International Conference on Cyber Situational Awareness, Data Analytics and Assessment (Cyber SA 2018), 11-12 June 2018, Glasgow, UK.
Towards Situational Awareness of Botnet Activity in the Internet of Things
Christopher D. McDermott, Andrei V. Petrovski, Farzan Majdani
DDoS Trends
[Pie chart: Multi-Vector DDoS Attacks, broken down by number of attack types per attack (1 Attack Type, 2 Attack Types, 3 Attack Types, 4 Attack Types, 5+ Attack Types); segment values shown: 46%, 18%, 18%, 9%, 9%]
[Pie chart: Types of DDoS Attacks (IP Fragment Attacks, TCP Based, UDP Based, Layer 7, Other); segment values shown: 42%, 30%, 14%, 12%, 2%]
Source: Verisign DDoS Trends Report Q4 2017
Motivation
Work towards improving situational awareness of infected IoT devices
Outcome
Detect IoT botnet activity within the LAN
Identify whether consumers are situationally aware when their devices are infected and part of a botnet
Challenge
Collect, parse and analyse local network traffic
Classify and predict potential traffic emanating from an infected IoT device
Method
Literature Gap
M. Stevanovic and J. M. Pedersen, “An efficient flow-based botnet detection using supervised machine learning,” in 2014 International Conference on Computing, Networking and Communications (ICNC)
M. Stevanovic and J. M. Pedersen, “An analysis of network traffic classification for botnet detection,” in 2015 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA)
L. Bilge, D. Balzarotti, W. Robertson, E. Kirda and C. Kruegel, “Disclosure: Detecting botnet command and control servers through large-scale NetFlow analysis,” in Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC), 2012
D. Zhao, I. Traore, B. Sayed, W. Lu, S. Saad, A. Ghorbani and D. Garant, “Botnet detection based on traffic behavior analysis and flow intervals,” in Computers & Security, 2013
G. Kirubavathi and R. Anitha, “Botnet detection via mining of traffic flow characteristics,” in Computers and Electrical Engineering, 2016
Flow-based Application to IoT
“We assume the network includes an on-path device, such as a home gateway router or other middlebox, that can observe traffic between consumer IoT devices on the local network and the rest of the internet”
Source: “Machine Learning DDoS Detection for Consumer Internet of Things Devices”, Princeton University
Situational Awareness Problem
Participants shown video feeds from infected/uninfected IP cameras
Difficult to identify infected IoT device and actions
Lack of Situational Awareness
Full results of online survey to be published
Pilot Study
[Diagram: Botnet Detection Framework, tested against a known, labelled dataset; outputs are “Anomaly detected” or “Anomaly not detected”]
“We propose a novel application of deep learning to botnet detection in the Internet of Things”
Our contributions
A labelled dataset encompassing botnet activity and DDoS attacks;
A BLSTM-RNN detection algorithm which utilises a word embedding methodology for text recognition of features within botnet attack vectors;
A modular detection model to detect and predict infected IoT device traffic.
Dataset Generation
Dataset
Five captures: Normal, UDP flood, ACK flood, DNS flood and SYN flood.
Features captured: No, Time, Source, Destination, Protocol, Length, Info (later reduced by the ML model)
Traffic converted into the appropriate format
Captures labelled and stored for ingestion into the ML model
Components
Scan / Loader Server - used to scan for vulnerable devices and load the malware
Command & Control Server - used to issue infection and attack commands to the bots
Utilities Server - used for DNS services and reporting
Botnet Detection Framework
Packet Capture and Conversion Module
Traffic on the mirrored port is captured
The most recent capture is fetched
The pcap is converted to .csv format
The formatted capture is stored for the detection module
Intrusion Detection Module
1. Tokenise data within the Info feature to integer-encoded format
2. Create a dictionary of tokenised words and their index
3. Create an array of the corresponding indices
4. Inject additional relevant features into the array
5. Map label identifiers to integers and inject into the array
6. Pad the array to equal length
7. Split the dataset into training and test sets
8. Build the BLSTM-RNN model
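As an added illustration of steps 1 to 7 of the Intrusion Detection Module (this is example code written for this page, not code from the paper or its authors), the following Python runs the encoding pipeline over a handful of constructed rows laid out in the deck's No, Time, Source, Destination, Protocol, Length, Info format with a capture label appended. The token splitting, the protocol and label integer codings, and the sample rows are all assumptions; step 8, the BLSTM-RNN itself, is left out because it needs a deep-learning framework.

```python
"""Steps 1-7 of the deck's Intrusion Detection Module preprocessing, in pure Python.

Tokenise the Wireshark-style Info column, build a word index, turn each packet
into an index array, inject Protocol/Length features, map the capture label to
an integer, pad to equal length, and split into training and test sets.
Step 8 (building the BLSTM-RNN) is omitted.
"""
import random

# Constructed sample rows (not from the paper's dataset):
# (No, Time, Source, Destination, Protocol, Length, Info, label)
SAMPLE_ROWS = [
    (1, 0.000, "192.168.1.10", "192.168.1.1", "DNS", 74, "Standard query 0x1a2b A example.test", "normal"),
    (2, 0.012, "192.168.1.1", "192.168.1.10", "DNS", 90, "Standard query response 0x1a2b A example.test", "normal"),
    (3, 0.020, "192.168.1.10", "10.0.0.5", "TCP", 66, "[SYN] Seq=0 Win=64240 Len=0", "normal"),
    (4, 1.000, "192.168.1.20", "10.0.0.5", "TCP", 54, "[SYN] Seq=0 Win=1024 Len=0", "syn_flood"),
    (5, 1.001, "192.168.1.20", "10.0.0.5", "TCP", 54, "[SYN] Seq=0 Win=1024 Len=0", "syn_flood"),
    (6, 2.000, "192.168.1.30", "10.0.0.5", "UDP", 1058, "53001 -> 80 Len=1016", "udp_flood"),
    (7, 2.001, "192.168.1.30", "10.0.0.5", "UDP", 1058, "53002 -> 80 Len=1016", "udp_flood"),
    (8, 3.000, "192.168.1.40", "10.0.0.5", "TCP", 54, "[ACK] Seq=1 Ack=1 Win=512 Len=0", "ack_flood"),
]

# Assumed integer codings for the injected protocol feature and the capture labels.
PROTOCOLS = {"TCP": 1, "UDP": 2, "DNS": 3}
LABELS = {"normal": 0, "syn_flood": 1, "udp_flood": 2, "ack_flood": 3}


def tokenise(info):
    """Step 1: split the free-text Info field into lower-cased word tokens."""
    return info.lower().split()


def build_vocab(rows):
    """Step 2: dictionary mapping each token to an integer index.
    Index 0 is reserved for padding and unknown tokens, so real tokens start at 1."""
    vocab = {}
    for row in rows:
        for tok in tokenise(row[6]):
            if tok not in vocab:
                vocab[tok] = len(vocab) + 1
    return vocab


def encode_info(info, vocab):
    """Step 3: array of indices for one Info field; tokens unseen during
    training (as happens with live traffic) map to 0."""
    return [vocab.get(tok, 0) for tok in tokenise(info)]


def encode_row(row, vocab):
    """Steps 3-5: index array with Protocol and Length injected, plus the integer label."""
    _no, _time, _src, _dst, proto, length, info, label = row
    features = encode_info(info, vocab)
    features.append(PROTOCOLS.get(proto, 0))  # step 4: inject protocol code
    features.append(length)                   # step 4: inject frame length
    return features, LABELS[label]            # step 5: label -> integer


def pad(seqs, width=None, value=0):
    """Step 6: right-pad every sequence to the same length."""
    width = width or max(len(s) for s in seqs)
    return [s + [value] * (width - len(s)) for s in seqs]


def split(xs, ys, test_fraction=0.25, seed=7):
    """Step 7: deterministic shuffle, then split into train and test sets."""
    idx = list(range(len(xs)))
    random.Random(seed).shuffle(idx)
    n_test = int(len(idx) * test_fraction)
    test, train = idx[:n_test], idx[n_test:]
    return ([xs[i] for i in train], [ys[i] for i in train],
            [xs[i] for i in test], [ys[i] for i in test])


def prepare(rows=SAMPLE_ROWS):
    """Run steps 1-7 and return (vocab, padded feature arrays, labels, split)."""
    vocab = build_vocab(rows)
    encoded = [encode_row(r, vocab) for r in rows]
    xs = pad([f for f, _ in encoded])
    ys = [lab for _, lab in encoded]
    return vocab, xs, ys, split(xs, ys)


if __name__ == "__main__":
    vocab, xs, ys, (x_train, y_train, x_test, y_test) = prepare()
    print(f"vocabulary size: {len(vocab)}, sequence width: {len(xs[0])}")
    print(f"train: {len(x_train)} rows, test: {len(x_test)} rows")
    for x, y in zip(xs, ys):
        print(y, x)
```

Two choices matter for a detector that will see live traffic: index 0 is reserved so that a word never seen in the labelled captures does not collide with a real token, and the shuffle is seeded so the train/test split is reproducible when comparing model runs. The padded arrays are what a sequence model such as the deck's BLSTM-RNN would consume.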
Model Accuracy
Attack                        Train     Validate   Mean Accuracy (%)   Mean Loss
Mirai (SYN)                   196171    105631     99.154744           0.1362400
UDP                           194831    104909     98.005605           0.2439042
DNS                           195451    105243     97.819378           0.2333340
ACK                           215213    115884     88.852511           1.6414504
The BLSTM-RNN model returns high accuracy and low loss for three of the attack vectors used by Mirai. ACK attacks proved more difficult to detect: the Info field is complex and often out of sequence. The pattern is clearly evident to a human, but the BLSTM-RNN did not appear to detect it.
Attack                        Mean Accuracy (%)   Mean Loss
Multi-vector (without ACK)    95.209029           0.2228190
Multi-vector (with two ACK)   93.899201           0.0384694
The model proved effective in detecting multi-vector attacks, although the impact of the ACK attack was still evident. Increasing the sample size greatly improved detection accuracy.
Conclusions
Identified a lack of situational awareness of botnet activity within consumer networks.
Demonstrated the effectiveness of Deep Learning for IoT botnet detection, using a novel detection model based on a BLSTM-RNN, in conjunction with Word Embedding.
Demonstrated the effectiveness of deep packet inspection for IoT botnet detection.
Future work
Improve the model to:
- better detect all attack vectors
- use JSON instead of .csv (easier integration with other systems, e.g. the ELK Stack)
Test the detection model against mutated versions of the Mirai source code and against other datasets
Create a third module and explore methods of improving situational awareness of botnet activity within consumer IoT devices.