Machine Learning Method For Detecting Botnet Attacks Originated From The Iot Networks
Name
Anel Abylkassymova
Abstract
Recently, botnet attacks have become more sophisticated than other malware since they can expand to other devices and cause even more damage. The botnet attacks are large-scale attacks that can compromise IoT devices due to their lack of security measures. An intrusion detection system (IDS) is used to monitor the network traffic and capture the suspicious traffic. The IDS, based on the machine learning approach, has been more utilized by security analysts for IoT botnet detection. This approach applies a machine learning model to enhance the IoT botnet detection process. The botnet attack development causes the demand to improve the botnet detection workflow.
The botnet attacks are multi-stage attacks that harm systems gradually. Thereby, there is a need for early stages of attack detection to prevent malware from expanding. Although some machine learning-based research papers focused only on malware detection, those papers did not consider the structure of IoT botnet attacks, which can also include a multi-stage attack approach. Also, there is a problem with the IoT device type identification. The compromised IoT devices in the IoT environment should be defined to prevent the spread of malware.
Thereby, this thesis is intended to improve the malware detection procedure utilizing different machine learning methods that not only address binary classification problems but also can be applied in early attack stages detection with a categorization of malware with device type and attack stage with the device type. The binary classification models defined the IoT botnet malware such as Mirai, Bashlite, and Torii. The multiclass classification models included: 4 classes of scenarios with three malware types and legitimate traffic, 8 classes of an experiment that differentiated the malware type and device type, and 12 classes of scenarios that distinguished the attack stage, whether it was command and control (C&C) or spread and the device type.
The botnet attacks are multi-stage attacks that harm systems gradually. Thereby, there is a need for early stages of attack detection to prevent malware from expanding. Although some machine learning-based research papers focused only on malware detection, those papers did not consider the structure of IoT botnet attacks, which can also include a multi-stage attack approach. Also, there is a problem with the IoT device type identification. The compromised IoT devices in the IoT environment should be defined to prevent the spread of malware.
Thereby, this thesis is intended to improve the malware detection procedure utilizing different machine learning methods that not only address binary classification problems but also can be applied in early attack stages detection with a categorization of malware with device type and attack stage with the device type. The binary classification models defined the IoT botnet malware such as Mirai, Bashlite, and Torii. The multiclass classification models included: 4 classes of scenarios with three malware types and legitimate traffic, 8 classes of an experiment that differentiated the malware type and device type, and 12 classes of scenarios that distinguished the attack stage, whether it was command and control (C&C) or spread and the device type.
Graduation Thesis language
English
Graduation Thesis type
Master - Cyber Security
Supervisor(s)
Hayretdin Bahsi, Sven Nõmm, Raimundas Matulevicius
Defence year
2022