Abstract

The analysis of large-scale cyber attacks that used millions of exploited Internet of Things (IoT) devices to perform malicious activities highlights the significant role of compromised IoT devices in enabling evasive and effective attacks at scale. Motivated by the shortage of empirical data on the deployment of IoT devices, and by the lack of understanding of compromised devices and their unsolicited activities, in this paper we leverage a big data analytics framework (Apache Spark) to design and develop a scalable system for the automated detection of compromised IoT devices and the characterization of their unsolicited activities. The system uses IoT device information and passive network measurements obtained from a large network telescope, and implements an array of data-driven methodologies rooted in data mining and machine learning techniques, to provide a macroscopic view of IoT-generated malicious activities. We evaluate the system on more than 4TB of passive network measurements and demonstrate its effectiveness in the near-real-time network forensic investigation of compromised devices and their activities. In addition, we empirically analyze and elaborate on the capabilities of the developed system as a scalable infrastructure that can support a number of applications enabling IoT-centric forensics.
