FastIoTBot: Identifying IoT Bots by Fast Detecting Anomalous Domain Queries with Long Short-Term Memory Networks

Ruyu Li, Lihua Yin, Yuanfei Zhang, Kexiang Qian, Xi Luo
Published in: 2023 3rd International Conference on Consumer Electronics and Computer Engineering (ICCECE)
Publication date: 2023-01-06
DOI: 10.1109/ICCECE58074.2023.10135366 (https://doi.org/10.1109/ICCECE58074.2023.10135366)
Citations: 0

Abstract

With advances in technology, the Internet of Things (IoT) has developed dramatically over the past ten years. It connects the physical world and the digital world, making people's lives more convenient. However, IoT devices have introduced significant vulnerabilities to Internet security because they are usually weakly protected, which makes them easy for criminals to exploit to launch multiple attacks. In fact, IoT devices have become a crucial part of botnets that launch severe Distributed Denial of Service (DDoS) attacks with explosive traffic. Unfortunately, traditional detection approaches have limited effectiveness against IoT botnets because of the restricted resources of IoT devices and the unprecedented scale of IoT botnets. To mitigate the threat of IoT botnets, in this paper we propose a lightweight system, named FastIoTBot, to discover compromised IoT devices quickly. FastIoTBot can identify compromised IoT devices instantly and prevent potential malicious behavior by examining domain query activity. Specifically, FastIoTBot monitors the DNS queries of a device and generates its NXDOMAIN query sequence. Then, for each domain in the sequence, FastIoTBot takes the domain name string as input and calculates its malicious score using a long short-term memory (LSTM) model. Finally, FastIoTBot identifies compromised IoT devices by analyzing NXDOMAIN sequences together with the malicious scores of the domains in them, using the threshold random walk (TRW) algorithm. The effectiveness of FastIoTBot is evaluated with real-world DNS data from two large ISP networks. The results show that FastIoTBot performs well, with over 99% accuracy.
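
The last stage the abstract describes, a threshold random walk over one device's scored NXDOMAIN sequence, is illustrated below as an added example; it is not the paper's code. The LSTM is replaced by constructed scores, and the likelihoods, error targets, the soft update rule and the name `trw_verdict` are assumptions made for illustration.

```python
import math

# Assumed operating points, chosen for illustration (not taken from the paper).
THETA_BENIGN = 0.2   # P(an NXDOMAIN query is malicious | device is clean)
THETA_BOT = 0.8      # P(an NXDOMAIN query is malicious | device is compromised)
ALPHA = 0.01         # tolerated false-positive rate
BETA = 0.99          # desired detection rate

UPPER = math.log(BETA / ALPHA)              # crossing this declares "compromised"
LOWER = math.log((1 - BETA) / (1 - ALPHA))  # crossing this declares "clean"
STEP_UP = math.log(THETA_BOT / THETA_BENIGN)
STEP_DOWN = math.log((1 - THETA_BOT) / (1 - THETA_BENIGN))


def trw_verdict(scores):
    """Walk over per-domain malicious scores in [0, 1] for one device.

    Returns (verdict, queries_consumed) and stops at the first threshold
    crossing, so a decision needs only a handful of failed lookups.
    """
    walk = 0.0
    for n, s in enumerate(scores, start=1):
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score out of range: {s}")
        # Soft update (assumption): weight both outcomes by the model score
        # instead of thresholding each domain to a hard 0/1 observation.
        walk += s * STEP_UP + (1.0 - s) * STEP_DOWN
        if walk >= UPPER:
            return "compromised", n
        if walk <= LOWER:
            return "clean", n
    return "pending", len(scores)


# Constructed NXDOMAIN sequences: (queried name, score a classifier might emit).
CAMERA = [("xkqzjwpvhm.example", 0.97), ("qpwlvnzrtu.example", 0.97),
          ("zmvbhqkdly.example", 0.95), ("hrtwqnxzpc.example", 0.96),
          ("wjdkqpzmvn.example", 0.98)]
THERMOSTAT = [("updtae.example", 0.05), ("time-srv.example", 0.10),
              ("fw-mirror.example", 0.02), ("cdn-old.example", 0.08)]

if __name__ == "__main__":
    for name, seq in (("camera", CAMERA), ("thermostat", THERMOSTAT)):
        print(name, trw_verdict([score for _, score in seq]))
```

A device whose failed lookups score near 0.5 stays "pending", so a deployment also needs a timeout or a sequence-length cap to bound per-device state.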