Detecting IoT Botnets on IoT Edge Devices

Meghana Raghavendra, Zesheng Chen
Published in: 2022 IEEE International Conference on Communications Workshops (ICC Workshops)
Publication date: 2022-05-16
DOI: 10.1109/iccworkshops53468.2022.9814555 (https://doi.org/10.1109/iccworkshops53468.2022.9814555)
Citations: 1

Abstract

Rapid expansion in the utilization of Internet of things (IoT) devices in everyday life leads to an increase in the attack surface for cybercriminals. IoT devices have been frequently compromised and used for the creation of botnets. The goal of this research is to identify a machine learning method that can be run on resource-constrained IoT edge devices to detect IoT botnet traffic accurately in real time. Specifically, we apply both the input perturbation ranking (IPR) algorithm and decision trees to achieve this goal. We study the network snapshots of IoT traffic infected with two botnets, i.e., Mirai and Bashlite, and use IPR with XGBoost to identify the nine most important features that distinguish between benign and anomalous traffic for IoT devices. We propose to use decision trees, a supervised machine learning method, because of their simplicity, shorter training and prediction time, ease of translation into security policy, and flexibility in balancing detection accuracy and speed. In our experiments, we compare the performance of decision trees with a deep-learning-based method, i.e., Kitsune, and other popular supervised machine learning methods. We show that decision trees achieve high decision performance (e.g., more than 99.99% accuracy), but with much less training and prediction time than Kitsune and most other machine learning methods. Moreover, we demonstrate that when using the nine most important features in decision trees, the detection accuracy is similar, but the computation power can be significantly reduced, making botnet detection suitable on IoT edge devices.