Abstract

The leaked IoT botnet source code has facilitated the proliferation of different IoT botnet variants, some of which are equipped with new capabilities and may be difficult to detect. Despite the availability of solutions for automated analysis of IoT botnet samples, the identification of new variants is still very challenging because the analysis results must be manually interpreted by malware analysts. To overcome this challenge, we propose an approach for automated behaviour-based clustering of IoT botnet samples, aimed at enabling automatic identification of IoT botnet variants equipped with new capabilities. In the proposed approach, the behaviour of the IoT botnet samples is captured using a sandbox and represented as behaviour profiles describing the actions performed by the samples. The behaviour profiles are vectorised using TF-IDF and clustered using the DBSCAN algorithm. The proposed approach was evaluated using a collection of samples captured from IoT botnets propagating on the Internet. The evaluation shows that the proposed approach enables accurate automatic identification of IoT botnet variants equipped with new capabilities, which will help security researchers to investigate the new capabilities and to apply the investigation findings to improving the solutions for detecting and preventing IoT botnet infections.

Highlights

  • An Internet of Things (IoT) botnet is a network of IoT devices infected by botnet malware

  • We propose a novel approach for automated behaviour-based clustering of IoT botnet samples

  • The proposed approach enables automatic identification of IoT botnet variants equipped with new capabilities, removing the need to manually investigate IoT botnet samples in order to identify new variants


Summary

Introduction

An Internet of Things (IoT) botnet is a network of IoT devices infected by botnet malware. This paper describes the challenges that can affect the behavioural analysis of botnet samples and the measures taken to address them, presents a novel approach for automated clustering of IoT botnet samples based on their behaviour profiles, and evaluates the proposed clustering approach using a collection of samples captured from IoT botnets propagating on the Internet. The research method consists of a literature review identifying knowledge gaps and areas for improvement; collection of botnet samples using honeypots and a malware tracking service; execution and behavioural analysis of the collected samples; investigation of factors affecting the capture of IoT botnet behaviour; investigation of methods for extracting features from text documents; and evaluation of different algorithms for clustering the extracted features.
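The pipeline the abstract and introduction describe (sandbox behaviour profile, TF-IDF vectorisation, DBSCAN clustering, with samples left outside every cluster flagged for manual review) is shown below as an added example. It is not the paper's code: the behaviour profiles are constructed stand-ins for sandbox output, the action names and the eps and min_samples values are assumptions, and TF-IDF (using scikit-learn's smoothed idf formula) and DBSCAN are implemented in plain Python so the example runs offline.

```python
import math
from collections import Counter

# Constructed behaviour profiles standing in for sandbox output (not real samples).
# Each value is the list of actions observed for one sample; the action names are
# assumptions chosen for illustration. var_a_* and var_b_* are two known variants;
# unknown_1 shares most of var_a's behaviour but adds three actions neither shows.
PROFILES = {
    "var_a_1": ["disable-watchdog", "connect:c2", "scan:tcp/23", "scan:tcp/2323",
                "bruteforce:telnet", "kill:competing-process"],
    "var_a_2": ["disable-watchdog", "connect:c2", "scan:tcp/23", "scan:tcp/2323",
                "bruteforce:telnet", "kill:competing-process"],
    "var_a_3": ["disable-watchdog", "connect:c2", "scan:tcp/23", "scan:tcp/2323",
                "bruteforce:telnet", "kill:competing-process", "scan:tcp/81"],
    "var_b_1": ["connect:c2", "scan:tcp/23", "exec:wget-payload", "exec:dropper",
                "kill:competing-process", "attack:udp-flood"],
    "var_b_2": ["connect:c2", "scan:tcp/23", "exec:wget-payload", "exec:dropper",
                "kill:competing-process", "attack:udp-flood"],
    "var_b_3": ["connect:c2", "scan:tcp/23", "exec:wget-payload", "exec:dropper",
                "kill:competing-process", "attack:udp-flood", "attack:http-flood"],
    "unknown_1": ["disable-watchdog", "connect:c2", "scan:tcp/23", "scan:tcp/2323",
                  "bruteforce:telnet", "persist:cron", "start:socks-proxy", "exec:miner"],
}


def tfidf_vectors(profiles):
    """Return {sample: {action: weight}} with tf = count/len(profile) and the
    smoothed idf = ln((1+N)/(1+df)) + 1, so an action seen in every sample
    still keeps a small positive weight and no vector collapses to zero."""
    n = len(profiles)
    df = Counter()
    for actions in profiles.values():
        df.update(set(actions))
    idf = {a: math.log((1 + n) / (1 + d)) + 1.0 for a, d in df.items()}
    vectors = {}
    for name, actions in profiles.items():
        counts = Counter(actions)
        total = len(actions)
        vectors[name] = {a: (c / total) * idf[a] for a, c in counts.items()}
    return vectors


def cosine_distance(u, v):
    """1 - cosine similarity of two sparse vectors; 1.0 if either is empty."""
    dot = sum(w * v.get(a, 0.0) for a, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    if nu == 0.0 or nv == 0.0:
        return 1.0
    return 1.0 - dot / (nu * nv)


def dbscan(vectors, eps, min_samples):
    """Plain DBSCAN over cosine distance. A point is core if at least
    min_samples points (itself included) lie within eps. Returns
    {sample: label}; label -1 marks noise, i.e. no cluster."""
    names = list(vectors)
    labels = {n: None for n in names}

    def neighbours(p):
        return [q for q in names if cosine_distance(vectors[p], vectors[q]) <= eps]

    cluster = 0
    for p in names:
        if labels[p] is not None:
            continue
        nb = neighbours(p)
        if len(nb) < min_samples:
            labels[p] = -1          # may later become a border point of a cluster
            continue
        labels[p] = cluster
        queue = [q for q in nb if q != p]
        while queue:
            q = queue.pop()
            if labels[q] == -1:
                labels[q] = cluster  # noise reachable from a core point: border point
            if labels[q] is not None:
                continue
            labels[q] = cluster
            qnb = neighbours(q)
            if len(qnb) >= min_samples:  # only core points expand the cluster
                queue.extend(r for r in qnb if labels[r] is None or labels[r] == -1)
        cluster += 1
    return labels


def cluster_profiles(profiles, eps=0.3, min_samples=3):
    """TF-IDF + DBSCAN over behaviour profiles; returns {sample: cluster label}."""
    return dbscan(tfidf_vectors(profiles), eps, min_samples)


def novel_samples(labels):
    """Samples DBSCAN left as noise: candidates for variants with new capabilities."""
    return sorted(name for name, label in labels.items() if label == -1)


if __name__ == "__main__":
    labels = cluster_profiles(PROFILES)
    for name, label in sorted(labels.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{name:10s} cluster={label}")
    print("review for new capabilities:", novel_samples(labels))
```

With eps=0.3 the two known variants form two clusters and unknown_1 is left as noise, which is the signal the approach relies on: a sample whose profile adds actions no known variant shows is distant from all of them under TF-IDF weighting, because a rarely seen action receives the highest idf weight. The same run with eps=0.5 absorbs unknown_1 into the var_a cluster, which is why the eps and min_samples values must be tuned on samples of known variants before the method is used to flag new ones.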

IoT Botnet Operation
Capturing IoT Botnet Behaviour
Related Work
Overview
Obtaining IoT Botnet Samples
Sandbox Execution and Analysis
Creating Behaviour Profiles
Clustering
Dataset
DBSCAN Parameter Tuning
Results
Comparison with Mean-Shift Clustering
Comparison with Hierarchical Clustering
Comparison with AVClass Classification
Conclusions