FastIoTBot: Identifying IoT Bots by Fast Detecting Anomalous Domain Queries with Long Short-Term Memory Networks

Ruyu Li, Lihua Yin, Yuanfei Zhang, Kexiang Qian, Xi Luo
Published in: 2023 3rd International Conference on Consumer Electronics and Computer Engineering (ICCECE)
Publication date: 2023-01-06
DOI: https://doi.org/10.1109/ICCECE58074.2023.10135366
Citations: 0

Abstract

As technology has progressed, the Internet of Things (IoT) has developed dramatically over the last ten years. It connects the physical world and the digital world, which makes people's lives more convenient. However, IoT devices have brought great vulnerability to Internet security, since they are usually weakly protected, which makes them easy for criminals to exploit to launch multiple attacks. In fact, IoT devices have become a crucial part of botnets that launch horrible Distributed Denial of Service (DDoS) attacks with explosive traffic. Unfortunately, traditional detection approaches have limited effectiveness against IoT botnets because of the restricted resources of IoT devices and the unprecedented scale of IoT botnets. To mitigate the threat of IoT botnets, in this paper we propose a lightweight system, named FastIoTBot, to discover compromised IoT devices quickly. FastIoTBot can distinguish compromised IoT devices instantly and prevent potential malicious behaviors by examining domain query activities. Specifically, FastIoTBot monitors the DNS queries of a device and generates its NXDOMAIN query sequence. Then, for each domain in the sequence, FastIoTBot takes the domain name string as input and calculates its malicious score using a long short-term memory (LSTM) model. Finally, FastIoTBot identifies compromised IoT devices by analyzing the NXDOMAIN sequences together with their domains' malicious scores, leveraging the threshold random walk (TRW) algorithm. The effectiveness of FastIoTBot is evaluated with real-world DNS data from two large ISP networks. The results show that FastIoTBot performs well, with over 99% accuracy.
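The TRW decision stage described in the abstract, as an added example that is not code from the paper: a sequential likelihood-ratio test run over each device's NXDOMAIN sequence. The per-domain scores stand in for LSTM outputs and are constructed; the score cutoff, the two conditional probabilities, the error targets, and the reduction of each score to a binary observation are all assumptions.

```python
import math
from collections import defaultdict

# All parameters are assumptions for illustration, not values from the paper.
SCORE_CUTOFF = 0.5                   # score >= cutoff is a "DGA-like" observation
THETA_BENIGN, THETA_BOT = 0.2, 0.8   # P(DGA-like NXDOMAIN | benign / compromised)
P_DETECT, P_FALSE = 0.99, 0.01       # target detection and false-positive rates

UPPER = math.log(P_DETECT / P_FALSE)              # crossing it: "compromised"
LOWER = math.log((1 - P_DETECT) / (1 - P_FALSE))  # crossing it: "benign"

def trw_classify(scores):
    """Walk the log-likelihood ratio over one device's scored NXDOMAIN
    queries; return (verdict, queries_consumed)."""
    llr = 0.0
    for n, score in enumerate(scores, start=1):
        if score >= SCORE_CUTOFF:
            llr += math.log(THETA_BOT / THETA_BENIGN)
        else:
            llr += math.log((1 - THETA_BOT) / (1 - THETA_BENIGN))
        if llr >= UPPER:
            return "compromised", n
        if llr <= LOWER:
            return "benign", n
    return "pending", len(scores)   # not enough evidence yet

def classify_devices(events):
    """events: iterable of (device, nxdomain, score) in arrival order."""
    per_device = defaultdict(list)
    for device, _domain, score in events:
        per_device[device].append(score)
    return {dev: trw_classify(s) for dev, s in per_device.items()}

# Constructed sample: device names, domains and scores are made up.
SAMPLE_EVENTS = [
    ("cam-01", "xkqzjvhwpl.example", 0.97), ("nas-02", "time-sync.example", 0.08),
    ("cam-01", "updates-cdn.example", 0.12), ("nas-02", "printer-lan.example", 0.05),
    ("cam-01", "qpwvzrtmky.example", 0.94), ("tv-03", "hjqxwzkvbn.example", 0.90),
    ("cam-01", "bnmzxcvlkj.example", 0.91), ("nas-02", "backup-host.example", 0.11),
    ("cam-01", "wqertzuiop.example", 0.96), ("tv-03", "media-portal.example", 0.10),
    ("cam-01", "plmoknijbu.example", 0.93), ("nas-02", "mail-relay.example", 0.04),
]

if __name__ == "__main__":
    for device, (verdict, n) in sorted(classify_devices(SAMPLE_EVENTS).items()):
        print(f"{device}: {verdict} after {n} NXDOMAIN queries")
```

With these assumed parameters each observation moves the walk by ln 4, so four net DGA-like (or four net benign-looking) queries are enough to reach a verdict.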