Home > Research > Publications & Outputs > Profiling IoT-based Botnet Traffic using DNS

Electronic data

  • dwyer_globecomm19

    Rights statement: ©2020 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

    Accepted author manuscript, 1.39 MB, PDF document

Links

Text available via DOI:

View graph of relations

Profiling IoT-based Botnet Traffic using DNS

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paper

Published

Standard

Profiling IoT-based Botnet Traffic using DNS. / Dwyer, Owen; Marnerides, Angelos; Giotsas, Vasileios; Mursch, Troy.

2019 IEEE Global Communications Conference (GLOBECOM). IEEE, 2020. p. 1-6.

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paper

Harvard

Dwyer, O, Marnerides, A, Giotsas, V & Mursch, T 2020, Profiling IoT-based Botnet Traffic using DNS. in 2019 IEEE Global Communications Conference (GLOBECOM). IEEE, pp. 1-6. https://doi.org/10.1109/GLOBECOM38437.2019.9014300

APA

Dwyer, O., Marnerides, A., Giotsas, V., & Mursch, T. (2020). Profiling IoT-based Botnet Traffic using DNS. In 2019 IEEE Global Communications Conference (GLOBECOM) (pp. 1-6). IEEE. https://doi.org/10.1109/GLOBECOM38437.2019.9014300

Vancouver

Dwyer O, Marnerides A, Giotsas V, Mursch T. Profiling IoT-based Botnet Traffic using DNS. In 2019 IEEE Global Communications Conference (GLOBECOM). IEEE. 2020. p. 1-6 https://doi.org/10.1109/GLOBECOM38437.2019.9014300

Author

Dwyer, Owen ; Marnerides, Angelos ; Giotsas, Vasileios ; Mursch, Troy. / Profiling IoT-based Botnet Traffic using DNS. 2019 IEEE Global Communications Conference (GLOBECOM). IEEE, 2020. pp. 1-6

Bibtex

@inproceedings{b00988597762473f8f76e8fe7ab27ac8,
title = "Profiling IoT-based Botnet Traffic using DNS",
abstract = "Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016 myriads of Mirai-alike IoT-based botnets have emerged. Such botnets rely on Mirai's base malware code and they infiltrate vulnerable IoT devices on an Internet-wide scale such as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-alike IoT-based botnets go far beyond traditional pre-2016 DDoS attacks since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We firstly discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our resulted outputs indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.",
author = "Owen Dwyer and Angelos Marnerides and Vasileios Giotsas and Troy Mursch",
note = "{\textcopyright}2020 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE. ",
year = "2020",
month = feb
day = "27",
doi = "10.1109/GLOBECOM38437.2019.9014300",
language = "English",
pages = "1--6",
booktitle = "2019 IEEE Global Communications Conference (GLOBECOM)",
publisher = "IEEE",

}

RIS

TY - GEN

T1 - Profiling IoT-based Botnet Traffic using DNS

AU - Dwyer, Owen

AU - Marnerides, Angelos

AU - Giotsas, Vasileios

AU - Mursch, Troy

N1 - ©2020 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

PY - 2020/2/27

Y1 - 2020/2/27

N2 - Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016 myriads of Mirai-alike IoT-based botnets have emerged. Such botnets rely on Mirai's base malware code and they infiltrate vulnerable IoT devices on an Internet-wide scale such as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-alike IoT-based botnets go far beyond traditional pre-2016 DDoS attacks since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We firstly discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our resulted outputs indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.

AB - Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016 myriads of Mirai-alike IoT-based botnets have emerged. Such botnets rely on Mirai's base malware code and they infiltrate vulnerable IoT devices on an Internet-wide scale such as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-alike IoT-based botnets go far beyond traditional pre-2016 DDoS attacks since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We firstly discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our resulted outputs indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.

U2 - 10.1109/GLOBECOM38437.2019.9014300

DO - 10.1109/GLOBECOM38437.2019.9014300

M3 - Conference contribution/Paper

SP - 1

EP - 6

BT - 2019 IEEE Global Communications Conference (GLOBECOM)

PB - IEEE

ER -