Abstract
The proliferation of insecure Internet-connected devices gave rise to the IoT botnets which can grow very large rapidly and may perform high-impact cyber-attacks. The related studies for tackling IoT botnets are concerned with either capturing or analyzing IoT botnet samples, using honeypots and sandboxes, respectively. The lack of integration between the two implies that the samples captured by the honeypots must be manually submitted for analysis in sandboxes, introducing a delay during which a botnet may change its operation. Furthermore, the effectiveness of the proposed sandboxes is limited by the potential use of anti-analysis techniques and the inability to identify features for effective detection and identification of IoT botnets. In this paper, we propose and evaluate a novel framework, the IoT-BDA framework, for automated capturing, analysis, identification, and reporting of IoT botnets. The framework consists of honeypots integrated with a novel sandbox that supports a wider range of hardware and software configurations, and can identify indicators of compromise and attack, along with anti-analysis, persistence, and anti-forensics techniques. These features can make botnet detection and analysis, and infection remedy more effective. The framework reports the findings to a blacklist and abuse service to facilitate botnet suspension. The paper also describes the discovered anti-honeypot techniques and the measures applied to reduce the risk of honeypot detection. Over the period of seven months, the framework captured, analyzed, and reported 4077 unique IoT botnet samples. The analysis results show that some IoT botnets used anti-analysis, persistence, and anti-forensics techniques typically seen in traditional botnets.
Highlights
A botnet malware is a self-propagating malware that infects Internet-connected devices automatically, without human intervention, using software vulnerabilities as infection vectors
As reported by Kaspersky [34], since the vulnerable IoT devices are typically found behind residential IP addresses, the botnet herders may blacklist IP ranges allocated to cloud providers to evade honeypots hosted on the cloud
We propose the IoT-BDA architecture comprised of two blocks, Botnet Capturing Block (BCB) and Botnet Analysis Block (BAB), for capturing and analyzing IoT botnet samples, respectively
Summary
A botnet malware is a self-propagating malware that infects Internet-connected devices automatically, without human intervention, using software vulnerabilities as infection vectors. The proposed sandboxes have a number of limitations, such as the lack of capability to identify: 1) features for effective detection and identification of IoT botnets; 2) anti-forensics techniques that may prevent infection remedy; and 3) anti-analysis techniques that may obstruct the analysis and cause false negative errors. Another limitation is the absence of prompt results sharing and actions towards botnet suspension. We have made the analysis results and the raw data, consisted of the captured samples and their recorded behaviours available at [21], and provided the framework as a free service to researchers and cyber security professionals [22]
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
