Faisal A. Garba, Sahalu B. Junaidu, Afolayan A. Obiniyi, Adekunle M. Ibrahim
Improved Mirai Bot Scanner Summation Algorithm
EngRN: Engineering Design Process (Topic), published 2020-01-15. DOI: 10.2139/ssrn.3519728 (https://doi.org/10.2139/ssrn.3519728)
Citations: 1
Abstract
Mirai is the most dangerous Distributed Denial of Service (DDoS)-capable IoT malware to date that is in the wild, and yet it is very simple in nature. Mirai attacks an array of Internet of Things (IoT) and embedded devices, ranging from Digital Video Recorders (DVRs) and Internet Protocol (IP) cameras to routers and printers, recruiting them to form a botnet. The biggest DDoS attack in history was executed using the Mirai botnet. A recent study proposed the Mirai Bot Scanner Summation Prototype, which analyzes the network traffic generated by Mirai bot host discovery. The Mirai Bot Scanner Summation Algorithm, however, cannot recognize whether network traffic is truly Mirai bot host discovery traffic or not. Given any network traffic, the Mirai Bot Scanner Summation Prototype proceeds to summate and output the number of bots, retransmission packets, number of packets and number of potential victim IoT devices using only the source Internet Protocol (IP) address and destination IP address of a packet, without identifying whether it is truly a Mirai bot host discovery packet or not. This paper presents an Improved Mirai Bot Scanner Summation Algorithm that inspects the packet to determine whether it is truly a packet generated by Mirai bot host discovery, by looking at the TCP flags of the packet and its port number. To perform host discovery, a Mirai bot sends a SYN packet to TELNET port 23 or 2323 at randomly generated, non-governmental IP addresses in order to establish a TCP 3-way handshake with a potentially vulnerable IoT device. The Improved Mirai Bot Scanner Summation Algorithm uses this condition to determine whether a packet is a Mirai bot host discovery packet or not. The Mirai Bot Scanner Summation Algorithm and the Improved Mirai Bot Scanner Summation Algorithm are evaluated using the IoT Network Intrusion Dataset. The evaluation results show that the Improved Mirai Bot Scanner Summation Algorithm provides more accurate results than the Mirai Bot Scanner Summation Algorithm.
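The filtering condition described in the abstract (a bare TCP SYN to port 23 or 2323), applied to the same summation the original prototype performs, as an added illustration that is not the paper's own code. The `Packet` record, the sample traffic and the definition of a retransmission as a repeated (source, destination) pair are assumptions made here; the abstract does not specify them.

```python
from collections import Counter
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}     # ports Mirai probes during host discovery
TH_SYN, TH_ACK = 0x02, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:            # minimal view of a captured packet (assumed layout)
    src: str             # source IP
    dst: str             # destination IP
    dport: int           # TCP destination port
    flags: int           # raw TCP flag byte


def is_mirai_scan(p: Packet) -> bool:
    """Paper's condition: a bare SYN (ACK clear) to TELNET port 23 or 2323."""
    return bool(p.flags & TH_SYN) and not (p.flags & TH_ACK) and p.dport in TELNET_PORTS


def summate(packets, keep=is_mirai_scan):
    """Summation over the packets that pass `keep`.
    keep=lambda p: True reproduces the original algorithm, which looks at
    source/destination IPs only. A retransmission is counted as a repeated
    (src, dst) pair (assumed definition, not taken from the paper)."""
    pairs = Counter((p.src, p.dst) for p in packets if keep(p))
    return {
        "bots": len({s for s, _ in pairs}),          # distinct scanning sources
        "victims": len({d for _, d in pairs}),       # distinct probed destinations
        "packets": sum(pairs.values()),
        "retransmissions": sum(n - 1 for n in pairs.values()),
    }


# Constructed sample using documentation addresses; not traffic from the dataset.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 23, TH_SYN),
    Packet("192.0.2.10", "198.51.100.5", 23, TH_SYN),                # retransmitted probe
    Packet("192.0.2.10", "198.51.100.9", 2323, TH_SYN),
    Packet("192.0.2.11", "198.51.100.5", 23, TH_SYN),
    Packet("198.51.100.5", "192.0.2.10", 40001, TH_SYN | TH_ACK),  # victim's SYN-ACK reply
    Packet("203.0.113.7", "198.51.100.5", 80, TH_SYN),              # unrelated web SYN
]

if __name__ == "__main__":
    print("original:", summate(SAMPLE, keep=lambda p: True))
    print("improved:", summate(SAMPLE))
```

Run on the sample, the IP-only summation counts the victim's reply and the web SYN as bots and victims, while the flag-and-port filter reports only the two scanning sources and the two probed hosts.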