real-world data obtained from the measurement infrastructure that was designed in this thesis. Our measurement infrastructure gathers data from various sources, including globally distributed honeypots, regional Internet registries, global IP blacklists and routing topology. This diverse dataset forms a strong foundation for profiling IoT botnet activity, ensuring that our analysis accurately reflects behavioural patterns of botnets in real-world scenarios. BotPto encompasses diverse methods to profile IoT botnets, including information theory, statistical analysis, natural language processing, machine learning and graph theory. The framework’s results provide insights related to the structural properties as well as the evolving scanning and propagation strategies of IoT botnets. It also provides evidence on concentrated botnet activities and determines the effectiveness of widely used IP blacklists on capturing their evolving behaviour. In addition, the insights reveal the strategy adopted by IoT botnets in expanding their network and increasing their level of resilience. The results provide a compilation of the most important autonomous system(AS) attributes that frequently embrace IoT botnet activity as well as provide a novel macroscopic view on the influence of AS-level relationships with respect to IoT botnet propagation. Furthermore, It provides insights into the structural properties of botnet loaders with respect to the distribution of malware binaries of various strains. The insights generated by BotPro are essential to equip next generation automated cyber threat intelligence, intrusion detection systems and anomaly detection mechanisms with enriched information regarding evolving scanning, establishment and propagation strategies of new botnet variants. Industry will be equipped with even more improved ways to defend against emerging threats in the domains of cyber warfare, cyber tourism and cybercrime. The BotPro framework provides a comprehensive platform for stakeholders, including cybersecurity researchers, security analysts and network administrators to gain deep and meaningful insights into the sophisticated activities and behaviour exhibited by IoT botnets