A novel graph-based approach for IoT botnet detection

The Internet of things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. These IoT devices can communicate with others over the Internet and fully integrate into people’s daily life. In recent years, IoT devices still suffer from basic security vulnerabiliti...

Full description

Saved in:
Bibliographic Details
Published inInternational journal of information security Vol. 19; no. 5; pp. 567 - 577
Main Authors Nguyen, Huy-Trung, Ngo, Quoc-Dung, Le, Van-Hoang
Format Journal Article
LanguageEnglish
Published Berlin/Heidelberg Springer Berlin Heidelberg 01.10.2020
Springer Nature B.V
Subjects
Coding and Information Theory
Communications Engineering
Comparative studies
Computer Communication Networks
Computer Science
Cryptology
Electronic devices
Feature extraction
Internet of Things
Malware
Management of Computing and Information Systems
Microprocessors
Networks
Operating Systems
Personal computers
Regular Contribution
Source code
Deep learning
PSI-Graph
IoT botnet
Information security
Static analysis
Online AccessGet full text

Cover

More Information
Summary:The Internet of things (IoT) is the extension of Internet connectivity into physical devices and everyday objects. These IoT devices can communicate with others over the Internet and fully integrate into people’s daily life. In recent years, IoT devices still suffer from basic security vulnerabilities making them vulnerable to a variety of threats and malware, especially IoT botnets. Unlike common malware on desktop personal computer and Android, heterogeneous processor architecture issue on IoT devices brings various challenges for researchers. Many studies take advantages of well-known dynamic or static analysis for detecting and classifying botnet on IoT devices. However, almost studies yet cannot address the multi-architecture issue and consume vast computing resources for analyzing. In this paper, we propose a lightweight method for detecting IoT botnet, which based on extracting high-level features from function–call graphs, called PSI-Graph, for each executable file. This feature shows the effectiveness when dealing with the multi-architecture problem while avoiding the complexity of control flow graph analysis that is used by most of the existing methods. The experimental results show that the proposed method achieves an accuracy of 98.7%, with the dataset of 11,200 ELF files consisting of 7199 IoT botnet samples and 4001 benign samples. Additionally, a comparative study with other existing methods demonstrates that our approach delivers better outcome. Lastly, we make the source code of this work available to Github.
ISSN:1615-5262
1615-5270
DOI:10.1007/s10207-019-00475-6