Abstract

With the rapid development of the Internet of Things (IoT), new types of security issues have emerged, and one of the most severe is the IoT-based botnet. A number of traditional works are dedicated to analyzing DNS traffic because of its wide misuse in botnets. However, most works are limited to specific behaviors, such as regularity in domain queries and periodicity in C&C (Command and Control) processes, which attackers often conceal. Moreover, the ever-growing number of domains and queries generated by IoT devices renders most approaches ineffective, since their architectures cannot cope with the traffic explosion. In this paper, we illustrate an essential property of botnets, i.e., the frequent pattern of DNS request relationships, and propose a generic and scalable IoT-botnet detection system, named FPMBot, to detect bot domain queries in large-scale DNS traffic. The key insight is that bots in the same botnet inevitably query the same sets of domains or servers whenever they try to conduct attacks or connect to C&C servers, and thus form frequent patterns in a bipartite graph of requesters and responders. This frequent pattern in domain queries is an essential behavior of bots, since a significant advantage of a botnet is the ability to launch large-scale attacks synchronously. We utilize a frequent pattern mining algorithm to detect such patterns and implement FPMBot on the Apache Spark parallel computing architecture to handle the daily increasing traffic. Experimental results on more than 14 billion records from four days of real-world DNS logs show that FPMBot achieves a high detection precision of over 95% and performs well in large-scale networks.
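The requester/responder bipartite graph and the frequent-pattern idea described above, as an added Python illustration (this is not FPMBot's code, which the paper implements on Apache Spark): per-requester domain sets are built from constructed DNS log lines, a small Apriori-style miner finds domain sets queried by at least `min_support` distinct requesters, and the requesters sharing a maximal pattern are flagged. All hostnames, addresses and function names are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample DNS log (not from the paper): "<timestamp> <client> <qname>".
# Clients .1/.2/.3 synchronously query the same three domains (bot-like pattern);
# .4/.5 only share a popular benign domain, which alone is not a pattern.
SAMPLE_LOG = """\
1 10.0.0.1 update.example-c2.test
1 10.0.0.1 mirror.example-c2.test
1 10.0.0.1 api.example-c2.test
2 10.0.0.2 update.example-c2.test
2 10.0.0.2 mirror.example-c2.test
2 10.0.0.2 api.example-c2.test
2 10.0.0.2 news.benign.test
3 10.0.0.3 update.example-c2.test
3 10.0.0.3 mirror.example-c2.test
3 10.0.0.3 api.example-c2.test
4 10.0.0.4 news.benign.test
4 10.0.0.4 shop.benign.test
5 10.0.0.5 news.benign.test
5 10.0.0.5 mail.benign.test
"""

def build_bipartite(log_text):
    """Requester side of the bipartite graph: client -> set of queried domains."""
    graph = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _ts, client, qname = line.split()
            graph[client].add(qname)
    return graph

def mine_frequent_domain_sets(graph, min_support, min_size=2):
    """Apriori-style mining: domain sets queried by >= min_support distinct requesters.
    Returns {frozenset(domains): support}; sets smaller than min_size are not reported,
    so a single popular domain does not count as a shared pattern."""
    transactions = list(graph.values())
    support = lambda s: sum(1 for t in transactions if s <= t)
    items = {d for t in transactions for d in t}
    current = [frozenset([d]) for d in items if support(frozenset([d])) >= min_support]
    frequent, k = {}, 1
    while current:
        if k >= min_size:
            frequent.update((s, support(s)) for s in current)
        # Join frequent k-sets that differ in one item into (k+1)-set candidates.
        current = list({a | b for a, b in combinations(current, 2)
                        if len(a | b) == k + 1 and support(a | b) >= min_support})
        k += 1
    return frequent

def flag_requesters(graph, frequent):
    """Map each maximal frequent pattern to the sorted requesters whose queries contain it."""
    maximal = [p for p in frequent if not any(p < q for q in frequent)]
    return {p: sorted(c for c, d in graph.items() if p <= d) for p in maximal}
```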
