Abstract

The development of the Internet of Things (IoT) dramatically facilitates the integration of computing systems with the physical world. However, because IoT devices are easier to compromise than desktop computers, cybercriminals have established IoT-based botnets to launch Distributed Denial of Service (DDoS) attacks with unprecedented traffic volume. To mitigate the damage associated with these attacks, detection of IoT-based botnets has to preempt the command and control (C&C) communication so that the attack code is never delivered. Motivated by the extensive use of domain generation algorithms in botnets, in this article we propose ConnSpoiler, a lightweight system that detects IoT-based botnets by quickly identifying the stream of algorithmically generated domains (AGDs). ConnSpoiler needs only negligible system resources to take effect and thus can run well on resource-constrained IoT devices. By employing a powerful statistical algorithm, i.e., threshold random walk, ConnSpoiler has a high probability (about 94%) of detecting an infection before the compromised devices connect to C&C servers, which can help to prevent the succeeding attacks. Moreover, ConnSpoiler requires only benign domains to take effect and therefore does not need extra effort to label malicious samples for the training phase. We evaluate ConnSpoiler on real-world DNS traffic collected from two different large ISP networks and show that it accurately identifies devices that are compromised by unknown botnets.
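The threshold random walk named in the abstract is a sequential hypothesis test: each DNS lookup moves a per-device score up or down until it crosses a decision threshold. The sketch below is an added illustration of that general technique, not ConnSpoiler's code; the per-lookup `looks_generated` flag (from some upstream scorer the abstract does not describe), the probabilities, the error targets, and the device and domain names are all assumptions.

```python
import math
from collections import defaultdict

class TRWDetector:
    """Per-device threshold random walk over a stream of DNS lookups."""

    def __init__(self, theta0=0.1, theta1=0.8, alpha=0.01, beta=0.99):
        # theta0 / theta1: assumed P(lookup looks generated) for a clean /
        # infected device. alpha / beta: target false-positive and
        # detection rates. All four values are illustrative.
        self.up = math.log(theta1 / theta0)
        self.down = math.log((1 - theta1) / (1 - theta0))
        self.upper = math.log(beta / alpha)
        self.lower = math.log((1 - beta) / (1 - alpha))
        self.llr = defaultdict(float)   # running log-likelihood ratio
        self.count = defaultdict(int)   # lookups seen in the current walk
        self.infected = {}              # device -> lookups needed to decide

    def observe(self, device, looks_generated):
        if device in self.infected:
            return "infected"
        self.count[device] += 1
        self.llr[device] += self.up if looks_generated else self.down
        if self.llr[device] >= self.upper:
            self.infected[device] = self.count[device]
            return "infected"
        if self.llr[device] <= self.lower:
            # Accept "benign" and restart, so a later infection is still caught.
            self.llr[device], self.count[device] = 0.0, 0
            return "benign"
        return "pending"

# Constructed events: (device, queried domain, flag from the assumed scorer)
EVENTS = [
    ("cam-1", "time.example.org", False),
    ("cam-1", "qzxkvbtr.example", True),
    ("tv-1", "cdn.example.net", False),
    ("cam-1", "wplmhdgy.example", True),
    ("tv-1", "api.example.com", False),
    ("cam-1", "jrtnxqsc.example", True),
    ("tv-1", "update.example.net", False),
    ("tv-1", "ntp.example.org", False),
]

def run(events):
    det = TRWDetector()
    verdicts = [(dev, dom, det.observe(dev, flag)) for dev, dom, flag in events]
    return verdicts, det.infected
```

With these assumed parameters a device is flagged after a few generated-looking lookups, which is what lets a detector of this kind act before the bot resolves a live C&C domain.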
