Abstract

In this work, we propose a solution for detecting botnet attacks in the Internet of Things (IoT) by identifying anomalies in the temporal dynamics of their devices. Given their limited computing capabilities, IoT devices are more vulnerable to attacks than conventional computers. In this scenario, botnets have a high degree of severity since they are used to trigger distributed denial-of-service attacks, which are amplified by a large number of IoT devices. Thus, solutions aiming to identify and mitigate the damage caused by botnets in IoT are urgent and essential. We evaluate the number of packets a device transmits, following a multiscale ordinal patterns transformation, and use Isolation Forest for anomaly detection. By investigating how devices evolve over time, we can distinguish between normal and anomalous behaviors. We apply the proposed solution to detect two major botnets for IoT: Mirai and Bashlite. We evaluated our model in two experimental setups: the first, using a single model for all devices, reached 99.5% accuracy and 99.6% specificity; the second, tuning a model per device, reached 100% accuracy. These results show that, with the proper transformation, it is possible to use simple methods for detecting anomalies in IoT devices' behaviors.
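The following sketch illustrates the ordinal patterns transformation named in the abstract, applied to per-interval packet counts at several time scales. It is an added example, not the authors' code: the embedding dimension, the delays, the use of normalised permutation entropy as the per-scale feature, and both sample series are assumptions, and the Isolation Forest stage is omitted.

```python
import math
import random
from collections import Counter

def ordinal_pattern_probs(series, dim=3, delay=1):
    """Relative frequency of each rank ordering (ordinal pattern) among
    windows of `dim` samples taken `delay` steps apart."""
    span = (dim - 1) * delay
    counts = Counter()
    for i in range(len(series) - span):
        window = [series[i + k * delay] for k in range(dim)]
        # argsort of the window; ties are broken by position (stable sort)
        counts[tuple(sorted(range(dim), key=window.__getitem__))] += 1
    total = sum(counts.values())
    return {pattern: c / total for pattern, c in counts.items()}

def permutation_entropy(series, dim=3, delay=1):
    """Shannon entropy of the ordinal distribution, normalised to [0, 1]."""
    probs = ordinal_pattern_probs(series, dim, delay)
    h = sum(p * math.log(1 / p) for p in probs.values())
    return h / math.log(math.factorial(dim))

def multiscale_features(series, dim=3, delays=(1, 2, 4)):
    """One entropy value per time scale; a vector like this is what an
    anomaly detector such as Isolation Forest would be trained on."""
    return [permutation_entropy(series, dim, d) for d in delays]

# Constructed sample data (assumption): packets sent per interval.
# NORMAL mimics a device with a strictly periodic reporting cycle.
NORMAL = [2, 4, 6, 8] * 50
# ATTACK mimics erratic high-volume counts from a compromised device.
_rng = random.Random(7)
ATTACK = [_rng.randint(200, 900) for _ in range(200)]

if __name__ == "__main__":
    print("normal:", [round(x, 3) for x in multiscale_features(NORMAL)])
    print("attack:", [round(x, 3) for x in multiscale_features(ATTACK)])
```

The transformation depends only on the ordering of values, not their magnitude, so the two series separate on temporal structure rather than on raw volume.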
