Botnet Attacks Research Articles

Lightweight Meta-Learning BotNet Attack Detection

Modern society is increasingly dependent on numerous Internet of Things (IoT) devices to assist in a variety of scenarios, such as smart homes and cities, healthcare systems, and cyber-physical systems. Despite IoT’s increasing popularity, IoT security remains a challenge due to the multitude of attack vectors. Existing cyber-attack defense methods attempt to protect the network from both within and outside the network. Network Intrusion Detection Systems (NIDS) act as device borders within network security and offer a potential defense methodology. This research analyzes the performance of an Artificial Intelligent Internet of Things (AIoT) lightweight botnet attack detection model by deploying meta-learning ensemble botnet detection models and evaluates the capability of a single-board system in addressing cyber-attack threats. The Aposemat IoT-23 GarciaApose, UC Irvine KDD99Dua:2019KDD99, and UNSW TONbooijTONdataset datasets provide IoT and network traffic network flow captures which are used to evaluate the proposed meta-learning methodologies. Experiments show that deployment of our proposed methodologies on edge devices exhibits similar results to PC-based Desktop CPU-trained models. Over the three datasets, when considering a binary classifier (benign vs malignant), our models can consistently achieve above 97.9% accuracy with a false positive rate (FPR) less than 3.8% and an inference time less than 3.95 seconds. In this work, we show that for binary classification our meta-learners provide consistently stable high accuracy low FPR performance across all three datasets, while maintaining reasonable inference times.

Effective injection of adversarial botnet attacks in IoT ecosystem using evolutionary computing

AbstractWith the widespread adoption of Internet of Things (IoT) technologies, botnet attacks have become the most prevalent cyberattack. In order to combat botnet attacks, there has been a considerable amount of research on botnet attacks in IoT ecosystems by graph‐based machine learning (GML). The majority of GML models are vulnerable to adversarial attacks (ADAs). These ADAs were created to assess the robustness of existing ML‐based security solutions. In this letter, we present a novel adversarial botnet attack (ADBA) that modifies the graph data structure using genetic algorithms (GAs) to trick the graph‐based botnet attack detection system. According to the experiment results and comparative analysis, the proposed ADBA can be executed on resource‐constrained IoT nodes. It offers a substantial performance gain of 2.15 s, 52 kb, 92 817 mJ, 97.8%, and 27.74%–41.82% over other approaches in term of Computing Time (CT), Memory Usage (MU), Energy Usage (EU), Attack Success Rate (ASR) and Accuracy (ACC) metrics, respectively.

Lightweight Model for Botnet Attack Detection in Software Defined Network-Orchestrated IoT

The Internet of things (IoT) is being used in a variety of industries, including agriculture, the military, smart cities and smart grids, and personalized health care. It is also being used to control critical infrastructure. Nevertheless, because the IoT lacks security procedures and lack the processing power to execute computationally costly antimalware apps, they are susceptible to malware attacks. In addition, the conventional method by which malware-detection mechanisms identify a threat is through known malware fingerprints stored in their database. However, with the ever-evolving and drastic increase in malware threats in the IoT, it is not enough to have traditional antimalware software in place, which solely defends against known threats. Consequently, in this paper, a lightweight deep learning model for an SDN-enabled IoT framework that leverages the underlying IoT resource-constrained devices by provisioning computing resources to deploy instant protection against botnet malware attacks is proposed. The proposed model can achieve 99% precision, recall, and F1 score and 99.4% accuracy. The execution time of the model is 0.108 milliseconds with 118 KB size and 19,414 parameters. The proposed model can achieve performance with high accuracy while utilizing fewer computational resources and addressing resource-limitation issues.

Adv-Bot: Realistic adversarial botnet attacks against network intrusion detection systems

Due to the numerous advantages of machine learning (ML) algorithms, many applications now incorporate them. However, many studies in the field of image classification have shown that MLs can be fooled by a variety of adversarial attacks. These attacks take advantage of ML algorithms’ inherent vulnerability. This raises many questions in the cybersecurity field, where a growing number of researchers are recently investigating the feasibility of such attacks against machine learning-based security systems, such as intrusion detection systems. The majority of this research demonstrates that it is possible to fool a model using features extracted from a raw data source, but it does not take into account the real implementation of such attacks, i.e., the reverse transformation from theory to practice. The real implementation of these adversarial attacks would be influenced by various constraints that would make their execution more difficult. As a result, the purpose of this study was to investigate the actual feasibility of adversarial attacks, specifically evasion attacks, against network-based intrusion detection systems (NIDS), demonstrating that it is entirely possible to fool these ML-based IDSs using our proposed adversarial algorithm while assuming as many constraints as possible in a black-box setting. In addition, since it is critical to design defense mechanisms to protect ML-based IDSs against such attacks, a defensive scheme is presented. Realistic botnet traffic traces are used to assess this work. Our goal is to create adversarial botnet traffic that can avoid detection while still performing all of its intended malicious functionality.

Towards Effective Feature Selection for IoT Botnet Attack Detection Using a Genetic Algorithm

With the large-scale use of the Internet of Things, security issues have become increasingly prominent. The accurate detection of network attacks in the IoT environment with limited resources is a key problem that urgently needs to be solved. The intrusion detection system based on network traffic characteristics is one of the solutions for IoT security. However, the intrusion detection system has the problem of a large number of traffic features, which makes training and detection slow. Aiming at this problem, this work proposes a feature selection method based on a genetic algorithm. The experiments performed on the Bot-IoT botnet detection dataset show that this method successfully selects 6 features from the original 40 features, with a detection accuracy of 99.98% and an F1-score of 99.63%. Compared with other methods and without feature selection, this method has advantages in training time and detection accuracy.

Feature engineering based performance analysis of ML and DL algorithms for Botnet attack detection in IoMT

Feature engineering based performance analysis of ML and DL algorithms for Botnet attack detection in IoMT

Using Deep Neural Network to Predict Botnet Attacks in IoT: A Comparative Study

Using Deep Neural Network to Predict Botnet Attacks in IoT: A Comparative Study

A Novel Multi Algorithm Approach to Identify Network Anomalies in the IoT Using Fog Computing and a Model to Distinguish between IoT and Non-IoT Devices

Botnet attacks, such as DDoS, are one of the most common types of attacks in IoT networks. A botnet is a collection of cooperated computing machines or Internet of Things gadgets that criminal users manage remotely. Several strategies have been developed to reduce anomalies in IoT networks, such as DDoS. To increase the accuracy of the anomaly mitigation system and lower the false positive rate (FPR), some schemes use statistical or machine learning methodologies in the anomaly-based intrusion detection system (IDS) to mitigate an attack. Despite the proposed anomaly mitigation techniques, the mitigation of DDoS attacks in IoT networks remains a concern. Because of the similarity between DDoS and normal network flows, leading to problems such as a high FPR, low accuracy, and a low detection rate, the majority of anomaly mitigation methods fail. Furthermore, the limited resources in IoT devices make it difficult to implement anomaly mitigation techniques. In this paper, an efficient anomaly mitigation system has been developed for the IoT network through the design and implementation of a DDoS attack detection system that uses a statistical method that combines three algorithms: exponentially weighted moving average (EWMA), K-nearest neighbors (KNN), and the cumulative sum algorithm (CUSUM). The integration of fog computing with the Internet of Things has created an effective framework for implementing an anomaly mitigation strategy to address security issues such as botnet threats. The proposed module was evaluated using the Bot-IoT dataset. From the results, we conclude that our model has achieved a high accuracy (99.00%) with a low false positive rate (FPR). We have also achieved good results in distinguishing between IoT and non-IoT devices, which will help networking teams make the distinction as well.

DBoTPM: A Deep Neural Network-Based Botnet Prediction Model

Internet of things (IoT) devices’ evolution and growth have boosted system efficiency, reduced human labour, and improved operational efficiency; however, IoT devices pose substantial security and privacy risks, making them highly vulnerable to botnet attacks. Botnet attacks are capable of degrading the performance of an IoT system in a way that makes it difficult for IoT network users to identify them. Earlier studies mainly focused on the detection of IoT botnets, and there was a gap in predicting the botnet attack due to their complex behaviour, repetitive nature, uncertainty, and almost invisible presence in the compromised system. Based on the gaps, it is highly required to develop efficient and stable AI models that can reliably predict botnet attacks. The current study developed and implemented DBoTPM, a novel deep-neural-network-based model for botnet prediction. The DBoTPM was optimized for performance and less computational overhead by utilizing rigorous hyperparameter tuning. The consequences of overfitting and underfitting were mitigated through dropouts. The evaluation of the DBoTPM demonstrated that it is one of the most accurate and efficient models for botnet prediction. This investigation is unique in that it makes use of two real datasets to detect and predict botnet attacks with efficient performance and faster response. The results achieved through the DBoTPM model were assessed against prior research and found to be highly effective at predicting botnet attacks with a real dataset.

Ensemble Machine Learning Techniques for Accurate and Efficient Detection of Botnet Attacks in Connected Computers

The transmission of information, ideas, and thoughts requires communication, which is a crucial component of human contact. The utilization of Internet of Things (IoT) devices is a result of the advent of enormous volumes of messages delivered over the internet. The IoT botnet assault, which attempts to perform genuine, lucrative, and effective cybercrimes, is one of the most critical IoT dangers. To identify and prevent botnet assaults on connected computers, this study uses both quantitative and qualitative approaches. This study employs three basic machine learning (ML) techniques—random forest (RF), decision tree (DT), and generalized linear model (GLM)—and a stacking ensemble model to detect botnets in computer network traffic. The results reveled that random forest attained the best performance with a coefficient of determination (R2) of 0.9977, followed by decision tree with an R2 of 0.9882, while GLM was the worst among the basic machine learning models with an R2 of 0.9522. Almost all ML models achieved satisfactory performance, with an R2 above 0.93. Overall, the stacking ensemble model obtained the best performance, with a root mean square error (RMSE) of 0.0084 m, a mean absolute error (MAE) of 0.0641 m, and an R2 of 0.9997. Regarding the stacking ensemble model as compared with the single machine learning models, the R2 of the stacking ensemble machine learning increased by 0.2% compared to the RF, 1.15% compared to the DT, and 3.75% compared to the GLM, while RMSE decreased by approximately 0.15% compared to the GLM, DT, and RF single machine learning techniques. Furthermore, this paper suggests best practices for preventing botnet attacks. Businesses should make major investments to combat botnets. This work contributes to knowledge by presenting a novel method for detecting botnet assaults using an artificial-intelligence-powered solution with real-time behavioral analysis. This study can assist companies, organizations, and government bodies in making informed decisions for a safer network that will increase productivity.

Unsupervised Learning for Feature Selection: A Proposed Solution for Botnet Detection in 5G Networks

The world has seen exponential growth in deploying Internet of Things (IoT) devices. In recent years, connected IoT devices have surpassed the number of connected non-IoT devices. The number of IoT devices continues to grow and they are becoming a critical component of the national infrastructure. IoT devices' characteristics and inherent limitations make them attractive targets for hackers and cyber criminals. Botnet attack is one of the serious threats on the Internet today. This article proposes pattern-based feature selection methods as part of a machine learning (ML)-based botnet detection system. Specifically, two methods are proposed: the first is based on the most dominant pattern feature values and the second is based on maximal frequent itemset mining. The proposed feature selection method uses Gini impurity and an unsupervised clustering method to select the most influential features automatically. The evaluation results show that the proposed methods have improved the performance of the detection system. The developed system has a true positive rate of 100% and a false positive rate of 0% for best performing models. In addition, the proposed methods reduce the computational cost of the system as evidenced by the detection speed of the system.

Botnet Attacks: Characteristics and Detection Techniques

Botnet Attacks: Characteristics and Detection Techniques

A Lightweight Botnet Exploiting HTTP for Control Flow Denial on Open-Source Medical Systems.

The recent emergence of open-source medical cyber-physical systems has rapidly transformed the healthcare industry. This can be attributed to advancements in 3D printing technology and the growing popularity of open-source microcomputer systems like Arduino and Raspberry Pi. However, the increased use of these systems in hospitals has also raised cybersecurity concerns. In particular, new technologies, such as IoT devices and other mobile devices, have posed new challenges in exploiting modern botnets and determining their effectiveness with limited resources. In this paper, we propose a lightweight and full-encrypted cross-platform botnet system that provides a proof-of-concept demonstration of how a botnet attack can block control flow from the syringe pump in a testbed of an IoT medical network. The emphasis is placed on minimal deployment time and resource usage, making this lightweight botnet different from most traditional botnets, thus furthering cybersecurity research in intrusion detection for open-source medical systems.

Detecting and Mitigating Botnet Attacks in Software-Defined Networks Using Deep Learning Techniques

Detecting and Mitigating Botnet Attacks in Software-Defined Networks Using Deep Learning Techniques

Improved Ant Colony Optimization and Machine Learning Based Ensemble Intrusion Detection Model

Internet of things (IOT) possess cultural, commercial and social effect in life in the future. The nodes which are participating in IOT network are basically attracted by the cyber-attack targets. Attack and identification of anomalies in IoT infrastructure is a growing problem in the IoT domain. Machine Learning Based Ensemble Intrusion Detection (MLEID) method is applied in order to resolve the drawback by minimizing malicious actions in related botnet attacks on Message Queue Telemetry Transport (MQTT) and Hyper-Text Transfer Protocol (HTTP) protocols. The proposed work has two significant contributions which are a selection of features and detection of attacks. New features are chosen from Improved Ant Colony Optimization (IACO) in the feature selection, and then the detection of attacks is carried out based on a combination of their possible properties. The IACO approach is focused on defining the attacker’s important features against HTTP and MQTT. In the IACO algorithm, the constant factor is calculated against HTTP and MQTT based on the mean function for each element. Attack detection, the performance of several machine learning models are Distance Decision Tree (DDT), Adaptive Neuro-Fuzzy Inference System (ANFIS) and Mahalanobis Distance Support Vector Machine (MDSVM) were compared with predicting accurate attacks on the IoT network. The outcomes of these classifiers are combined into the ensemble model. The proposed MLEID strategy has effectively established malicious incidents. The UNSW-NB15 dataset is used to test the MLEID technique using data from simulated IoT sensors. Besides, the proposed MLEID technique has a greater detection rate and an inferior rate of false-positive compared to other conventional techniques.

BotSward: Centrality Measures for Graph-Based Bot Detection Using Machine Learning

The number of botnet malware attacks on Internet devices has grown at an equivalent rate to the number of Internet devices that are connected to the Internet. Bot detection using machine learning (ML) with flow-based features has been extensively studied in the literature. Existing flow-based detection methods involve significant computational overhead that does not completely capture network communication patterns that might reveal other features of malicious hosts. Recently, Graph-Based Bot Detection methods using ML have gained attention to overcome these limitations, as graphs provide a real representation of network communications. The purpose of this study is to build a botnet malware detection system utilizing centrality measures for graph-based botnet detection and ML. We propose BotSward, a graph-based bot detection system that is based on ML. We apply the efficient centrality measures, which are Closeness Centrality (CC), Degree Centrality (CC), and PageRank (PR), and compare them with others used in the state-of-the-art. The efficiency of the proposed method is verified on the available Czech Technical University 13 dataset (CTU-13). The CTU-13 dataset contains 13 real botnet traffic scenarios that are connected to a command-and-control (C&C) channel and that cause malicious actions such as phishing, distributed denial-of-service (DDoS) attacks, spam attacks, etc. BotSward is robust to zero-day attacks, suitable for large-scale datasets, and is intended to produce better accuracy than state-of-the-art techniques. The proposed BotSward solution achieved 99% accuracy in botnet attack detection with a false positive rate as low as 0.0001%.

Trust Management for Deep Autoencoder based Anomaly Detection in Social IoT

Social IoT has gained huge traction with the advent of 5G and beyond communication. In this connected world of devices, the trust management is crucial for protecting the data. There are many attacks, while DDOS is the most prevalent BotNet attack. The infected devices earnestly require anomaly detection to learn and curb the malwares soon. This paper considers 9 IoT devices deployed in a Social IoT environment.We introduce a couple of attacks like Bash lite and Mirai by compromising a network node. We then look for traces of malicious behavior using AI algorithms. The investigation starts from a simple network approach - Multi-Layer Perceptron (MLP) then proceeds to ML - Random Forest (RF). While MLP detected the malicious node with an accuracy of 89.39%, RF proved 90.0% accurate. Motivated by the results, the Deep learning approach - Deep autoencoder was employed and found to be more accurate than MLP and RF. The results are encouraging and verified for scalability, efficiency, and reliability.

Botnet Detection Using Artificial Intelligence

In the year 2021 more than 80 million data were breached by cyber attackers. Most of these attacks were executed as a type of ransomware attack and cyber-attack. There are different methods performed by attackers to target individual user, but to breach an organization, they use Botnet forces. A botnet (robot network), is malware infected network that is controlled by a single attacker called bot-herder. Cyber - attacker attacks many users with their malware script by different mediums like emails, spams and takes command and control (CC) of the victim device. Using these devices attacker forms a network and performs large attack like distributed denial-of-service (DDoS), attack on an organization to breach data. The complex analysis for cybersecurity analyst is to find bot-herder and the infected network. The structures of the botnets are become very different now days. Botnets can be found with its peer-peer (p2p) structure, signature detection, behavioral analysis, domain names (DNS) and network traffic. To make this different feature analysis easier, the usage of artificial intelligence (AI) is introduced in cyber security. Data from previous attacks are collected, trained using a model which helps in prediction of future attacks. Detection of DNS of core CC servers using AI are widely used nowadays. This research mainly focuses on detection of botnet malware from the net flows of malware packets. The botnet attack data set are collected from resources like Czech - university (CTU-13), Information security and object technology (ISOT). The bi-directional net flow data and the calculation of the network packets are used. Using algorithms like support vector machine (SVM), decision tree and multi-layer perceptron, the data set is trained and tested. After the training and testing, the decision tree model has good accuracy and performance metrics of 92%. This model is considered as a best fit model and helps in detection the of malware packets. The research's objective is to build an alerting system which reports once a malware packet is intruded into a network.

Optimal Deep Learning Based Ransomware Detection and Classification in the Internet of Things Environment

With the advent of the Internet of Things (IoT), several devices like sensors nowadays can interact and easily share information. But the IoT model is prone to security concerns as several attackers try to hit the network and make it vulnerable. In such scenarios, security concern is the most prominent. Different models were intended to address these security problems; still, several emergent variants of botnet attacks like Bashlite, Mirai, and Persirai use security breaches. The malware classification and detection in the IoT model is still a problem, as the adversary reliably generates a new variant of IoT malware and actively searches for compromise on the victim devices. This article develops a Sine Cosine Algorithm with Deep Learning based Ransomware Detection and Classification (SCADL-RWDC) method in an IoT environment. In the presented SCADL-RWDC technique, the major intention exists in recognizing and classifying ransomware attacks in the IoT platform. The SCADL-RWDC technique uses the SCA feature selection (SCA-FS) model to improve the detection rate. Besides, the SCADL-RWDC technique exploits the hybrid grey wolf optimizer (HGWO) with a gated recurrent unit (GRU) model for ransomware classification. A widespread experimental analysis is performed to exhibit the enhanced ransomware detection outcomes of the SCADL-RWDC technique. The comparison study reported the enhancement of the SCADL-RWDC technique over other models.

Botnet attacks detection in IoT environment using machine learning techniques

IoT devices with weak security designs are a serious threat to organizations. They are the building blocks of Botnets, the platforms that launch organized attacks that are capable of shutting down an entire infrastructure. Researchers have been developing IDS solutions that can counter such threats, often by employing innovation from other disciplines like artificial intelligence and machine learning. One of the issues that may be encountered when machine learning is used is dataset purity. Since they are not captured from perfect environments, datasets may contain data that could affect the machine learning process, negatively. Algorithms already exist for such problems. Repeated Edited Nearest Neighbor (RENN), Encoding Length (Explore), and Decremental Reduction Optimization Procedure 5 (DROP5) algorithm can filter noises out of datasets. They also provide other benefits such as instance reduction which could help reduce larger Botnet datasets, without sacrificing their quality. Three datasets were chosen in this study to construct an IDS: IoTID20, N-BaIoT and MedBIoT. The filtering algorithms, RENN, Explore, and DROP5 were used on them to filter noise and reduce instances. Noise was also injected and filtered again to assess the resilience of these filters. Then feature optimizations were used to shrink the dataset features. Finally, machine learning was applied on the processed dataset and the resulting IDS was evaluated with the standard supervised learning metrics: Accuracy, Precision, Recall, Specificity, F-Score and G-Mean. Results showed that RENN and DROP5 filtering delivered excellent results. DROP5, in particular, managed to reduce the dataset substantially without sacrificing accuracy. However, when noise got injected, the DROP5 accuracy went down and could not keep up. Of the three dataset, N-BaIoT delivers the best accuracy overall across the learning techniques.