Anomaly Detection and Multi-Output Classification of IoT Attacks

Abstract

Botnet attacks are responsible for the largest Distributed Denial-of-Service (DDoS) attacks on record. The detection of botnet attacks in Internet of Things (IoT) devices has become crucial now more than ever due to the frequent emergence of newer botnets and botnet attacks. Techniques used in the recent past have been unable to detect emerging botnets and have focused primarily on botnet families that are already present. The paper overcomes this challenge by detecting emerging and newer botnets using an anomaly detection model as well as generating a new dataset that incorporates unknown IoT attack traffic. Furthermore, techniques used recently have incorporated multiple models to detect IoT botnet attacks. The paper proposes an approach whereby a consolidated model is used to perform the detection of binary, botnet and attack types simultaneously, making it a more efficient approach which is implemented in two phases. A dataset has been generated by simulating an unknown IoT attack (an attack similar to typical IoT botnet attacks) in a virtualized environment. The first phase involves anomaly detection of unknown IoT attacks using an Autoencoder. The second phase consists of multi-output classification of the remaining detected known data using a Multi-Output Deep Neural Network (DNN) into botnet and attack types. Hence, the proposed approach overcomes the problem of detecting unknown or newer botnet attacks. Moreover, the approach performs multi-output classification with 99.99%, 99.98%, and 88.89% accuracies for binary type, botnet type, and attack type respectively.