DISTR: Detecting multi-stage IoT botnets through contextual traffic and causal analytics

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-05-22 DOI:10.1016/j.cose.2025.104531

Fanchao Meng, Jiaping Gui , Futai Zou, Yunbo Li, Yue Wu

{"title":"DISTR: Detecting multi-stage IoT botnets through contextual traffic and causal analytics","authors":"Fanchao Meng, Jiaping Gui , Futai Zou, Yunbo Li, Yue Wu","doi":"10.1016/j.cose.2025.104531","DOIUrl":null,"url":null,"abstract":"<div><div>The proliferation of Internet of Things (IoT) devices has introduced more vulnerabilities that can be exploited by cyber attacks, such as botnets. It is imperative to detect these attacks to prevent significant damage. However, existing solutions fail to meet both the efficacy and interpretability goals demanded in the real world. By analyzing the traffic patterns of normal IoT networks and attack traffic, we observe that (1) IoT devices with similar traffic patterns exhibit clustering tendencies; (2) the attack starts with one IoT device as a foothold, then moves to other devices, which proceeds in a progressive manner. Based on these insights, we propose DISTR, a novel framework that detects and validates malicious activities on an IoT device by analyzing behaviors of other devices within the same cluster in the network, which improves the detection accuracy. In addition, by causally correlating anomalies, DISTR is able to reconstruct the progression of IoT botnets. Our evaluations on public datasets, along with those collected from real IoT devices, show that DISTR achieves the detection of IoT attacks accurately, on average with a precision and F1 score of 99.1% and 99.3%, respectively on various attack scenarios, outperforming the state-of-the-art solutions.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"156 ","pages":"Article 104531"},"PeriodicalIF":4.8000,"publicationDate":"2025-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002202","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The proliferation of Internet of Things (IoT) devices has introduced more vulnerabilities that can be exploited by cyber attacks, such as botnets. It is imperative to detect these attacks to prevent significant damage. However, existing solutions fail to meet both the efficacy and interpretability goals demanded in the real world. By analyzing the traffic patterns of normal IoT networks and attack traffic, we observe that (1) IoT devices with similar traffic patterns exhibit clustering tendencies; (2) the attack starts with one IoT device as a foothold, then moves to other devices, which proceeds in a progressive manner. Based on these insights, we propose DISTR, a novel framework that detects and validates malicious activities on an IoT device by analyzing behaviors of other devices within the same cluster in the network, which improves the detection accuracy. In addition, by causally correlating anomalies, DISTR is able to reconstruct the progression of IoT botnets. Our evaluations on public datasets, along with those collected from real IoT devices, show that DISTR achieves the detection of IoT attacks accurately, on average with a precision and F1 score of 99.1% and 99.3%, respectively on various attack scenarios, outperforming the state-of-the-art solutions.

查看原文本刊更多论文

DISTR：通过上下文流量和因果分析检测多阶段物联网僵尸网络

物联网（IoT）设备的激增带来了更多可被僵尸网络等网络攻击利用的漏洞。必须检测这些攻击，以防止造成重大损害。然而，现有的解决方案无法满足现实世界中所要求的有效性和可解释性目标。通过分析正常物联网网络的流量模式和攻击流量，我们观察到：(1)具有相似流量模式的物联网设备呈现聚类趋势；(2)攻击从一个物联网设备作为立足点开始，然后移动到其他设备，以渐进的方式进行。基于这些见解，我们提出了DISTR，这是一个新的框架，通过分析网络中同一集群内其他设备的行为来检测和验证物联网设备上的恶意活动，从而提高了检测精度。此外，通过因果关联异常，DISTR能够重建物联网僵尸网络的进展。我们对公共数据集以及从真实物联网设备收集的数据进行的评估表明，DISTR准确地实现了物联网攻击的检测，在各种攻击场景下，平均精度和F1分数分别为99.1%和99.3%，优于最先进的解决方案。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.