Muhammad Nabeel Asghar, Muhammad Asif Raza, Zara Murad, Ahmed Alyahya
IPSI Transactions on Internet Research. Journal Article. Published 2024-07-01. DOI: 10.58245/ipsi.tir.2402.03 (https://doi.org/10.58245/ipsi.tir.2402.03)
Detecting Malicious Botnets in IoT Networks Using Machine Learning Techniques
The widespread use of the Internet of Things (IoT) has led to a rise in botnet attacks, with the Mirai botnet being a major source of Distributed Denial of Service (DDoS) attacks. Mirai gained notoriety for its involvement in large-scale attacks that compromised numerous IoT devices through weak authentication credentials. Similarly, Bashlite, also known as Gafgyt or Lizkebab, targets vulnerable IoT devices by exploiting the Shellshock vulnerability in Linux-based systems. These botnets leverage compromised devices to carry out malicious activities and the propagation of malware. While Machine Learning (ML) based approaches have been proposed to identify botnets, detecting both Mirai and Bashlite botnets simultaneously is challenging as their attack characteristics are not very similar. In this study, we apply ML techniques like Logistic Regression, Support Vector Machine and Random Forest to classify the malicious traffic from Mirai and Bashlite botnets. The publicly available N-BaIoT dataset is used for the training of algorithms to identify the most informative features to detect botnet traffic targeting IoT devices. The dataset contains traffic data from nine infected devices against five protocols. The employed machine learning algorithms achieved test validation accuracy above 99%, with Random Forest performing the best. Our analysis shows that devices generating combo floods share common characteristics like weight or variance calculated within a certain time window.